Third-Parties and the Protection of Sensitive Information: Is Your Organization Lacking Contractual Assurances?

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management, Uncategorized on September 17th, 2010

A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third parties regarding the protection of sensitive information.

GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information. 

In a recent data breach, a TSA contractor allegedly provided a Boston couple with the Social Security numbers of more than a dozen TSA workers. Third parties are increasingly responsible for data breaches, but most often it is the hiring agency or company that faces the resulting lawsuits, reputational damage, fines, etc. Outsourcers, consultants, contractors and business partners were responsible for almost half of the data breach incidents in 2008, and recent incidents show that third-party gaps are mounting.

It is critical for organizations to require third parties to be aware of, understand and acknowledge their responsibilities for protecting all types of information. Organizations should:

  • Train contractors on best practices for protecting information
  • Require contractors to sign non-disclosure agreements
  • Require contractors to review and acknowledge organization-specific policies and procedures
  • Require contractors to review ongoing updates as risks, challenges and requirements change
  • Track all contractor agreements with legal-ready and audit-ready documentation


Lessons learned have shown that third-party data breaches will continue to occur if organizations do not change their status quo processes and connect the dots with third parties more effectively.

How are you addressing your third-party relationships today? 

Have your business partners, contractors, etc. signed off on your organization’s policies and procedures? 

Do they understand their individual roles and responsibilities for protecting your customer / sensitive information?






New Year’s Resolutions for Cutting Costs, Cutting Spending and Cutting Weight…

Posted In Uncategorized on January 5th, 2010


If you made resolutions to lose weight, which of the following options would you choose?

Option 1 – cut off an arm or a leg or both. 

Option 2 – change your eating patterns and identify new ways to burn calories.

Both options will help you cut weight, but…

Option 1 would most likely limit your capabilities to achieve short-term and long-term goals and limit your ability to achieve better results overall.

Option 2 would most likely make you feel better and increase your ability overall to do and achieve better results.

As more and more organizational leaders face budget cuts, they must decide whether they are going to cut off their “arms and legs” or look for new ways to cut costs, cut spending and improve efficiencies.

Paying attention to lessons learned and other successes can deliver impressive returns. Several of the next Lessons Learned Blogs will cover new ways to cut costs and cut spending while also improving your organization’s ability to achieve better results short term AND long term.






Value of Lessons Learned Continues to Escalate

Posted In Uncategorized on December 31st, 2009

Looking back at 2009, there were hundreds and hundreds of lessons learned that organizational leaders can utilize as we move into 2010.

I look forward to sharing even more lessons learned and analysis in 2010 and I am excited about some of the new additions and topics we have planned for January 2010 and beyond.

Because everyone has concerns about the bottom line, we will be sharing lessons learned that will help organizations reduce costs, improve productivity, increase discounts on insurance, reduce soaring compliance costs and prevent expensive incidents.

Safety, risk management, information security, red flags, workplace violence, incident reporting, secure information sharing and “connecting the dots” are a few of the other topics that will be covered in 2010.

We are making it easier for you to include your managers and your board of directors, so be sure to check out the new features of the LESSONS LEARNED BLOG – forward individual posts, search for categories, see the most recent posts, get updates via Twitter and watch for some new slideshows too.

Have a Happy New Year!






President Obama’s 10-point Cybersecurity Action Plan – Part 10

Posted In Uncategorized on June 26th, 2009

Step 10 is:

Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

Step 10 is definitely needed. 

Step 10 mentions privacy, which is generally more about the collection and dissemination of sensitive and personally identifiable information (PII) than about securing or protecting sensitive information. Privacy is generally more about People and Processes, and security is generally more about Technology; however, I think President Obama is smart to mention the need to build an identity management vision and strategy that addresses privacy and civil liberties.

I have to say… I am surprised that President Obama has not named the Cybersecurity Adviser yet. On May 29th, President Obama said he would personally pick a Cybersecurity Adviser, and I was hoping that by the time I got to Step 10 President Obama would have made his pick known.

