Industry Hot News

It should come as no surprise that regulators and organizations alike struggle to set and enforce guidelines for social media activity. It’s not just that the rise of social media is rapidly transforming the way we interact with people, customers, and brands; but also how many ways this transformation is happening.

The core issue is that social media alters the way we as individuals share who we are, merging our roles as people, professionals, and consumers. As we share more of ourselves on a growing number of social networks, questions quickly surface:

  • How frequently and on what social networks should we post?
  • When should we present ourselves in our professional role versus sharing our personal opinions?
  • Is it okay to be social media friends with co-workers, clients, or your boss?

These are complicated matters for individuals, and absolute conundrums for organizations concerned with how employees behave and interact with others in, and outside of, the workplace. Their questions are even more complicated:

...

http://blogs.forrester.com/nick_hayes/13-07-31-five_common_legal_regulatory_challenges_with_social_media

Thursday, 01 August 2013 15:06

Is it time for object storage to shine?

My previous column touched on the promise of storage virtualisation in an era of “software-defined everything” and other initiatives that promise to make storage much simpler to manage.

One option for time and cost-starved IT managers to rein in their storage spending is object storage.

Object storage, on paper at least, seems like an appealing option. It is radically simpler than traditional storage area networks (SAN) and even network-attached storage (NAS), it scales much better from a capacity standpoint, and it is especially well suited to cost-effectively storing lots of unstructured data – think files, videos, music and images – in this big data era.

Yet, according to our research, the adoption of object storage is a minority activity. In a recent study by 451 Research’s The Info Pro service, out of 275 storage professionals at mid-sized and large organisations, just under a quarter (24%) said they had already deployed object storage.

...

http://www.computerweekly.com/opinion/Is-it-time-for-object-storage-to-shine

Wednesday, 31 July 2013 18:57

This is not a test

FORTUNE -- Manpower -- SWAT teams, bomb squads, K9 units, scores of local police officers, and citizens providing information -- will forever receive credit for bringing down the suspects linked to the Boston Marathon bombings that killed three and wounded hundreds. But there was another, little-noticed participant in the manhunt: an emergency alert platform created by Glendale, Calif.-based Everbridge.

It was Everbridge's system that enabled officers to keep locals informed -- and safe -- as they tore through suburban streets in search of the suspects. Everbridge allows single entities to send thousands of messages at the push of a button, even if cell towers are down. (The system can send texts using Wi-Fi). During Boston's marathon bombings, local companies used the system to verify the safety of employees, hospitals used it to relay information to nurses, and police updated citizens with safety alerts and messages. "We really wanted to limit people being out [on the streets] so that those law enforcement folks could maneuver around the town," says Watertown Fire Chief Mario Orangio. "By getting that message out as quickly as we did, it helped immensely." At one point during the manhunt that resulted in the capture of suspect Dzhokhar Tsarnaev, the Watertown Fire Department sent out 11,000 messages in a 15-minute span using Everbridge, he added.

...

http://tech.fortune.cnn.com/2013/05/06/this-is-not-a-test/

CIO — Your organization will come under attack. It's not a matter of "if." It's a matter of "when." And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda.

"If the worst were to happen, could we honestly tell our customers, partners or regulators that we've done everything that was expected of us, especially in the face of some fairly hefty fines that could be levied by regulators," asks Steve Durbin, global vice president of the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000.

"We're seeing, I think, not only that boards need to get up to speed on this, but also they need to be preparing their organization for the future," Durbin says. "They need to be determining how they can be more secure tomorrow than they were today."

...

http://www.cio.com/article/734273/CISOs_Must_Engage_the_Board_About_Information_Security

Today I’m going to discuss how a company can mismanage a crisis in a way that makes their plans backfire and blow up.

Of course a crisis cannot always be perfectly planned for or averted. There are a few ways for a social web team to turn a crisis around and even reap the benefits of said crisis.

Recently, Chipotle’s Twitter account was allegedly hacked with several incoherent tweets being published.

...

http://theguaranteedapplicant.wordpress.com/2013/07/30/crisis-management-fake-it-till-you-make-it-week-5/

Cloud computing gives organisations the opportunity to rethink many traditional IT practices, but it may be a particularly good fit for disaster recovery and business continuity.

Network World Editor in Chief John Dix caught up with IBM Distinguished Engineer Richard Cocchiara, who is CTO and the Managing Partner of Consulting for IBM's Business Continuity & Resiliency Services, for his perspective on the subject.

Cocchiara leads a worldwide team who work with clients on systems availability, disaster recovery planning, business continuity management and IT governance.

...

http://www.computerworld.com.au/article/522403/cloud_computing_causing_rethinking_disaster_recovery/

More than three quarters of IT professionals have experienced a data center outage in the past year, a report released on Tuesday by disaster recovery company Zerto said.

In a survey of 356 IT professionals, including IT managers, VMware and sys admins, Zerto found that 42 percent of respondents report to have experienced an outage in the last six months, with 86 percent of those incidents caused by something other than a natural disaster. The top two causes of a data center outage are hardware failure and power loss.

According to the report, 7 percent of companies have no disaster recovery plan at all, which is particularly disturbing when you see the different types of industries the respondents work in, including finance, healthcare, legal, education, pharmaceuticals and manufacturing. In a report from 2011, data center association AFCOM found that more than 15 percent of data centers have no plan for business continuity or disaster recovery.

...

http://www.thewhir.com/web-hosting-news/zerto-finds-7-percent-of-companies-dont-have-disaster-recovery-plan

After investigating alleged steroid use by New York Yankees third baseman Alex Rodriguez, Major League Baseball has reportedly offered him a plea deal. It’s the latest installment in a sad story, with important lessons for companies and workers, both inside and outside the ballpark.

Before allegations of his steroid use surfaced, Rodriguez had become one of baseball’s most storied – and lucrative – franchises and one of the wealthiest players in the game’s history. His annual earnings were $30.3 million according to FORBES’ latest estimates, making him #18 in the magazine’s list of the world’s highest paid athletes. Penalties and fines could mar his future earnings and what should be a hall-of-fame career.


These are some of the lessons that emerge for corporate America.

...

http://www.cio.com/article/737313/DDoS_Attacks_Getting_Bigger_But_Shorter_in_Duration

The surge of BYOD and mobile devices in general has unleashed havoc in mobile security in the enterprise. IT security managers have been attempting to deal with the fast influx of devices, but most are reeling from the overload of OSes, security issues, vulnerabilities and technologies aimed at securing such devices. In response to this, the National Institute of Standards and Technology (NIST) has provided an informative publication to assist IT organizations in securing mobile devices throughout their life cycles.

The Guidelines for Managing the Security of Mobile Devices in the Enterprise breaks down the issues surrounding mobile device security into manageable segments, including:

  • Defining Mobile Device Characteristics
  • Technologies for Mobile Device Management
  • Security for the Enterprise Mobile Device Solution Life Cycle

Within each section are many subsets of information to guide IT security teams in developing their own mobile device security management plan. According to NIST, organizations may not need to use all of the services covered, but services to be considered should include:

...

http://www.itbusinessedge.com/blogs/it-tools/create-a-solid-plan-for-mobile-device-security.html

Wednesday, 31 July 2013 14:51

Are Businesses Rushing to BYOD Too Quickly?

CIO — Are you breaking the law with your BYOD policy?

In a TEKsystems June survey of 3,500 tech professionals, 35 percent of IT leaders (such as CIOs, IT vice presidents and directors) and 25 percent of IT professionals (such as developers, network admins and architects) are not confident that their organization's BYOD policy is compliant with data and privacy protection acts, HIPAA, Dodd-Frank or other government-mandated regulations.

Half of the respondents also believe that 25 percent or more of sensitive data is at risk due to end users accessing this information over personal devices.

These and other alarming findings paint a disturbing picture: The race to embrace BYOD might be outpacing sound business practices.

...

http://www.cio.com/article/737277/Are_Businesses_Rushing_to_BYOD_Too_Quickly_

I’ve mentioned in previous posts that Big Data is more than just big. In order to realize its true value, it must be fast as well.

