Continuity Planning Feed

01/18/2012

Why should senior management be involved in security decisions?

I am putting the finishing touches on an executive presention for a client.  Our finding, after a series of technical tests, a review of their policies and their security administrative compents was that they are generally proactive on securty from a technical perspective but any additional maturation or improvement of their program requires management involvement.

I am going to present this to senior management team that has already informed me they don't want to hear that message.

This isn't the first time Jacadis has encountered such a situation.

Why should senior management be involved in security decisions?

At some level security decisions are really risk management decisions and not just technical, information security decisions.  Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table. 

Sorry, managers but this isn't just geeky stuff.

Here is a quick list of five questions that my client's technical team needs senior management input, involvement and or leadership on:

  1. Are we obligated by law or contract to HIPAA?
  2. Are we obligated to PCI?  Are we exposed in the way we handle crtedit card data?
  3. How long can your business operate with reduced computer facilities?  Which facilities are most important to the mission?
  4. How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
  5. What are our employees permitted to do with social media outside of work hours on their own computers?

Are you putting your technical team in a spot where you expect them to protect your business but don't share with them critical information or involve yourself in their decision making process?  If you are in a business that is data driven (and which business today isn't) your lack of involvement will likely ensure a high technical team turnover, raise the possibility that you will have security issues interfere with your business, decrease the resiliency of your business and potentially put at risk vendor and client relationship while also opening your business (and perhaps yourself personally) to legal and regulatory liability.

 

Enhanced by Zemanta

Posted by at 11:14 AM in Committee Action, Compliance, Continuity Planning, Information Security Basics, Leadership, Risk Management, Secure Value | | Comments (0) | TrackBack (0)

| | |

11/29/2011

When the snow flies & the power dies will the generator do its thing? You sure?

Forecast is for some snow tomorrow here in Columbus.  One of my clients just last week shared it had taken a couple of months to get maintenance to test the back up generator.  They finally went to fire it up to test that it worked and .... nothing.  Tried again.  Nothing.  Their hardware vendor responded quickly. Turns out that the broken part was under warranty but was 48 hours away.

The test was conducted on one of those warm sunny days we had before Thanksgiving.  We aren't supposed to get much snow tomorrow but you never know here in Ohio.  Had the part failure not been found until it was actually needed the 48 hour shipping wait could have been catastrophic.

Our client did two things right:

1.  They created a policy calendar.  Policies should be formal statements of value supported by the routines  (processes) that must be followed to meet the stated value. Most of the time though policies are dead documents that state something a client would like to do but doesn't get around to doing.  My client's policy calendar lets them manage the normal routines of their "HIPAA year" which operationalizes their compliance.

2.   They actually tested the process.  The IT Director didn't take no for an answer as maintenance continued to put his test request off. 

How are you doing?

Have you operationalized your HIPAA program?

Have you tested your generator, your back up processes and your contingency operations plan?

 

Posted by at 04:36 PM in Assessments and Tests, Committee Action, Compliance, Continuity Planning, HIPAA, HITECH, Secure Value | | Comments (0) | TrackBack (0)

| | |

08/04/2011

Forget customer privacy for a moment ... are you protecting your key business information?

With so much focus these days on data privacy and individual identities much of the conversation within the security community and from the security community to the business community skips over other critical information types that need to be protected.

This is a list of information that you should also work to protect:

1.    Information about your systems and networks.  When I backpack I don't do very well if I have to go off trail and I don't have a map.  The same is true for someone trying to break into your information systems.  If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information.  Are you making your network an outside explorers paradise?

2.    Your company's secret sauce.  You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient chinese secret (Remember the Calgon commercials?) but all of us in small business have our secret sauces.  For Jacadis, it is the unique way we deliver many of our services.  For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers.  That process has helped them win business because other printers aren't doing it.  Years ago we did work for a company that made a unique material used in the florist business.  They were the only company in the world that could produce the material at quantity and had factories world wide that did it.  Their key asset was the chemical formula and process to produce that material.  Are you protecting your secret sauces?

3.  Intellectual property, according to wikipedia, refers "to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized—and the corresponding fields of law.   Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and words, phrases, symbols, and designs. Common types of intellectual property include copyrights, trademarks, patents, industrial design rights and trade secrets in some jurisdictions."  To maintain those rights you need to actively assert those rights, which as I understand it from my friends in the legal profession, includes protecting the digital versions of those rights.  Are you asserting your IP rights?

