Veterans Affairs: Why Not Implement Data Breach Lessons Learned?

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010

Dissemination vs. Implementation

The Department of Veterans Affairs recently announced that it will publish monthly online accounts of data breaches and of lost BlackBerrys and laptops, in order to improve accountability and increase transparency.

What was shocking to me was that from April through July of this year the VA lost 72 BlackBerrys and 34 laptops.  Patient information was sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents that required notifying patients and 2,501 incidents in which credit reporting was required.

Almost 10,000 breach incidents in a matter of months!  What is wrong with this picture?  Instead of merely disclosing data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps toward prevention?

I think the VA needs to ask a few questions:

1) Why are so many handheld devices and laptops being lost?  Are there ways we can educate our employees on best practices for protecting devices?  Are there consequences?

2) With so many devices and laptops lost each month, how do we ensure these devices are protected with full-disk encryption?  Are employees taking home sensitive information that should not be placed on personal devices?  Do employees know what information is sensitive?

3) What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information?  How do we know there were only 441 errors; were these just the mistakes that were caught?

4) How can we implement ongoing awareness and educate our employees (and third parties) on protecting sensitive information?

 

Breach notifications are expensive.  Credit reporting is expensive.  Replacing BlackBerrys and laptops is expensive.  Correcting errors and re-mailing information is expensive.

Prevention is a lot less expensive for Veterans Affairs, and a lot less expensive for us taxpayers too… is anyone interested in implementing lessons learned?






Blueprints Do Not Build Skyscrapers

Posted In Business Continuity, Human Resources, Regulatory Compliance, Risk Management, School Safety, Workplace Violence on August 11th, 2010

In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.

I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.

Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action, etc.  Blueprints can also include programs, policies, procedures, processes, guidelines, checklists, etc.

But blueprints are not skyscrapers. 

Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, etc.), schedule a meeting or training session, post their blueprints on an intranet/portal and think they have built their “skyscraper”.

More and more organizations are learning the hard way that having blueprints is not enough.

Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate. 

Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?






Building A Preparedness Program…like Building a Skyscraper?

Posted In Business Continuity, Emergency Management, Human Resources, Regulatory Compliance, School Safety, Workplace Violence on August 9th, 2010

I attended the Virginia Governor’s Campus Preparedness conference last week and had an interesting discussion with one of the attendees.  We were talking about how building preparedness across an organization or an entire campus is becoming more complex and more difficult due to escalating challenges, regulations, obligations, liabilities and much more.

As our discussion continued, we started talking about how important tools can be when building campus-wide preparedness programs.  In reference to whether tools can make a difference, I offered the following analogy:

Could a skyscraper be built using a hammer, a saw and some nails? 

The attendee responded quickly, yes the skyscraper could be built but she wouldn’t go inside it!

Next we discussed how building a skyscraper and building a campus-wide or organization-wide preparedness program have a lot in common: 

  • Both require blueprints
  • Both are complex and require planning
  • Both require specialized tools to build
  • Both have a lot of parts or “dots to connect”
  • Both require specialized tools to maintain
  • People will not trust poorly built skyscrapers or preparedness programs

 

Are you building your __________ program [preparedness, compliance, business continuity, safety, security, ethics, etc.] with old outdated tools such as binders, intranets, shared drives and general training?






SEC Provides Lessons Learned on Policies and Porn

Posted In Business Continuity, Human Resources, Incident Reporting, Information Security, Legal, Risk Management on July 7th, 2010

A recent follow-up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities and Exchange Commission (SEC) and suggested it was a dramatic wake-up call for any government agency that doubted the need for, and importance of, an airtight security policy.

Good for Teri Robinson… who wrote the article!!

However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility.  Teri suggested the following steps:

  • Review existing policy
  • Include social media guidelines, and make them specific
  • Assign responsibility, because policies are more easily adopted if someone is in charge
  • Train, train, train: as threats change, so do policies, so regular training is needed
  • Enforce the rules
  • Ramp up resources with technology and staffing

 

I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.

I sort of agree with Assigning Responsibility and Train, Train, Train…

I disagree with Ramping Up Resources and Staffing Up.

Based on lessons learned, the following steps are also needed:

  • Accountability at the Individual Level
  • Documentation of Individual Acknowledgements
  • Situational Awareness and Case Studies that relate to organization specific policies
  • Incident Reporting and Incident Management Tools for Assessment/Prevention Teams

 

And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.

Now if we could just get federal agencies to start using “tractors” instead of “old horses”…






Are You Aware of TSA’s Bad Attitude and Bad Flyers List?

Posted In Human Resources, Incident Reporting, Workplace Violence on June 14th, 2010

Did you see the article in the USA Today last week regarding TSA keeping a database of pushy flyers?

The pushy-flyers program was launched in 2007 to help keep the nation’s 50,000 airport screeners from being attacked or threatened.  TSA officials had voiced concern about passengers disrespecting screeners, so they began issuing new uniforms with police-style badges pinned to the shirts.  According to the article, the database holds records of about 240 incidents; most are screeners in conflict with other screeners, and 30 involve passengers or airport workers attacking or threatening screeners.

Based on my experiences leaving a New York area airport this week, I understand why 8 times more incidents are screeners in conflict with other screeners.  And based on my experiences, I am also curious if TSA has started creating a database of TSA screeners that disrespect passengers?

These New York area TSA screeners seemed more interested in being bossy than screening passengers to ensure safety and security.  Maybe it’s the uniform and the pin on badge?  Maybe the uniforms are the problem?

Maybe the uniforms make TSA screeners behave like control-freak umpires – like Cowboy Joe West and Bossy Bill Hohn – both major league baseball umpires who forgot about their real job responsibilities because they were too busy trying to be in control.  MLB announced it was going to address Bill Hohn “in a very stern way”… perhaps lessons learned from the TSA database and lessons from MLB will help TSA address what seems to be a growing problem?

Passengers deserve respect, and passengers deserve TSA screeners who put their roles and responsibilities before their attitudes and personal control issues.

I wonder if organizational leaders are paying attention to these lessons learned when they travel? Or as organizational leaders watch TV and see all the negative feedback on umpires?

Organizational leaders must quickly realize that connecting the dots includes all types of dots – every good, bad and bossy individual must be connected to the organization’s culture and be accountable for their roles, responsibilities, obligations and decisions. 

Did your organization use these lessons learned to achieve better results with your passengers, fans, customers and partners?






Mounting Challenges with People and Processes…Do you need a Tractor?

Posted In Business Continuity, Human Resources, Risk Management, School Safety on April 27th, 2010

I attended the national ACUTA conference last week and one of the speakers mentioned Philip Quigley’s quote regarding ‘farmers and building tractors’.  If you are not familiar with his quote, see below:

Philip J. Quigley, former CEO of Pacific Telesis said, “If we were to go back in time 100 years and ask a farmer what he’d like if he could have anything, he’d probably tell us he wanted a horse that was twice as strong and ate half as many oats. He would not tell us he wanted a tractor. Technology changes things so fast that many people aren’t sure what the best solutions to their problems might be.”

And after I heard the quote it hit me… at times we may all be like ‘farmers’ who are not aware of ‘tractors’ that could help us achieve better results.  It may also explain why so many organizational leaders are still trying to get more out of their ‘horses’ (binders, intranets (aka digitized binders) and general training) to solve their escalating People and Process challenges.

Everyone knows that People and Processes are an organization’s weakest links, but now that budgets are limited and regulations, risks and pains are mounting, the ‘old horses’ cannot keep up.

Are your ‘old horses’ keeping up with your mounting challenges?  Would a ‘tractor’ help?






What is a “Failure to Implement”?

Posted In Human Resources, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on April 19th, 2010

Recently, Awareity’s CEO, Rick Shaw, was asked to present at the Infotec conference in Omaha.   During his presentation, “The Truths (and Myths) About Assessments, Planning and Implementing”, Rick discussed the three-legged stool each organization is sitting on, and the importance of all three legs (Assessments, Planning/Developing and Implementing).

Most organizations understand the importance of assessments and planning, but where many fail to deliver is in the implementation phase.   As we have seen in numerous headlines and lessons learned, a failure to implement can lead to expensive fines, lawsuits, breaches and losses.  Rick used CVS Caremark as a case study.   Because employees carelessly tossed pill bottles bearing patient labels into store dumpsters, CVS is now subject to an FTC order requiring independent audits of its information security program every two years for the next 20 years, and it paid $2.25 million to HHS to resolve the related HIPAA violations.

The  FTC Complaint Docket No. C-4259 read:

 “Among other things, respondent failed to: 1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal.”

During the presentation, one woman raised her hand and asked, “What do you mean by ‘implement’?  How do you ‘implement’ your policies and procedures once they are created?”

I thought this was a great question and one that should be expanded upon.

An organization can have the best security policy (or plan, program, etc.) in the world, but if the policy is not implemented down to the individual-level, how will individuals be able to help the organization achieve better results?

If your organization is just blasting security policies out to your people in e-mails and memos, how do you know whether anyone received the e-mail, is reading the policies, and understands them?  Or perhaps you are sending out updated pages for the employee handbooks or manuals; how can you ensure your employees are actually reading these policies?  Are the binders just sitting on a shelf untouched?

Implementing policies, procedures, plans and processes means organizations have documentation and proof that individuals have read, understood and acknowledged their roles and responsibilities.  Regulations require proof of implementation.  Legal due diligence requires proof of implementation.  Lessons Learned continue to prove that organizations that lack implementation will continue to experience expensive and embarrassing results.

Organizations must ensure all appropriate individuals (employees, third-parties, etc.) are receiving updated policies and guidelines, reading the policies, understanding the policies, and acknowledging their individual roles and responsibilities.   Providing employees with a once-a-year general training session is not good enough as we know risks, threats, best practices, etc. are constantly changing.  The bad guys are not taking 364 days off, is your organization?
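To make “proof of implementation” something an auditor can actually check, here is an added example (written for this page, not Awareity’s product and not anything from the CVS order) of a small acknowledgment ledger in Python.  It answers the questions above – who received the policy, who read it, who acknowledged it – by binding every acknowledgment to a SHA-256 digest of the exact policy text the person was shown, so an acknowledgment of a superseded revision never counts toward the current one, and by producing the “who still owes an acknowledgment” report.  The policy names, people, dates and policy text are constructed sample data, and the rule that a revision resets everyone’s obligation is this example’s assumption.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set


def policy_digest(text: str) -> str:
    """SHA-256 of the policy text; line endings are normalized so a CRLF copy
    of the same document does not look like a new revision."""
    normalized = text.replace("\r\n", "\n").strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


@dataclass
class Policy:
    name: str
    version: str
    effective: date
    text: str
    digest: str = field(init=False)

    def __post_init__(self) -> None:
        self.digest = policy_digest(self.text)


@dataclass(frozen=True)
class Acknowledgment:
    person: str
    policy_name: str
    digest: str  # digest of the text the person was shown, not of whatever is current
    on: date


class Ledger:
    """Append-only acknowledgment record plus the revision of each policy now in force."""

    def __init__(self) -> None:
        self.current: Dict[str, Policy] = {}
        self.revisions: Dict[str, List[Policy]] = {}
        self.acks: List[Acknowledgment] = []
        self.people: Set[str] = set()

    def enroll(self, *people: str) -> None:
        self.people.update(people)

    def publish(self, policy: Policy) -> None:
        # A new revision supersedes the old one (assumed rule). Earlier acknowledgments
        # stay in the ledger as evidence but no longer satisfy the requirement.
        self.current[policy.name] = policy
        self.revisions.setdefault(policy.name, []).append(policy)

    def acknowledge(self, person: str, policy_name: str, seen_text: str, on: date) -> Acknowledgment:
        if person not in self.people:
            raise ValueError(f"{person} is not enrolled")
        digest = policy_digest(seen_text)
        if digest not in {p.digest for p in self.revisions.get(policy_name, [])}:
            # The text clicked through was never published: a tampered or corrupted copy.
            raise ValueError(f"{policy_name}: text does not match any published revision")
        ack = Acknowledgment(person, policy_name, digest, on)
        self.acks.append(ack)
        return ack

    def outstanding(self, policy_name: str, as_of: date) -> List[str]:
        """People with no acknowledgment of the *current* revision on or before as_of."""
        cur = self.current[policy_name]
        satisfied = {a.person for a in self.acks
                     if a.policy_name == policy_name and a.digest == cur.digest and a.on <= as_of}
        return sorted(self.people - satisfied)

    def audit_report(self, as_of: date) -> Dict[str, dict]:
        # Per policy: revision in force, its digest, and who still owes an acknowledgment.
        return {name: {"version": p.version, "digest": p.digest,
                       "effective": p.effective.isoformat(),
                       "outstanding": self.outstanding(name, as_of)}
                for name, p in self.current.items()}


# Constructed sample data for this example (not taken from the post or the FTC order).
DISPOSAL_V1 = ("Secure Disposal Policy\n"
               "Shred or pulp any paper containing patient information before disposal.\n")
DISPOSAL_V2 = DISPOSAL_V1 + "Deface prescription labels on containers before they are discarded.\n"


def demo() -> Dict[str, object]:
    ledger = Ledger()
    ledger.enroll("alice", "bob")
    ledger.publish(Policy("secure-disposal", "1.0", date(2010, 1, 4), DISPOSAL_V1))
    ledger.acknowledge("alice", "secure-disposal", DISPOSAL_V1, date(2010, 1, 5))
    # bob read a CRLF copy of the same text; normalization makes it the same revision.
    ledger.acknowledge("bob", "secure-disposal", DISPOSAL_V1.replace("\n", "\r\n"), date(2010, 1, 6))
    before = ledger.outstanding("secure-disposal", date(2010, 2, 1))
    # The policy is revised: every v1 acknowledgment is now stale.
    ledger.publish(Policy("secure-disposal", "2.0", date(2010, 3, 1), DISPOSAL_V2))
    after = ledger.outstanding("secure-disposal", date(2010, 3, 2))
    ledger.acknowledge("alice", "secure-disposal", DISPOSAL_V2, date(2010, 3, 3))
    return {"before_revision": before, "after_revision": after,
            "report": ledger.audit_report(date(2010, 3, 31))}


def rejects_unpublished_text() -> bool:
    """True if an acknowledgment of text that was never published is refused."""
    ledger = Ledger()
    ledger.enroll("carol")
    ledger.publish(Policy("p", "1.0", date(2010, 1, 1), "real policy text"))
    try:
        ledger.acknowledge("carol", "p", "real policy text (edited)", date(2010, 1, 2))
    except ValueError:
        return True
    return False
```

Running `demo()` shows the point of hashing the text rather than storing a version label: both people are current in February, nobody is current the day after the March revision is published, and only bob is outstanding at month end.  Storing the digest of what was actually displayed also means a modified copy of the policy (the `rejects_unpublished_text` case) cannot be acknowledged at all, which is the difference between a log that says “sent” and a record that says “read and agreed to this exact text.”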






Lack of Awareness Kills…

Posted In Human Resources, Risk Management on April 8th, 2010

If you have been following the bullying case in Massachusetts, you know all too well that lack of awareness can kill. 

Lessons learned clearly show a lack of awareness kills:

  • People
  • Careers
  • Credibility
  • Confidentiality
  • Bottom Lines
  • Reputations
  • Strategies
  • And more…

 

Lessons learned in schools, banks, hospitals, manufacturing, government and most every other sector continue to demonstrate how lack of awareness creates gaps, poor decisions and unwanted results.

There are many different types of awareness:

  • Situational Awareness
  • Security Awareness
  • Privacy Awareness
  • Risk Awareness
  • Customer Awareness
  • Brand Awareness
  • And numerous others…

 

Does your organization’s management realize they are responsible for awareness?  Awareness must be managed (and measured) vertically and horizontally and at the individual-level – from Board members to management to employees to partners to customers.  

Does your organization’s management understand the value of improving awareness at the individual level?  Awareness is a process of being informed, alert, knowledgeable, cognizant and sophisticated.  Awareness must be ongoing to ensure individuals understand your organization’s strategies and culture as well as their roles and responsibilities so they can make better decisions and help their organization achieve better results.  

How is your organization’s management managing, measuring and improving awareness?






Free Solutions vs. Negative Cost Solutions

Posted In Human Resources, Legal, Regulatory Compliance on April 5th, 2010

 

I recently received an e-mail from a school safety organization that explained, although the services we were offering seemed very important and addressed critical needs for schools, they only provided free services to schools and therefore they were unable to “look at” our solutions since they were not free.

The response got me thinking…are free solutions really free? 

Are free solutions solving the real problems and real challenges organizations face today?   

What are free solutions?

The most common free solutions are training, workshops and checklists.  Free training is usually generic, workshops can be free (if you don’t count lost productivity), and free checklists are all over the Internet.  However, most free training, workshops and checklists are just STEP 1 of a multi-step process or comprehensive program to meet mandates, compliance requirements and legal due diligence efforts.  Mandates, compliance and legal due diligence require much more than going through a free training session or workshop.  When is the last time an organization won a lawsuit because it attended free training or a free workshop, or showed the judge its free checklist?

Mandates, compliance and legal due diligence require organization specific and customized policies and procedures to be developed and then communicated to all appropriate personnel and then updated on an ongoing basis to mitigate new risks and regulatory updates as well as audit-ready documentation to demonstrate compliance and legal due diligence. 

A total/comprehensive program must be implemented across multiple levels, multiple silos, multiple locations, multiple entities and across all appropriate individuals on an ongoing basis. Lessons learned clearly show that most organizations are struggling with implementing and managing total programs.

Free and no cost solutions – especially training, workshops and checklists – have been around for years, but lessons learned clearly show that training, workshops and checklists (free or not free) are nowhere close to being the total solution.  As a matter of fact, complex challenges such as compliance, safety, bullying, cyberbullying, workplace violence, terrorism and lawsuits are escalating rather than decreasing.

What are negative cost solutions?

Negative cost solutions enable organizations to reduce their TOTAL COSTS rather than just reducing STEP 1 costs.  Most organizations are faced with an overwhelming “HAVE TO DO LIST” (or multiple have to do lists) and the majority of items on their HAVE TO DO LIST will not get crossed off with free training, a free workshop or a free checklist.

Stay tuned…more lessons learned to share on these topics and challenges.






Workplace Violence – “Don’t Get Caught in the White Zone”

Posted In Human Resources, Incident Reporting, Legal, Risk Management, School Safety, Workplace Violence on March 29th, 2010

 

While attending a recent conference, I sat in on a speaker discussing workplace violence, threat awareness and preparedness efforts.

While we have done a considerable amount of research on this topic, there were a few items in this presentation that grabbed my attention:

1) Zero reports of violence do not equal zero violence

This is a critical statement for employers to understand and address.  Over 80% of violent incidents have clear warning signs, but red flags are often not reported.  How is your organization ensuring your employees, third-parties, etc. understand their responsibility to report suspicious incidents, threats, etc.?  Have you made it easy for employees to submit an incident report?  Can they do so anonymously?  Once an employee submits an incident report, how does your organization ensure the appropriate personnel or threat assessment team members are notified? How does your organization know what actions were taken?

2) Distinguish between “making a threat” and “posing a threat”

The speaker addressed three key points:

  • Some people who make a threat do pose a threat
  • A few people who pose a threat never make a threat
  • Most people who make a threat do not pose a threat

 

How can organizations determine the difference between threatening behavior and odd or unusual behavior?   John Doe might have a fascination with guns.  Jane Smith just broke up with her boyfriend.  Henry Johnson has a history of mental illness.  However, just one of these risk factors alone does not generally constitute a threat.  The whole picture has to be reviewed and Threat Assessment Teams need specialized awareness to help identify and mitigate risk factors.

There are several assessment tools available (VRAG, RAGE-V, etc.) that can help Threat Assessment Teams evaluate behaviors and determine risk factors.  Risk factors can include contextual factors, deterrent factors, potential stressors and resiliency factors, and all should be taken into account when evaluating a potential threat. 

3) Don’t Get Caught in the White Zone

As soon as an organization thinks they are safe (“My employees would never do that”) and stops preparing is when they will get caught.  It is critical for employers to understand that the risk of workplace violence is real and implement a proactive approach to ensure workplace safety and security. 

Organizations must ensure they are “connecting the dots” across all departments, locations, individuals, etc. and eliminate silos between management, staff, mental health, law enforcement, third-parties, etc.  When the right information is shared with the right people at the right time, your organization’s chances of preventing workplace violence, negative publicity, lawsuits and much worse, are much better.