So for now, I will focus on Lessons Learned as my stack of Lessons Learned stories continues to grow taller and taller!

And just in case you missed the press release, be sure to check out Ira Somerson’s new book, “The Art & Science of Security Risk Assessment”; I was a primary contributor to Chapter 8 of the book, regarding Human Factors.






President Barack Obama’s Inauguration Speech

Posted In Uncategorized on January 21st, 2009

January 20th, 2009 was a great day! And for many reasons, January 20th, 2009 will long be remembered as a very important day in the history of the United States of America.

As USA Today reported, President Obama’s speech mixed promises with rebukes of former President Bush.

I do not want to get into the rebukes, but I would like to take this opportunity to highlight a few of President Obama’s comments and promises regarding accountability, responsibility and knowledge.

Accountability

“And those of us who manage the public’s dollars will be held to account – to spend wisely, reform bad habits, and do our business in the light of day – because only then can we restore the vital trust between a people and their government.”

Responsibility

“What is required of us now is a new era of responsibility – a recognition, on the part of every American, that we have duties to ourselves, our nation, and the world, duties that we do not grudgingly accept but rather seize gladly, firm in the knowledge that there is nothing so satisfying to the spirit, so defining of our character, than giving our all to a difficult task.”

Knowledge

“This is the price and the promise of citizenship. This is the source of our confidence – the knowledge that God calls on us to shape an uncertain destiny.”

I really like President Obama’s promises, but getting real results will require a different approach than using “big megaphones and big jumbotrons” in front of a couple million people or “TV and radio megaphones” blasted out to several million people. Organizational leaders must be empowered with next generation knowledge management tools to ensure that every American and every person that manages the public’s dollars understands their organization’s “customized knowledge” that is specific to their organization’s goals, strategies and obligations.

Time and time again, lessons learned have shown that individuals are easily overwhelmed if they have to sort through entire binders, e-mails, intranets or portals of general information to figure out where their individual roles and responsibilities begin and end and where someone else’s responsibilities take over. These types of broadcasts and megaphone management have not worked and will not work, and now is the perfect time to make changes.

President Obama’s speech was great and the President’s promises sound great… so I have a promise too… I promise to do my part in helping every American and every organizational leader learn how next generation knowledge management tools can help them, the same way we are helping other organizations to more effectively manage their “customized knowledge” and ensure accountability and responsibility (and profitability) for their organizational, departmental and individual-level needs and obligations.

God Bless America!






Next Generation Knowledge Management

Posted In Uncategorized on January 2nd, 2009

Welcome to my next generation knowledge management blog.

My blog will analyze real world incidents and multiple organizational situations and demonstrate why and how “next generation” and “knowledge management” efforts are critical to an organization’s success and how “next generation knowledge management” must replace ineffective “megaphone management”.

“Next generation” = Forward-thinking ways to improve organizational results by replacing outdated and status quo processes. “Next generation” ideas will also help organizational leaders perform at higher levels as business environments become more complex, and more effectively engage and lead others to make better decisions and achieve better results.

“Knowledge management” = While there are multiple definitions for knowledge management, I believe that lessons learned have clearly shown that “knowledge management” has become the most important element (and the most ignored and most misunderstood) for all types of management. Management types include: risk, emergency, compliance, security, information, technology, audit, privacy, assessment, operational, disaster, crisis, change, controls, people, etc.

“Megaphone management” = Most organizations use “megaphone management” methods such as binders, e-mails, intranets, shared network drives, annual general training, knowledge centers, etc. to broadcast information and knowledge to their people. “Megaphone management” methods do not offer individual-level confidentiality, security, accountability, measurability, or audit-ready or legal-ready documentation.

My blog topics will explain how incidents and headlines could have been addressed more effectively and more efficiently with “next generation knowledge management” methods rather than status quo methods and outdated “megaphone management” efforts.