3.    Work.  Think of the endless hours that you spent putting together that killer sales presentation.  Should it be corrupted or removed from your computer you’ll have to redo the work.  The same is true for data entry, etc.  The work itself might not be “secret” but should you lose it you’ll really be losing time and value.  As I sit here typing most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com).  For your business your work may be many other things.  My sales team would tell me that their biggest collection of work is the information they have on clients.  A friend of mine has a laser cutting business.  Unique programs are written to consistently and repeatedly cut 3D designs into different materials.  These programs are his work.  Another friend has a much lower tech manufacturing business, an old sand mold foundary.  His forms and molds breaking means he has to redo them just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted.  In the end the loss of work means the loss of time or information.  You'll have to invest time to recreate the information.  In some cases you may not be able to recreate it.  Are you protecting your work?

4.    Personal information about your executives, leaders and key employees.  Again, to explore something you need a map.  To attack a target you need a map.  Freely and without thought sharing personal information on your executives, leaders and key employees may just be providing a map.  This is a tricky subject though.  I won't do business with a company if I can't see some information about its ownership.  Most people do business with people so a company that completely hides the details of their key players doesn't earn my trust.  Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up.  On a simple level, executive emails sprinkled all over a web site invite spam.  On a more complicated level, in some businesses, travel plans and other locational information improperly shared invites more nefarious attacks.  Are you protecting your key people? Are you protecting all of your people?

5.  Personal, though non-protected, information about your customers and prospects.  Again, protect the map.  Customer lists, detailed information about your customer's pains and challenges, and the other sort of information that fuels a personal realationship between your business and your clients should be protected regardless of whether or not the informaiton is consdiered private, confidential or in some way protected by law or regulation.  Protecting your customers information promotes trust.  Are you promoting trust with your customers?

What types of information that must be protected did I miss?

Related articles
Enhanced by Zemanta

Posted by at 09:54 AM in Assessments and Tests, Committee Action, Competitive Advantage, Continuity Planning, Information Security, Information Security Basics, Innovation, Online Business, Risk Analysis, Risk Management, Secure Value, Small Business | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

| | |

02/02/2011

How do you run your business in bad weather?

Regardless of where you sit reading this it is most likely blistering cold and slick with ice and snow outside. Here in Columbus we officially have had a tad bit over .5 inch of precepitation which is a freaky ice and snow mix.  It is flurrying outside so I expect more snow.

Today, we are all working from home with the exception of 1 of our analysts who is at a surgeon's who came to us yesterday for help with a major outage due to a virus outbreak.  Weighing options last night we considered not sending Adrian, sending him last night as the weather rolled in for a hotel stay within walking distance of the client or sending him.  He choose to go this morning.

We had our bad weather lesson several years ago when Ike mad landfall on the Northern Gulf Coast and kept rolling inland and through Columbus just like .. well, just like a hurricane!  Power was out for several days.  It was difficult to work and some companies couldn't work at all.

We made some changes to our office infrastructure that allow our team to work from home.  Everyone has laptops.  We all have broadband at home.  Some of us have Verizon MiFi's that are useful as backups in this situation.  We use SaaS applications for CRM (Salesforce), Professional Services Management (QuickArrow) and much of our communications.  And we've set an expectation that if the weather is bad deal with the homefront, stay home and get what work you can get done done.  If you don't have work to do use the time to learn something new.

Power in the office building is out.  That's caused a couple of minor issues.  When the weather has cleared we'll have a discussion about how to tweak our infrastructure to correct for those issues next time (we are in Ohio, there will be a next time ... in fact it might be next week!).

Here's another employer's take on their bad weather policies as compared to a large employer in their hometown of Dallas Fort Worth.  Starr Tincup is a "best place to work" award winner.  The company maintains a blog All Business is Personal which is all about "applying personal value systems and ethics to business management".  I've come to enjoy the blog on a regular basis.

What about you, how do you run your business in bad weather?

Related articles
Enhanced by Zemanta

Posted by at 10:35 AM in Continuity Planning, Secure Value | | Comments (0) | TrackBack (0)

| | |

07/06/2010

Secure Value by Protecting What You Can't Afford to Lose

Small bank vault or strongroom from 1901.Image via Wikipedia

It isn't about the systems but the information .. ask yourself "What information can my business not afford to lose" ... and then protect it!

So much of my day is filled talking to executives or senior level managers who are trying to translate technical security concerns into their business frame of reference.  For them stepping from a world of comfort in business lingo into a jungle of technology jargon speak is painful. 

If that is painful for you I have a suggestion.

Turn it around.

Take out a legal pad.

Write out your key information or processes.

Rank order them from most critical to least critical.

Start with the most critical. 

Test its place on the list.  Could the business survive without it for a day? a week?  Would the business survive but be worth less?  How would it impact your organization? customers? bank accounts and available cash? regulatory obligations?

What are you doing to prevent that bad event from happening?

Could you detect it if it did happen?