That means analysis has to approach real-time levels in order to ensure that the final product is relevant to the rapidly changing business environments in which most enterprises find themselves. And therein lies the problem, because while Big Data analytics platforms can be deployed on existing data center infrastructure, producing a real-time architecture will take a bit of work.

Hitachi Data Systems recently completed a study of UK organizations that have implemented Big Data strategies and found that more than half were still relying on outdated or inaccurate information because their legacy infrastructure could not meet the demands of real-time analytics. A key problem remains the stubborn presence of data silos within existing infrastructure, which prevent analytics engines from gaining a true picture of both structured and unstructured data sets. Not to mention, critical data is often kept hidden from decision makers because it can’t be made available on an organization-wide basis.

...

http://www.itbusinessedge.com/blogs/infrastructure/the-big-data-conundrum-is-your-infrastructure-lacking.html

Truly savvy managers know the value of information. It’s the stuff intelligent decisions are borne of. But in recent weeks, the international community and the US Federal Government have been howling over the data collection efforts of the National Security Agency, making arguments as to whether or not those efforts are in the interests of US national security and whether or not data mining is an invasion of individual civil liberties. The concerns being raised may be misplaced. The major concern may not be with the data, but with the information being derived from it.

Information is distilled data. Distillation is a process that profoundly alters the natural state of the data. Anyone who has ever distilled data knows that context, sampling procedures, and data aging all play significant roles in the value of the information derived therefrom. As managers and executives, we need to examine four key considerations whenever we’re using data and information to make critical business decisions:

...

http://blog.cutter.com/2013/07/30/gathering-intelligence-data-or-information/

Tuesday, 30 July 2013 16:42

ERM: Old concept, new ideas

CSO - Enterprise risk management (ERM) is hardly new. Eric Cowperthwaite, CISO at the nonprofit healthcare organization Providence Health and Services, recalls hearing the term for the first time in the late 1990s, "and it existed before then, even if we didn't call it that," he said.

Indeed, the term goes back several decades, according to Jeff Spivey, who is vice president at RiskIQ, president at Security Risk Management, and international vice president of ISACA.

"My father was involved in risk management beginning in 1968," he said. "What was then called 'risk management' is now called 'enterprise risk management.'"

John Shortreed, a member of the International Organization for Standards, which developed ISO 31000, one of the most prominent frameworks for ERM, says the framework has been "evolving and maturing over the last decade, in response to the increasing risks [in] our world" brought on by such varied factors as interconnectivity, climate change and economic upheaval.

...

http://www.networkworld.com/news/2013/072913-erm-old-concept-new-272302.html

While the tragedies of April 15 and April 18, 2013, are forever etched into the minds of the greater-Boston and MIT communities, 46 participants in the MIT Professional Education course Crisis Management and Business Continuity, had the opportunity to hear first-hand accounts of the events on Boylston Street and MIT’s campus from several key responding organizations, news outlets, an MIT alumnus, and several others on July 18 at the Stata Center.

The panel titled “The Boston Marathon bombings: Exemplary response amid horror,” was moderated by WBUR’s Deborah Becker, and included Edward Davis, Boston Police commissioner; James Hooley, chief of Boston EMS; Dr. Paul Biddinger, chief, Division of Emergency Preparedness, medical director, Emergency Department Operations, Massachusetts General Hospital; Imad Mouline, SB ’91, CTO, Everbridge, a Mass and Emergency Notification software company; Joe Sciacca, editor-in-chief of the Boston Herald; and Peter Casey, programming and news director, WBZ radio. William VanSchalkwyk, managing director, Environment, Health, and Safety Headquarters Office, MIT; and Helen Privett, business continuity manager at GMO, were also on hand.

...

http://web.mit.edu/newsoffice/2013/panel-draws-crisis-management-lessons-from-local-events.html

Colleges and universities are putting the financial and personal information of students and parents at risk by allowing them to submit such data to the school in unencrypted email.

That was a finding in a survey released Monday by Halock Security Labs after surveying 162 institutions of higher learning in the United States.

Half the institutions allowed sensitive documents to be sent to them in unencrypted emails, the survey said, while a quarter of the schools actually encouraged such transmissions.

"Typically, they do what they need to do to comply with regulations, but they're weak on risk management and actively controlling and managing risk," Terry Kurzynski, a partner with Halock Security Labs, said in an interview.

...

http://www.cio.com/article/737252/Universities_Putting_Sensitive_Data_at_Risk_via_Unsecure_Email

Has a third-party vendor caused a data breach at your organization? If so, did the vendor notify you? If you weren’t notified during — or right after — the investigation you have plenty of company.

A new study conducted by the Ponemon Institute indicates that many business associates don’t notify their organizations of a data breach during the investigation or after determining the cause of the incident. In fact, 47 percent of those polled either have no timeframe for notification or they do not notify the organization at all.

These facts alone are alarming but can be especially detrimental to an organization in the health care industry, where the new HIPAA Omnibus Final Rule broadens the definition of a data breach and calls for stricter enforcement and greater penalties. The Omnibus Rule took effect in March 2013, although organizations have until September to comply.

...

http://www.corporatecomplianceinsights.com/five-tips-for-minimizing-data-breaches-caused-by-third-party-vendors

A tremendous amount of attention has been lavished on machine-to-machine (M2M) communications. One of its great selling points is its ubiquity. It holds the promise of burrowing into the nooks and crannies of everyday life and providing communications affecting a massive number of mundane uses. It’s a terrific time and labor saver – if things go according to plan.

Believe it or not – and I know this is shocking – things don’t always go according to Hoyle. M2M, if compromised, can turn those rote procedures and promises into real headaches. The Internet of Things can turn into the Internet of Troubles.

...

http://www.itbusinessedge.com/blogs/data-and-telecom/the-great-security-risks-and-rewards-of-m2m.html

It seems like barely a week goes by that there isn’t another development in the software-defined data center.

But as the advancements keep piling up, one thing is becoming clear--or less clear when you think about it. As more and more vendors, developers, systems integrators and data operators and providers enter the field, the more muddled it becomes. What once appeared to be a fairly straightforward, albeit highly technical, means of extending the benefits of hardware virtualization across both localized and distributed infrastructure is quickly becoming a mishmash of platforms, architectures and design philosophies that could very well end up destroying the broad universality that the technology was supposed to engender.

In this way, software-defined tech is no different from the many IT evolutions of the past. Yet it is still painful to see another golden opportunity for widespread infrastructure interoperability slip through the data community’s grasp.

...

http://www.itbusinessedge.com/blogs/infrastructure/software-defined-everything-a-multitude-of-solutions.html

JERSEY CITY, N.J. – ISO announced today revisions to its e-commerce (cyber insurance) product. The E-Commerce Program enhancements from ISO introduce new insurance policies designed specifically for companies with a media liability exposure. Both a "claims-made" and "occurrence" version, each providing defense within limits, are available. ISO is a member of the Verisk Insurance Solutions group at Verisk Analytics (VRSK).

The new policies complement ISO`s existing cyber liability insurance policies: the Information Security Protection Policy (for commercial risks) and the Financial Institutions Information Security Protection Policy (for all financial institutions).

ISO`s media liability policies offer eight separate insuring agreements: media liability; security breach liability; programming errors and omissions liability; replacement or restoration of electronic data; extortion threats; business income and extra expense; public relations expense; and security breach expense. All of them can be written with separate limits and deductibles. Similar to the existing ISO cyber insurance policies, the new media liability policies have associated manual rules and loss costs.

...

http://finance.yahoo.com/news/iso-enhances-cyber-liability-insurance-140102430.html

Recent developments in the cybersecurity landscape have heightened interest in the challenges associated with accurately anticipating and understanding risk, and using that knowledge to better manage organizations.

Enterprises are better delivering risk assessment and, one hopes, defenses, in the current climate of challenging cybersecurity.

Nation-state types of threats may have a very serious impact on organizations. President Obama has directed the National Institute of Standards and Technology to develop a new cybersecurity framework. The administration has sharpened its focus on what can be done to improve cybersecurity throughout the United States' critical infrastructure.

In this podcast, a panel of experts discuss how predicting risks and potential losses accurately is an essential ingredient in enterprise transformation.

http://www.ecommercetimes.com/rsstory/78587.html

Considering potential threats to an organization's reputation as part of the strategic planning process can help reduce such risks and even position a company to enhance its reputation by allowing it to prepare an effective response when an event occurs.

“I think there is a very powerful connection between strategic risk management and reputation and brand management,” said James W. DeLoach, managing director at consultant Protiviti Inc. in Houston.

“As we view certain events over the last several years, we have come to realize even the best household names, the best brands face their moment of crisis. No company is immune to the risk of a crisis,” Mr. DeLoach said.

...

http://www.businessinsurance.com/article/20130728/NEWS06/307289991#

Can you imagine a major industry which suffers a near death experience, angers its entire customer base—wholesale and retail, domestic and international—and yet refuses to publicly apologise and adopt a plan of action that commits the industry to not repeating the mistakes of the past. That is where the banking industry is at right now.

This lack of decisive action on the part of the industry’s leadership will do lasting damage to not only the industry but also to its as yet unforgiving customers and the global economy. Part of the problem is that the industry does not appear to even realise that it is in a crisis—one which has been brought about by a complete loss of public faith in its activities. That is a tragedy.

...

http://ledwidge.wordpress.com/2013/07/28/banks-desperately-need-a-crisis-management-plan/

Monday, 29 July 2013 15:57

The RAID5 delusion

Case in point
I spoke to the head of a small company – about 25 employees – who had suffered a RAID5 drive failure. The 4TB RAID was used for file sharing.

A drive failed, reconstruction failed and vendor phone support was disastrous. All data was lost.

But the worst of it was that there was no backup. They believed that RAID5 would protect their data. They were wrong.

What RAID5 is for
RAID5 does offer some data protection, assuming it works. But its main purpose is to protect access to your data. This is why it is popular in enterprise applications where maintaining data access during a failure is of vital concern.

...

http://www.zdnet.com/the-raid5-delusion-7000018639/

While there’s a tendency to think of cloud computing as a nebulous IT experience that provides continuous access to files and applications, the reality of cloud computing is governed much more by the unforgiving laws of physics. In fact, cloud computing is little more than a massive exercise in distributed computing where the location of files and applications matters more than ever.

Given that reality, there’s a lot more interest these days in putting applications in the cloud as near to the core Internet as possible without being locked into a specific carrier for network services.

...

http://www.itbusinessedge.com/blogs/it-unmasked/equinix-makes-case-for-moving-cloud-to-the-network.html

Computerworld — There's a new C-level executive -- the Chief Digital Officer (CDO) -- in the boardroom, charged with ensuring that companies' massive stores of digital content are being used effectively to connect with customers and drive revenue growth.

At first blush, an executive title that includes the word "digital" would seem to encroach on IT's territory. Not so, observers say -- but that doesn't mean tech leaders don't need to be prepared to work closely with a CDO somewhere down the line.

Gartner last year reported that the number of CDOs is rising steadily, predicting that by 2015, some 25% of companies will have one managing their digital goals, according to analyst Mark P. McDonald. (See also CDOs by the numbers.)

While media companies are at the forefront of this movement, McDonald says, all kinds of organizations are starting to see value in their digital assets and in how those assets can help grow revenue.

"I think everybody's asking themselves whether they need [a CDO] or should become one," McDonald enthuses. "Organizations are looking for some kind of innovation or growth, and digital technologies are providing the first source of technology-intensive growth that we've had in a decade."

...

http://www.cio.com/article/737148/Chief_Digital_Officer_Hot_New_Tech_Title_or_Flash_in_the_Pan_

Monday, 29 July 2013 15:51

Cloud EHR Lessons Learned in Haiti

CIO — Healthcare providers in the United States have preconceived notions about electronic health records—namely, that EHR systems haven't lived up to their promise of transforming healthcare by improving efficiency and cutting costs.

The healthcare industry also has preconceived notions about cloud computing, too—namely, that the cloud isn't secure enough for patient data.

Go to Haiti, though, and the story's dramatically different. There are no preconceptions, no tales of IT implementations gone wrong and no government mandates to adopt technology. As one health worker told Pierre Valette, vice president of content communications for cloud EHR and practice management software vendor athenahealth, "They've got nothing to unlearn."

...

http://www.cio.com/article/737151/Cloud_EHR_Lessons_Learned_in_Haiti

We couldn’t let this week end without leaving you with another reminder of the unaddressed risks in BYOD practices. It’s a trend that shows no sign of slowing, as the risks may be multiplying faster than IT’s ability and willingness to take control in some organizations.

In a Fiberlink survey conducted by Harris Interactive among 2,064 U.S. adults earlier this year, respondents answered questions about how they use their personal and work-provided mobile devices, how they regard those devices, and which specific risky activities they have performed with those devices.

What have they been up to? Twenty-five percent had opened or saved a work attachment file into a third-party app like Dropbox. Twenty percent had cut and pasted a work-related email or attachment from company email to personal email. Eighteen percent had accessed websites blocked by company policy. Fifty-six percent reported they had not performed any of these activities. Since this is self-reported, we can assume these numbers are skewed to make the respondents look more chaste than they may really be.

...

http://www.itbusinessedge.com/blogs/governance-and-risk/will-dual-personas-be-the-answer-to-byod-risks.html

A recent study of 35 large organizations found that social data is still “largely isolated from business-critical enterprise apps” and is created in departmental silos.

The Altimeter Group study found that the average enterprise-class company owns 178 social accounts, with 13 departments “actively engaged” on social platforms. That’s creating serious social data silos, and, not surprisingly, there’s very little effort to integrate all this data.

You really didn’t need a crystal ball to see this coming. As long as businesses function in departmental silos, there will be data silos that mimic that structure.

The report also revealed it’s not always easy to integrate this data, attributing the issue to the fact that so many organizational departments touch the data, “all with varying perspectives on the information,” the article states, adding:

“The report also notes the numerous nuances within social data make it problematic to apply general metrics across the board and, in many organizations, social data doesn’t carry the same credibility as its enterprise counterpart.”

When social data is integrated with enterprise data, it’s usually through business intelligence tools (42 percent), followed by market research at 35 percent. CRM (27 percent), email marketing (27 percent) and sensor data (uh? 4 percent) are also points of convergence.

...

http://www.itbusinessedge.com/blogs/integration/enterprise-social-data-isolated-in-departmental-silos.html

Now that energy prices seem to have stabilized once again, there has been a noticeable shift in attitude surrounding the development and design of the next-generation, “green” data center.

It’s not that the IT industry has discarded the concept entirely--indeed, a number of high-profile projects are scheduled to break ground in the next few months--but there is growing disagreement over how to ensure that everyone’s needs are being met, including data providers, data consumers and the environment itself.

A key topic of debate is the use of renewable energy. Whether it’s wind, water, solar, geothermal, etc., questions are surfacing as to whether full or even partial dependence on renewables is right for the data center. It’s important to note that some of the criticisms are coming from leading environmental researchers, not the data center industry.

...

http://www.itbusinessedge.com/blogs/infrastructure/renewable-energy-for-the-data-center-where-when-and-how.html

CIO — Earlier this week, Intel discussed its plans to forever change the data center as we know it.

Intel, a core technology maker, is now aggressively moving from servers into networking and storage and partnering with segment leaders such as Cisco Systems and EMC along the way. This could make the near future rather interesting.


Think RAID, But With Cheap Processors

For a while, I was convinced that Intel wouldn't catch this wave. Years ago, Microsoft began an initiative to rethink the data center as kind of a modular server. Applying a RAID-like concept to low-cost processors stood at the center of this effort. Replacing the "D" in RAID with a "P" would give any CMO a heart attack, so the concept never got a catchy name—but, on paper, it was poised to reduce computing costs dramatically.

...

http://www.cio.com/article/737027/How_Intel_Plans_to_Destroy_the_Legacy_Data_Center

By far the majority of reputation crises I’ve been involved in have a very, very important question at the core: how do we avoid fanning the flames? There is a very real danger in communicating about an event of actually doing harm rather than improving the situation. The greatest danger, of course, is bringing a bad story to the attention of others who otherwise would not even be aware of it.

The understandable fear of this I believe is the main cause for the other problem which is “too little, too late.” When actions taken, or messages communicated about a big problem, are seen as coming slowly only as a result of outrage or pressure, then reputation damage can be severe.