How would you respond when it does happen?

You may need to call on your IT manager, your CPA, your lawyer, HR and other managers internal to your company to get the answers to these questions.  These conversations may raise other questions you can't answer internally. 

You may need to find an outside firm to assist with those tougher to answer questions.

Once you are confident the questions about that first piece of critical data has been answered go to the next item on the list and repeat until you have a sense you know what needs to happen to secure your critical data.

Then do it.

Enhanced by Zemanta

Posted by at 01:54 PM in Committee Action, Compliance, Continuity Planning, Information Security Basics, Leadership, Policy, Risk Management, Secure Value, Small Business | | Comments (0) | TrackBack (0)

| | |

06/23/2010

Disaster planning ... EARTHQUAKE!!!! In Ohio? NO WAY!

Hurricane Katrina making its second landfall i...Image via Wikipedia

Have you planned how you will remain operating in the case of a operations interrupting event?

Yes, earthquakes happen in Ohio (though in this case damage hasn't been reported). 

Hurricanes can hit this far north, too (much of Ohio lost power as Katrina slid its way north). 

Snow and ice are a sure thing 3 months of the year (and in Ohio sometimes 5 months). 

Summer storms and tornadoes are as much a part of the season as hot dogs, fireworks and watermelon. 

And those are just the forces of nature.  

I have yet to go looking for official news so my details are sketchy.  Everybody is twittering away about the earthquake that hit Ohio (and parts of Canada, too) today.  

Take that shake and rattle as a nudge to put your senior operations people together and have a quick conversation regarding your own resiliency.  Every company's conversation is going to be different.  Use these questions as a guide:

  • How long can we afford to be "off line"?
  • Can we still operate if our computers can't?
  • What are our most critical systems (computer networks, laptops, phones, mobile devices, etc.)?  
  • How would a 3 day power outage impact us?
  • How would a 5 day blizzard impact us?
  • How would an infrastructure damaging earthquake impact us?
  • What other catastrophe should we plan for?
  • Can one of these events put us out of business?
  • How do we make ourselves agile and flexible enough to survive?

Pick some big items on the list and assign them as projects to be done.  Once those projects are done in a month or so go through the exercises again and repeat.  It isn't a formal business continuity plan but a regular conversation with some assigned action items to be completed after would have certainly solved most real world business interruptions we've encountered.

In the midst of disaster you can't make adjustments.  Make them now.

Enhanced by Zemanta

Posted by at 04:17 PM in Committee Action, Continuity Planning, Leadership, Secure Value, Small Business | | Comments (0) | TrackBack (0)

| | |

05/11/2010

Would your business continue to thrive if your life were interrupted suddenly with a personal issue?

Secure Value by Planning for Business AND Family Interruptions

in mid-May the president of a small and emerging information security firm started to wear down with flu-like symptoms.  Within the week a small red dot appeared on the inside of his right elbow.  Soon the red spot would start to grow developing into a raging infection sending him to the hospital ... and Jacadis would lose the services of his services for nearly five weeks.

Sharing any more of my story (yes, I am alive and yes, I have all my digits and limbs) falls into the category of TMI .. too much information!

But the lessons I learned ... what happens to a company when you lose a key manager?  what needs to be in place to  let you take care of your health and family while your business continues to function? and others .. I want to share.

In the short version I was gone for nearly 5 weeks.  The company staff responded as a team and managed most things without too many bumps.  A few client projects and commitments were negatively impacted.  We are working to correct them.  I laid wide awake in the hospital bed worrying about things even when in most cases I didn't have to.  And I came back to two full voice mail boxes, 500-plus emails and a to do list that makes me cringe.  But Jacadis still thrives.  

Honestly, it was by heroic effort, good fortune (because we've hired good people) and dumb luck, not because of plan. 

My story has motivated me to consider a business continuity plan including a succession plan. 

As I learn what that means I want to share that to help you secure value.  I'd love to hear your story if you've had a similar issue arise.  What did you do? Did it turn out well? for you? for the company? for your customers?

Posted by at 04:27 PM in Continuity Planning, Risk Management, Secure Value, Small Business | | Comments (0) | TrackBack (0)

| | |

02/16/2010

Secure Value by Preventing Bad Things From Becoming Crises Cases

Automatic fire suppressionImage via Wikipedia

We are not going to prevent all bad things from happening in all areas of life including the weather (as I sit semi-snowbound in my home office) and information security.  I'm using the downtime to catch up on some business reading.

One article that struck me as sharable to the executive and business leader trying to secure value was a Management Tip of the Day for Feburary 16th from the Harvard Business Review: 3 Components for Preventing Crises:

1.  Pattern recognition. Encourage your people to share information and make connections so that you can recognize when a problem is forming. 