This is a dilemma, a clear example of being between a rock and a hard place. And almost everyone wants to know how to make a sure-fire strategy decision that doesn’t cause harm in either direction.

...

http://ww2.crisisblogger.com/2013/07/crisis-strategy-how-to-avoid-fanning-the-flames/

Two months after Hurricane Sandy pummeled New York City, Battery Park is again humming with tourists and hustlers, guys selling foam Statue of Liberty crowns, and commuters shuffling off the Staten Island Ferry. On a winter day when the bright sun takes the edge off a frigid harbor breeze, it's hard to imagine all this under water. But if you look closely, there are hints that not everything is back to normal.

Take the boarded-up entrance to the new South Ferry subway station at the end of the No. 1 line. The metal structure covering the stairwell is dotted with rust and streaked with salt, tracing the high-water mark at 13.88 feet above the low-tide line—a level that surpassed all historical floods by nearly four feet. The saltwater submerged the station, turning it into a "large fish tank," as former Metropolitan Transportation Authority Chairman Joseph Lhota put it, corroding the signals and ruining the interior. While the city reopened the old station in early April, the newer one is expected to remain closed to the public for as long as three years.

Before the storm, South Ferry was easily one of the more extravagant stations in the city, refurbished to the tune of $545 million in 2009 and praised by former MTA CEO Elliot Sander as "artistically beautiful and highly functional." Just three years later, the city is poised to spend more than that amount fixing it. Some have argued that South Ferry shouldn't be reopened at all.

...

http://www.motherjones.com/environment/2013/07/hurricane-sandy-global-warming-flooding

When I was 21, I almost lost several hundred million dollars by threatening to mutilate one of our customers.

In my senior year in college, I worked full time as an intern PM at NetApp. I spent most of that time at work being groomed and prepared to be a full PM, and given that my background was in cryptography I got pulled into a lot of customer meetings related to security.

One of our customers at the time was undergoing a big change with their security architecture,  and I tagged along with one of the directors to the meeting. I was one of ten PMs giving talks on roadmap and our plans, and I had 30 minutes to convince their CIO and CEO that we could integrate our new systems well with the new security infrastructure they were rolling out.

...

http://www.forbes.com/sites/quora/2013/07/26/what-is-the-most-catastrophic-error-made-by-an-intern-at-a-tech-company/

WASHINGTON, D.C. — U.S. small businesses — widely recognized as the backbone of the U.S. economy — are particularly at risk from extreme weather and climate change and must take steps to adapt, according to a new report from Small Business Majority (SBM) and the American Sustainable Business Council (ASBC).

Titled “Climate Change Preparedness and the Small Business Sector,” the report concludes: “Because small businesses are distinctly critical to the U.S. economy, and at the same time uniquely vulnerable to damage from extreme weather events, collective actions by the small business community could have an enormous impact on insulating the U.S. economy from climate risk.”

Featuring case studies from the retail, tourism, landscape architecture, agriculture, roofing and small-scale manufacturing sectors of the U.S. economy, the Small Business Majority/ASBC report finds:

...

http://www.manufacturing.net/news/2013/07/report-small-businesses-uniquely-vulnerable-to-climate-change-extreme-weather

By David Zahn, FuelQuest

Hurricane season began June 1 and will last for six months. The National Oceanic and Atmospheric Administration (NOAA) predicts 2013 will be an above-average year for tropical storms and hurricanes. NOAA estimates anywhere between 13 and 20 named storms (sustained winds of 39 miles or greater) and between seven and 11 hurricanes (sustained winds of 74 miles or higher), with three to six of those storms possibly becoming at least a Category 3 (111 miles per hour or higher winds).

Contrasted against seasonal averages of 12 named storms, six hurricanes and three major hurricanes, communities, businesses and governments are on notice for 2013.

The devastating, crippling and deadly nature of these storms is without compare. Hurricane Sandy, which hit the New Jersey coast on Oct. 29, illustrates this fact well. According to the National Hurricane Center, Sandy impacted 24 states, caused 72 deaths and generated more than $50 billion in damages. It also left more than 8.5 million customers without power.

...

http://www.csnews.com/top-story-expert_columns-hurricane_preparedness_starts_with_a_storm_-64146.html

“Business Continuity Planning: Is it an Art or a Science?” That discussion rages on, with as much intensity as the chicken-or-the-egg controversy.  But there is no doubt when it comes to Incident Management – there must be an underlying science for the response to be predictable and effective. One key element of that science is the “Causality Chain”, knowledge which can lead to a predictive response (the selection of appropriate strategies, tactics, actions, or plan to invoke) in any disruptive incident.

An understanding of the Causality Chain should start with an understanding of the organization model.  An organization, in its simplest form, can be represented as a collection of interdependent assets – People, Facilities, Processes, Technology and Supply-Chains – all engaged in delivering products and/or services. This is true in any industry; products and services are an outcome in manufacturing, retail, finance, energy, communications, information, services and everything else – including non-profits and government.

...

http://ebrp.net/the-importance-of-causality-chain-in-effective-incident-management/

By Brandon Butler

Network World — Oracle had a busy couple of weeks at the end of June, rolling out a new version of its database software and announcing partnerships with Microsoft, Salesforce.com and NetSuite. In doing so the company whose CEO Larry Ellison at one time bemoaned cloud computing has almost overnight become a major player in the industry. Here's why.

The moves are not just significant for Oracle; the partnerships that the company has garnered are significant to the partners Microsoft and Salesforce, too. And they'll also reverberate across the industry to competing companies such as Amazon Web Services and SAP, predicts Holger Mueller, vice president at Constellation Research, who recently published a report about these developments. "The bottom line: Oracle technology will play a fundamental role accelerating cloud adoption," he writes.

...

http://www.cio.com/article/736984/3_Things_Oracle_has_Done_to_Become_a_Big_Cloud_Player

Disaster Recovery and Business Continuity are completely different. They are siblings but still two separate and unique topics. Disaster Recovery is technology + process + people for IT systems. Business continuity is people + process for business functions. You can have Business Continuity without Disaster Recovery. The opposite is a total waste of money. If there is no plan for the business to recover and connect to IT systems, you are pouring money down the drain.

In addition, Disaster Recovery is not all about technology. There have been some good discussions about Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) in the industry. However, the linkages to the business functions have not thoroughly been detailed. Even large companies have issues with correlating the IT systems to business functions. In fact, one very large airline I worked with is a perfect example. They named 55 mission critical business functions. IT identified 55 mission critical applications. After some due diligence in aligning business function to applications, only 9 of the applications named by IT supported mission critical business functions and 46 mission critical business functions were not properly supported. So, there were many applications which had clusters, replication, and expensive Disaster Recovery techniques employed that did not need it.

...

http://mdjohn.wordpress.com/2013/07/25/disaster-recovery-business-continuity-operational-recovery-clearing-up-misconceptions/

When a deluge of rain and river water hit Calgary's streets last month, many of the city's businesses were forced to shut their doors and stop employees from coming into work. In fact, an estimated 180,000 workers that live in the downtown core and were forced to evacuate from their homes had no way of getting to work. Some of the country's largest energy corporations were forced to contact staff through social media channels to notify them that their workplaces were no longer accessible. Others asked available staff to log in remotely if they could do so safely. And others set up makeshift satellite offices outside the areas affected by the flood and asked workers to convene at the nearest one instead of overloading the computer systems by logging in remotely all at once.

While the cost of Calgary's floods to local businesses is still being tabulated, the overall economic cost is estimated to be more than $1-billion. Much of that will be related to business losses in the wake of the flood. Tragedies such as the Alberta flood bring to the fore more frequently the often-overlooked issue of risk management and business continuity planning.

...

http://www.canada.com/news/Alberta+floods+vivid+reminder+growing+relevance+business+continuity+plans/8703299/story.html

Thursday, 25 July 2013 15:41

Plan Vs. Technology

Technology is not a Plan. Technology enables a Plan. A Plan coordinates the people and processes that are then enabled by the technology. A replication package only “copies” (I realize it does more than copy, but for simplification purposes that’s what we will call it) bits from one location to another one. How do you decide what to replicate? How do you decide whether there is corruption? How do you handle a hardware failure on one or both of the arrays which are involved in the replication during a disaster? Who declares disaster? Who makes the decision to purchase an array, if necessary? How do you communicate between team members if cell phones and land lines are down? Where do you go to connect if the normal location is inaccessible (blocked off by police, etc.)?

These are the things that a Plan addresses. Apologies for stating the obvious for some. As you can tell, one of my pet peeves is the belief by IT that technology IS the Plan. The same is true for the business assuming that because they think it is “backed up” it is instantly available and synchronized.

...

http://mdjohn.wordpress.com/2013/07/24/plan-vs-technology/

The Wharton School’s Risk Management and Decision Processes Center is joining forces with Zurich Insurance Group in an effort to enhance flood resilience.

In this one-of-a-kind multiyear interdisciplinary approach, Wharton and Zurich, which provides a wide range of insurance services worldwide, will expand upon current research on flood resilience, risk reduction and economic and communal security.

The Risk Management and Decision Processes Center focuses its research on catastrophic risk management as it applies to manmade hazards — floods impact more people across the globe than does any other natural disaster.

“Catastrophic floods — from hurricanes such as Katrina or Sandy, from tsunamis, or from inland flooding as recently happened in Europe—have caused billions of dollars in losses and displaced millions of individuals and businesses in recent years,” Managing Director of the Wharton Risk Center Erwann Michel-Kerjan, who will lead Wharton’s research efforts, said in a statement.

...

http://www.thedp.com/article/2013/07/wharton-partners-to-study-flood-resilience

Data storage has always been a challenge but in recent times it has become harder to manage, purely because of the sheer amount of information organisations are dealing with. This includes structured data from enterprise systems and unstructured data from social networks – all accessed using connected and increasingly, mobile devices.

These trends have raised significant issues for storage managers around how to best manage capacity to cope with the constant influx of data, while optimising performance, managing disaster recovery activities and controlling costs. At the same time, IT managers and other technologists have more choice than ever when it comes to controlling storage infrastructure – including managing all or parts of their storage onsite or in the cloud.

Throughout May and June, IT leaders discussed these issues and more at a series of Computerworld roundtable events in Brisbane, Melbourne, Perth and Sydney, sponsored by IBM.

...

http://www.computerworld.com.au/article/521930/computerworld_lunch_report_future_storage/

Arlington, VA - Today, the Ethics Resource Center released its latest report, National Business Ethics Survey of Social Networkers: New Risks and Opportunities at Work. The study investigates how social networking is affecting the way work gets done, reshaping relationships among workers at all levels of an organization, and altering attitudes about the type of conduct that is acceptable in the workplace.

Major findings show that the more active the social networker, the more likely they are to encounter ethics risks (witness misconduct, feel pressure to compromise standards, and experience retaliation for reporting misconduct). The report also indicates that, despite what many think, social networks are not only for younger employees. Forty-seven percent of active social networkers are under the age of 30, but not far behind, 40 percent are between the ages of 30 and 44.

“Social networking is transforming the office environment in unpredictable ways, with changes that could potentially involve employees at all levels,” said ERC’s President, Dr. Patricia J. Harned. “It is important that those in leadership roles do not fall behind the curve, so they are prepared to act in ways that will seize the opportunities social networking creates, while limiting the risk.”

...

http://www.corporatecomplianceinsights.com/news/three-out-of-four-social-networkers-are-logging-in-on-company-time-ethics-resource-center-reports/

Thursday, 25 July 2013 15:30

12 Predictive Analytics Screw-Ups

Computerworld — Whether you're new to predictive analytics or have a few projects under your belt, it's all too easy to make gaffes. "The vast majority of analytic projects are riddled with mistakes," says John Elder, CEO at data mining firm Elder Research.

Most of those aren't fatal -- almost every model can be improved -- but many projects fail miserably nonetheless, leaving the business with a costly investment in software and time, and nothing to show for it.

And even if you develop a useful model, there are other roadblocks from the business. Elder says that 90% of his firm's projects are "technical successes," but only 65% of that 90% are ever deployed at the client organization.

We asked experts at three consulting firms -- Elder Research, Abbott Analytics and Prediction Impact -- to describe the most egregious business and technical mistakes they've run across based on their experiences in the field. Here is their list of 12 sure-fire ways to fail.

...

http://www.cio.com/article/736882/12_Predictive_Analytics_Screw_Ups

Chances are your organization is so reliant upon IT services that it couldn't function without it. That's why business continuity planning often falls under the purview of the IT department, even though it affects the entire company.

This is both a great thing and a not-so-great thing. On one hand, IT knows that it's covered in the event of a crisis. On the downside, the rest of the company is often left thinking, "Not my problem." So when the time comes for IT to test the disaster recovery models, the rest of the business often won't tolerate being put offline for the sake of business continuity testing. It's no wonder that only 40% of IT organizations have tested their disaster recovery plans in the last 12 months. It's no easy task, but a rock-solid business continuity plan is mission critical for high-functioning, mature companies.

...

http://www.informationweek.com/creative-tests-for-your-business-continu/240158780

Pointing out how poorly you pay your own employees is a crisis management faux pas

So, you set out to create a website, accessible to the public, aimed at helping your employees budget. You have hopes of helping them out, but let’s be real here, you’re also looking to grab you some good PR in the process. Once you get started, however, you realize that there is no way a typical employee at your organization makes enough to live on, even with a second job, and leaving out minor expenses like food, water, and clothing…because those are luxury items, right?

Most of us would scrap the project on the spot, but not McDonald’s! The company, which has already run into a few stumbling blocks while getting acquainted with how the modern web works, must not have thought it was a problem because they went live. As could be expected, the company took a beating in the media, largely as a result of the buzz generated by the following video, from the activists at Low Pay is Not Okay:

http://managementhelp.org/blogs/crisis-management/2013/07/23/mcdonalds-callous-crisis-management-mistake/
Wednesday, 24 July 2013 16:15

Dreamworks builds disaster recovery program

If a major earthquake hits Glendale, one of the city's largest businesses, DreamWorks Animation, wants to get back to work as soon as possible — and has partnered with the city on a new program to make that happen.

On Monday, officials from the city of Glendale and the animation studio announced the new partnership, called the "Back to Business" program, during a press conference on DreamWorks' campus on Flower Street.

City Building Official Stuart Tom said the program allows businesses to pre-qualify to perform their own damage assessments with private engineers, who are 'deputized' on a case-by-case basis, in the wake of a disaster.

...

http://articles.glendalenewspress.com/2013-07-23/news/tn-gnp-me-dreamworks-builds-disaster-recovery-program-20130723_1_glendale-water-power-dreamworks-earthquake

Over the past 2½ years, Christchurch's business environment has challenged many assumptions and contracts. In this six-part series, lawyers from Christchurch legal firm Malley & Co look at some of the lessons all businesses can learn. In this article Michael McKay looks at some of the insurance issues.

Photo caption: Repairs to earthquake damaged shops on New Regent Street after the Christchurch earthquakes. If a loss in profit was because of damage to a business's property, it was likely to be covered by insurance. If, however, the loss was due to fewer customers visiting the affected area, it may be excluded under another circumstances clause.

Insurance is one of the biggest business issues to emerge from the Christchurch earthquakes.

It's led several businesses to consider whether they can claim under their existing policy and whether that policy is still appropriate.

After the earthquakes, it became apparent that many insured and insurers held different views about the scope of their policies. Policy provisions were often untested, and interpretations differed.

...

http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10902530&ref=rss

Wednesday, 24 July 2013 16:00

Will CSOs Become CROs in the Future?

CSO — Few would deny the chief security officer role has evolved quite a bit in recent years. At many large companies, the heads of both physical and information security now report in to the same person, an enterprise CSO. The pace of change for the function is accelerating along with the ever-changing nature of threats.

Today, many believe CSOs will morph, sooner rather than later, into chief risk officers (CROs), monitoring and mitigating enterprise risks, including those relating to information security and facilities (but excluding financial risks, which are covered by the more traditional CRO function in large companies). At a high level, the new responsibilities include understanding your company's risk profile and risk appetite and then mitigating the risks accordingly.