Part of this is ensuring that you have a good news travels, bad news travels fast culture.  If your employees are scared to deliver bad news you won't get the information you need to see an emerging pattern in time to prevent the crises.  You also need to have awareness of what to do and visibility for what "normal" is, so that abnormalities can be identified.
  • Does your behavior as a leader support bad news making it to your desk in time?
  • Are you staff aware of what their role in the information security process is?
  • Do you know what "normal" looks like in your business environment? On your network? In your call center? In your applications?

2.  Broader communication. Communication across silos is not easy, but it should be mandatory so that critical information reaches all parts of an organization.

Again, the ability to communicate across silos is a cultural issue.  Do you promote cross cultural collaboration? Or do you prefer that information and data travel up and down a chain of command?

3.  Trusted leadership. Leaders need to react quickly when a problem surfaces. Showing that you c are about an issue is critical to gaining your employees' trust in your ability to handle problems.

And I believe that showing you care about how the company handles its critical data during good times is a precursor to whether you'll be believable to your employees and customers (and maybe the courts!) if something bad happens.  Trust is critical to securing value.  The trusted leader accepts responsibility for the company's stewardship of critical data.  Are you daily behaviors regarding information stewardship the kind of behaviors that will lead employees to the conclusion that you care about protecting data?

Additional information is available from Harvard Business Review at http://web.hbr.org/email/archive/managementtip.php?date=021610.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted by at 10:32 AM in Continuity Planning, Information Security Basics, Risk Management, Secure Value | | Comments (0) | TrackBack (0)

| | |

01/25/2010

Secure Value by Understanding the Technology Your Business Depends On

Same Old Snake OilImage by dokmarius via Flickr

There's a map for that

I've been enjoying the heat generated by  AT&T (NYSE: T) and Verizon Wireless (NYSE: VZ) conflict that Verizon’s “There’s a map for that” TV ads started.  Verizon compares the two networks 3g coverage areas with a "There's a map for that" response to a number of questions in a series of funny commercials.

AT&T responded with a series of ads featuring actor Luke Wilson.  If you notice Wilson’s folksy attacks on Verizon fail to directly refute the "There's a map for that" attack.  Every time one interrupts a game on tv I want to shout “C’mon, Luke, is the blue map really that weak?!”

Who is right?

Not for me to settle out here.

The VZ v T battle highlights an information security issue for small and emerging business owners and executives.  The tech companies talk to us with cutsey ads instead of facts.  The facts are often highly technical and not a lot of fun to wade through.  And many of us aren’t knowledgeable enough in the ways of the bits and bytes to effectively do the wading.  So we (as in we entrepreneurs, business leaders, business owners and execs) make our decisions as much on emotion and "gut feel" as we do on cold hard facts.

In a situation like picking cell phone service we might just make a gut decision that costs us more or provides us poor services. 

In working with technology this way in our businesses, it means we make decisions without the knowledge of how that decision will affect the confidentiality, integrity and availability of critical information or how that decision will affect your compliance with government regulations.

TIP:  You have your account and your attorney for financial and legal matters.  Find your trusted IT advisor you navigate the technology map.  He doesn’t need to be a specialist in any specific area, but a generalist that can act as a sounding board for when you want to make IT decisions. The right pick will help you be more secure, while also helping you select and use technology more successfully in your business.

Here's to VZ and T both being honest about what 3G is, network quality, coverage areas v. coverage populations and other important facts.
Reblog this post [with Zemanta]

Posted by at 04:25 PM in Continuity Planning, Secure Value | | Comments (0) | TrackBack (0)

| | |

01/08/2010

Secure Value through Tabletop Exercises: Three Sample Scenarios - CSO Online - Security and Risk

Frank Lloyd Wright's conference table, Taliesi...Image by lumierefl via Flickr

December 01, 2006 — CSO — A tabletop exercise is a great way to get business continuity plans off the written page without the interruption of a full-scale drill. Rather than actually simulating a disaster, the crisis management group gathers for three hours to talk through a simulated disaster.

via www.csoonline.com

We don't spend enough time thinking about disasters ... until they happen .. this is a great article on a technique to put your best brains in thinking through scenarios using a technique called "Tabletop Exercises".

Reblog this post [with Zemanta]

Posted by at 09:00 AM in Continuity Planning, Risk Management, Secure Value | | Comments (0) | TrackBack (0)

| | |

Next »
My Photo

About

TypePad Profile

Get updates on my activity. Follow me on my Profile.

Categories

Twitter Updates

    follow me on Twitter
    Blog powered by TypePad
    Creative Commons Attribution-ShareAlike 3.0 Unported