...

http://www.cio.com/article/736804/Will_CSOs_Become_CROs_in_the_Future_

CSO — A recent study that greatly reduces an often-cited estimate on the economic impact of cybercrime and cyberespionage should not give companies a reason to spend less on security, experts say.

The McAfee-sponsored report, released on Monday, found that Internet-based crime and spying cost the U.S. economy as much as $100 billion a year, not the $1 trillion originally estimated by the Intel-owned security vendor. The study was done in conjunction with the nonprofit Center for Strategic and International Studies.

...

http://www.cio.com/article/736861/Don_t_Be_Fooled_By_Study_s_Dramatically_Lower_Cyberthreat_Estimate_Experts_Say

You work in compliance. Now you are on the horns of a dilemma.  Are you going to become a whistleblower or not?

Serious Misconduct

You have learned of serious misconduct within your organization that has been overtly or tacitly approved by high-level management.   You have alerted those above you –or outside counsel– about the misconduct or have tried your best to put a stop to it.  But neither has worked.  You are appalled by what you have witnessed and may even be concerned with being held accountable if and when the misconduct gets exposed and turns into a civil or criminal action.  You understandably are worried about your reputation, both professionally and personally.  You’re near the end of your rope.  Perhaps, you’ve even spoken out so vehemently that you’ve already lost your job.

...

http://www.corporatecomplianceinsights.com/when-compliance-has-to-consider-blowing-the-whistle-some-pros-and-cons/

On July 22, 2013, a 6.6 magnitude earthquake, followed by hundreds of aftershocks, jolted China’s northwest Gansu Province, one of the country’s most under-developed regions. Ninety-four people were initially reported dead, although that number is likely to rise in coming days. Hundreds were injured and some 227,000 people were displaced by the earthquake, which damaged 127,000 homes. Heavy rain is forecast to hit the affected area, potentially hampering rescue and relief efforts and increasing the chances of landslides or houses collapsing.

The Red Cross Society of China immediately responded to assess needs on the ground and dispatch relief supplies, including tents, family kits, jackets and quilts, and more items are being mobilized from warehouses around the country. A 24-member health Emergency Response Team, including volunteer doctors and psychosocial specialists, has also deployed to the affected area.

China is one of the world’s most disaster-prone countries, with approximately 70% of its cities and half of its population located in disaster-prone areas. Earlier this year, the Red Cross Society of China responded to a 7.0 magnitude earthquake in Sichuan province, which killed 196 people and injured over 13,400.

The International Federation of Red Cross and Red Crescent Societies is closely monitoring the situation together with the Red Cross Society of China.

http://newsroom.redcross.org/2013/07/23/disaster-alert-earthquake-in-chinas-gansu-province/

Wednesday, 24 July 2013 15:51

… addicted to thinking

Every so often I find something that sparks me out of the intellectual wasteland that so much of the debate around risk, BC and resilience seems to have become. One example is the book I recently finished reading - Addicted to Performance by John Bircham and Heather Connolly.

I would recommend this to those interested in risk and resilience thinking.
If your primary approach to risk, BC and resilience is standardised, templated and adhering to conventional wisdom – rather than application of critical thinking – this book is for you. But you may not fully appreciate that.

...

http://www.blog.vrg.net.au/reflection/reviews/addicted-to-thinking/

Company Growth Rate Remains Above 40% as Company Exceeds $43 Million in Annualized Revenue

HOUSTON, TX – Alert Logic (www.alertlogic.com), the recognized leader in Security-as-a-Service solutions for the cloud, today announced GAAP revenues for the quarter ending June 30, 2013 of $10.1 million, up 43 percent from the second quarter of 2012, and up 7 percent from the first quarter of 2013. Alert Logic’s annualized revenue under contract in the month of June 2013 exceeded $43 million, and is tracking ahead of the company’s plan to reach a $50 million run-rate by the end of 2013.

Alert Logic realized strong Q2 momentum within the public cloud sector as the company’s release of Threat Manager for Cloud and Log Manager solutions helped secure more than 100 Amazon Web Services customers.

“Our strong growth this quarter keeps us on track to reach our goal of being a $50 million business by the end of 2013,” said Gray Hall, Alert Logic’s president and CEO. “Our new product releases from the second half of 2012 and the first half of 2013 helped fuel our growth this quarter, and we expect a similar boost in the future from the exciting new products and capabilities we plan to launch in the second half of 2013.”

To date, Alert Logic has more than 2,200 customers using its Security-as-a-Service solutions, both via service providers and directly from Alert Logic.

Alert Logic’s notable highlights for Q2 2013 include:

  • Releasing the next generation of Threat Manager, the first fully managed threat management solution deployable in any elastic cloud infrastructure, irrespective of hypervisor and networking architecture.
  • Being named a “Cool Vendor” by Gartner in its 2013 Security Services report, which recognizes Alert Logic for its innovative business model, intrusion detection, vulnerability assessment, log management and web application firewall Security-as-a-Service solutions and cloud-based architecture.

A privately held company, Alert Logic publicly reports its Generally Accepted Accounting Principles (GAAP) revenue results and growth rates quarterly, in addition to its annualized recurring revenue under contract. Alert Logic’s financial statements have been audited in accordance with GAAP since 2005. All Alert Logic revenue is derived through long-term subscription contracts, consistent with the company’s Security-as-a-Service business model. Alert Logic’s solutions are sold directly to enterprise customers and through a diversified channel of resellers and cloud service provider partners.

Alert Logic specializes in providing a portfolio of Security-as-a-Service solutions for customers of hosting and cloud service providers. More than half of the largest managed hosting and cloud service providers use Alert Logic to secure their customer environments, making Alert Logic the de facto standard for securing infrastructure in hosted and cloud environments.

Alert Logic’s Security-as-a-Service solutions provide customers four distinct advantages: market-leading security tools, a fully outsourced and managed SaaS delivery model, integrated 24×7 Security Operations Center (SOC) services to monitor and provide expert guidance, and the ability to deploy wherever a customer has IT infrastructure, including the cloud.

About Alert Logic
Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24×7 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an “as-a-Service” delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight, and flexible deployment options to address customer security needs in any computing environment. Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 2,200 enterprises. Alert Logic is based in Houston, Texas, and was founded in 2002. For more information, please visit www.alertlogic.com.

A policy debate is raging in Europe over cloud computing and those who want to bind the cloud in over-prescriptive regulation threaten to prevent the benefits of the new technology being felt, argues Thomas Boué.

Thomas Boué is director of government relations for Europe, the Middle East and Africa at the Business Software Alliance, a trade association.

A quiet battle of wills has broken out among European policymakers who are pushing competing visions for how to capitalise on the most significant wave of innovation now underway in information technology: cloud computing.

All agree that by creating a new, more efficient architecture for computing, the cloud offers vast economic benefits. It lets enterprises avoid the cost of buying and maintaining some of the IT hardware and software they need to run their operations. Instead, they can have their computing resources delivered over the internet, as infinitely scalable services. For established companies, this creates cost savings that can be reinvested in the core business. For smaller start-ups, it represents one less obstacle on the path to growth.

But while some rightly see the cloud as an opportunity to accelerate commerce and expand global trade in digital services, others harbour more protectionist urges, focused on creating a European fiefdom in the cloud at the expense of global scale.

...

http://www.euractiv.com/infosociety/overbearing-data-protection-rule-analysis-529494

"Well, it will never happen!" is an underlying rationale when nonprofits fail to engage in risk management practices.

When "it" does happen, leadership's first question often is "Can we (translation: 'me') be sued?"

At this point their question is neither timely nor relevant. The relevant question is whether the party harmed can recover from the nonprofit. The answer often confirms the "ounce of prevention" principle. To prevent harm and to minimize its impact requires an effective risk management strategy.

...

http://www.philanthropyjournal.org/resources/managementleadership/risk-management-everyone%E2%80%99s-ounce-prevention

What if you could look over the shoulder of every one of your customers as they used your mobile apps, web pages, kiosks, and other digital channels? What could you learn? How might you use what you learn to dynamically adjust your digital experiences?

In the days when web applications were king, this type of insight was doable with simple web analytics and similar tools. Today, continual experience optimization is much more difficult because of:

...

http://blogs.forrester.com/randy_heffner/13-07-23-digital_customer_experiences_integration_opens_a_world_of_optimization_possibilities

Yesterday Intel had a major press and analyst event in San Francisco to talk about their vision for the future of the data center, anchored on what has become in many eyes the virtuous cycle of future infrastructure demand – mobile devices and “the Internet of things” driving cloud resource consumption, which in turn spews out big data which spawns storage and the requirement for yet more computing to deal with it. As usual with these kinds of events from Intel, it was long on serious vision, and strong on strategic positioning albeit a bit parsimonious on actual future product information with a couple of interesting exceptions.

Content and Core Topics:

Demand side drivers – No major surprises here, but the proliferation of mobile devices, the impending Internet of Things and the mountains of big data that they generate will combine to continue to increase demand for cloud-resident infrastructure, particularly servers and storage, both of which present Intel with an opportunity to sell semiconductors. Needless to say, Intel laced their presentations with frequent reminders about who was the king of semiconductor manufacturing.

...

http://blogs.forrester.com/richard_fichera/13-07-23-intel_lays_out_future_data_center_strategy_serious_focus_on_emerging_opportunities

Tuesday, 23 July 2013 16:01

All Hail the Data

A report from the National Insurance Crime Bureau (NICB) has revealed that insurance claims resulting from hailstorm damage in the United States increased by a whopping 84 percent from 2010 to 2012.

In 2010, there were 467,602 hail damage claims filed, but by 2012 that number had jumped to 861,597.

All told, over two million hail damage claims were processed from January 1, 2010 to December 31, 2012, the NICB said.

Perhaps not surprisingly the top five states generating hail damage claims during this period were Texas (320,823); Missouri (138,857); Kansas (126,490); Colorado (118,118) and Oklahoma (114,168).

...

http://www.iii.org/insuranceindustryblog/?p=3331

CIO — Software-defined networking is one of the most misunderstood concepts in infrastructure computing. It's a phenomenon that's growing in relevance, but it's still mysterious to many CIOs, particularly those who were not reared in overly technical practice. Many myths still surround SDN. What exactly is the notion behind the technology? How can you apply SDN at your business? And how can your organization benefit from it?

Software-Defined Networking Basics

Essentially, SDN takes the virtualization trend that has been sweeping data centers around the globe for the past several years and extends it from compute hardware and storage devices to the network infrastructure itself. By inserting a layer of intelligent software (the controller) between the network devices (switches, routers and network cards) and the operating systems and applications that talk to the wire, software-defined networking lets an IT professional or administrator configure the network using only software. Nobody has to travel to every physical device to configure, or in many cases reconfigure, its settings by hand.

SDN achieves the same abstraction that hardware virtualization does. With hardware virtualization, the hypervisor inserts itself between the physical components of a computer (the motherboard, main bus, processor, memory and so on) and the operating system. The operating system sees virtualized components and operates with those, and the hypervisor itself translates the instructions coming to these virtualized components into instructions the underlying physical hardware can handle.

...

http://www.cio.com/article/736739/What_CIOs_Need_to_Know_About_Software_Defined_Networking_

TRENTON, N.J. -- From Liberty State Park in North Jersey to Lucy the Elephant at the Shore, the state has a wealth of historic sites along the coast that have weathered the whims of Mother Nature for many years. Some, like Lucy, are more than 100 years old.

These important historic sites require protection both before and after a disaster, when any damage that has occurred needs to be repaired in a historically and environmentally sound way.

FEMA’s Environmental Planning and Historic Preservation Cadre (EHP) plays a critical role in helping municipalities and agencies understand the importance of compliance with environmental and cultural regulations so they may make informed planning decisions when repairing or rebuilding a damaged historic site.  

EHP provides expertise and technical assistance to FEMA staff, local, state and federal partners, and applicants who are tasked with the challenge of preserving historic, cultural and natural aspects of our national heritage. They help applicants understand what is required under the law and how best to meet these requirements. 

FEMA’s goal is to ensure that when FEMA funding is to be made available for the restoration of historic sites, all applicable federal, environmental and cultural statutes are identified and met.

The EHP program integrates the protection and enhancement of a state’s environmental, historic and cultural resources into FEMA’s mission, programs and activities.

Typical environmental and historic preservation laws and executive orders that may apply to a historic restoration project include the Endangered Species Act, the Clean Air Act, the Clean Water Act, the National Historic Preservation Act, and federal executive orders on floodplains, wetlands and environmental justice. State historic preservation offices are also involved.

In a continuing partnership with local and state governments, FEMA seeks, through funding grants, to help states recover from a presidentially declared disaster and EHP is careful to advise all applicants to recognize environmental concerns in order to avoid project delays and permit denials while preserving and minimizing effects on New Jersey’s environmental and historic resources.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.

http://www.fema.gov/news-release/2013/07/22/role-femas-environmental-and-historic-preservation-unit-disaster

Large companies have the resources and the incentive to implement risk management systems. With the increase in compliance by medium and small-sized companies, chief compliance officers and internal auditors are developing and implementing risk management systems. I have never been a fan of complicating or confusing compliance and risk management. After all, risk management naturally belongs in the compliance program functions. Creating a whole new risk management function separate from compliance makes no sense.

With this caveat on the structure and operation of a risk management system, I believe that companies should conduct risk assessment and management strategies. When I use the terms risk assessment and management systems, I am referring to overall organizational risks, including business and operational risks, not a specific anti-corruption risk assessment.

A basic risk management system can be developed through an annual collaborative process which requires the participation of all senior management, as well as managers in each business unit/product or service line. Essentially, a senior risk management group should be charged with the responsibility of identifying the most significant risks facing the organization.

...

http://www.corporatecomplianceinsights.com/risk-management-systems-the-new-frontier

Pushing compliance responsibilities closer to the front lines of a business can help make the overall process of enterprise risk management more efficient and less painful, but without proper planning it can also create new challenges. When processes are adopted or updated, critical compliance tasks may be inadvertently altered or cancelled without anyone understanding the impact on the company.

The challenges and benefits of well-planned compliance program execution are discussed in a new book, Enterprise Compliance: The Risk Intelligent Approach from Deloitte's Governance, Risk and Compliance Services. The book is organized around three main components of creating a compliance culture—starting with assessing the environment that drives an organization's compliance risk and requirements and then continuing to the execution and evaluation phases. It also features important questions boards should be discussing with management and discussing among themselves. This article, the second in a series of three, addresses the seven components that comprise the execution aspects of compliance programs. The first article looks at the three facets that shape an organization's compliance and risk environment: its industry, geography and emerging issues.

...

http://deloitte.wsj.com/riskandcompliance/2013/07/22/compliance-risk-management-executing-the-program/

Monday, 22 July 2013 13:50

Why the Mob Rules

Computerworld — A Kickstarter project called Tile set out to raise $20,000 to create small, flat, battery-powered stickers that you attach to your stuff, enabling you to find anything with your smartphone.

They've raised more than $1.6 million so far.

But why?

Tracker gadgets have been around for years. They're useful for finding your lost remote control, keys and other objects. But Tile does something incredible that no other tracking product can. Here's how it works.

You attach a tile to your tablet, remote control, dog's collar or you drop it into your purse, backpack or briefcase. Use the smartphone app to register each Tile device -- basically tell the Tile cloud service what object each Tile is associated with.

...

http://www.cio.com/article/736706/Why_the_Mob_Rules

International travel has many wonderful benefits – one possible risk is the spread of illness into your home, community and workplace.  It can happen in the blink of an eye.  How do illnesses get discovered and tracked?  Good question.  And there is a Global Surveillance System that does just that.

In 2012, the number of international tourist arrivals worldwide was projected to reach a new high of 1 billion arrivals, a 48% increase from 674 million arrivals in 2000. International travel also is increasing among U.S. residents. In 2009, U.S. residents made approximately 61 million trips outside the country, a 5% increase from 1999. Travel-related morbidity can occur during or after travel. Worldwide, 8% of travelers from industrialized to developing countries report becoming ill enough to seek health care during or after travel. Travelers have contributed to the global spread of infectious diseases, including novel and emerging pathogens. Therefore, surveillance of travel-related morbidity is an essential component of global public health surveillance and will be of greater importance as international travel increases worldwide.

...

http://ems-solutionsinc.com/blog/global-surveillance-for-travel-related-disease-affects-your-business-and-you-your-family-at-home-abroad

Monday, 22 July 2013 13:47

When Your Commute Becomes Derailed

Just yesterday I remarked to my husband that my train, the Hudson line, has been amazingly stable and almost always on time. Especially when you consider that there have been major derailments of the Connecticut (May 17) and the Long Island (June 17) lines of the Metropolitan Transit Authority (MTA).

I should have known better. Just when you think you can take a breather, something is bound to happen, as it did this morning. Normally I would have been listening to the news and traffic report, but I was spending some time with my puppy before rushing to the ferry station. Once there I waited, but no ferry, and the few people who were there didn’t seem to know why. Annoying.

I called my husband and asked him to drop me off at the train station across the Hudson (parking is impossible there). On the train platform, however, I quickly learned that there was a big problem—the derailment of 10 CSX garbage train cars on a narrow portion of track used by the Hudson line. There were no injuries, but that is a whole lot of cleanup, not to mention the two tracks that need to be replaced, according to the conductor I talked to. He estimated it would take at least the weekend to repair the damage.

...

http://www.riskmanagementmonitor.com/mta-derailment-lessons-learned/

Monday, 22 July 2013 13:42

What We’re Watching: 7/19/13

By Lars Anderson, Director, Public Affairs

At the end of each week, we post a "What We’re Watching" blog as we look ahead to the weekend and recap events from the week. We encourage you to share it with your friends and family, and have a safe weekend.

Weather Outlook
For many parts of the U.S. it’s been a scorcher all week long, but it looks as though things are finally going to cool off as slightly lower temperatures are expected next week. In the meantime, here are some extreme heat safety tips to keep in mind until the cool down arrives:

  • Cover windows that receive morning or afternoon sun with drapes, shades, awnings, or louvers. (Outdoor awnings or louvers can reduce the heat that enters a home by up to 80 percent.)
  • Know those in your neighborhood who are elderly, young, sick or overweight. They are more likely to become victims of excessive heat and may need help.
  • Never leave children or pets alone in closed vehicles.
  • Stay indoors as much as possible and limit exposure to the sun.
  • Consider spending the warmest part of the day in public buildings such as libraries, schools, movie theaters, shopping malls, and other community facilities. Circulating air can cool the body by increasing the rate at which perspiration evaporates.
  • Eat well-balanced, light, and regular meals. Avoid using salt tablets unless directed to do so by a physician.
  • Drink plenty of water, even if you do not feel thirsty. Avoid drinks with caffeine and limit intake of alcoholic beverages.
  • Dress in loose-fitting, lightweight, and light-colored clothes that cover as much skin as possible. Avoid dark colors because they absorb the sun’s rays. Protect your face and head by wearing a wide-brimmed hat.
  • Avoid strenuous work during the warmest part of the day. Use a buddy system when working in extreme heat, and take frequent breaks.

For more extreme heat safety tips and information, visit www.Ready.gov/heat.
Our friends at the National Weather Service don’t expect any other severe weather over the next couple of days, but as we know weather conditions can rapidly change.  We encourage everyone to monitor your local weather conditions at www.weather.gov or on your mobile phone at http://mobile.weather.gov.

Photos of Week
Here are a few of my favorite photos from the week. You can find more photos at the FEMA Photo Library.

San Francisco, Calif., July 18, 2013 -- Attendees and participants of the 11th FEMA Think Tank listen and contribute to the discussion facilitated by Deputy Administrator Rich Serino at the San Francisco Tech Shop.

Alakanuk, Alaska, July 16, 2013 -- The Alaska State Coordinating Officer Sam Walton and Federal Coordinating Officer Dolph A. Diemont meet with City Manager James Blowe to discuss the FEMA programs which will assist in the recovery efforts after severe flooding crippled the entire infrastructure. Federal funding in the form of Public Assistance (PA) is available to state, tribal and eligible local governments and certain nonprofit organizations on a cost sharing basis for emergency work and the repair or replacement of facilities damaged by the flooding in the Alaska Gateway Regional Educational Attendance Area (REAA), Copper River REAA, Lower Yukon REAA, Yukon Flats REAA, and the Yukon-Koyukuk REAA.

http://blog.fema.gov/2013/07/what-were-watching-71913.html

IDG News Service — Six British citizens were wrongly detained or accused of crimes as a result of mistakes made by authorities when requesting access to Internet data, the U.K. Interception of Communications Commissioner said.

A report detailing law enforcement's errors in the UK was published as interest in surveillance of ordinary citizens' online activities runs high, in the wake of disclosures about the U.S. National Security Agency's secret surveillance programs.

In 2012, U.K. public authorities submitted 570,135 notices and authorizations for communications data, according to the report published on Thursday. The principal users of this communications data are still the intelligence agencies, police forces and other law enforcement agencies, wrote Paul Kennedy, who served as the Interception of Communications Commissioner through last year.

...

http://www.cio.com/article/736674/Bad_Internet_Data_Requests_Led_to_6_Wrongly_Held_Or_Accused_in_UK

It’s mid-July and for many parts of the United States this means persistent hot and dry weather increases the risk of wildfires.

Some 46 percent of the contiguous United States is currently experiencing moderate to exceptional drought conditions, according to Tuesday’s report from the U.S. Drought Monitor.

The first monthly drought outlook from NOAA’s Climate Prediction Center recently warned that drought in the U.S. Southwest is exceptionally intense and unlikely to break completely, despite some relief from the summer thunderstorm season. Most of the already parched West will likely see drought persist or worsen, NOAA said.

Meanwhile, the Wall Street Journal reports that overgrown forest land poses fire risk to a growing number of communities.

It cites U.S. Forest Service statistics that 65 million to 82 million acres of National Forest land are at a "high or very high risk of fire" and are in need of restoration.

...

http://www.iii.org/insuranceindustryblog/?p=3325

Wanna know a secret? Here it is. Chances are, the same reason you’re reading this blog is why many folks at CDC do what they do: a fascination with infectious diseases and a desire to help others. Although the work of CDC employees is frequently glamorized in movies like Outbreak and Contagion, we face the same challenges as any other large, complex organization: communication, logistics, funding, and teamwork. These challenges become especially apparent when outbreaks occur, such as during CDC’s recent response to a dengue outbreak in Angola. Based on our experiences in Angola, this blog will dispel 5 myths about outbreak investigation that are often dramatized by Hollywood.

...

http://blogs.cdc.gov/publichealthmatters/2013/07/dengue-in-angola/

More and more workers around the world are bringing their personal mobile devices to the office daily, and companies appear to be having trouble keeping up with the trend.

About 60 percent of organizations acknowledged they either don't have a policy that specifies how employees may use their own devices in the workplace (41 percent) or are just planning to write such a policy, a study released on Wednesday from Acronis and the Ponemon Institute has found.

"Even though we're still in the early stages of BYOD [Bring Your Own Device], companies are playing catch-up to where their users are," Anders Lofgren, director of Mobility Solutions for Acronis, told CSOonline.

Even as recently as three years ago, IT departments had an iron grip on the endpoints to their networks. "They could secure and provision a fixed device that was procured by the enterprise," said Ben Gibson, chief marketing officer for Aruba Networks.

...

http://www.cio.com/article/736596/BYOD_Runs_Wild_at_Most_Global_Companies

Friday, 19 July 2013 17:47

Disaster Planning for Magical Rabbits

I have a pet rabbit at home. His name is Boba Fett, named after the popular bounty hunter character in the Star Wars movies, and he’s a pretty laid-back little guy, as far as pets go. He’s not the type of animal that requires a ton of maintenance and he definitely doesn’t need a formal risk management plan. But according to a recent article in the Washington Post, not all rabbits get off so easily. Evidently not only does the U.S. Department of Agriculture require certain rabbits to be licensed, but their owners must also have a written disaster plan for what they will do with their rabbit in case of emergency. It sounds crazy, but bureaucracy often does, I guess.

According to the article, some years back Marty Hahne, otherwise known as Marty the Magician, got a notice from the USDA that based on a law that requires licenses for “animal exhibitors,” the rabbit Marty used in his magic act needed to be licensed. Marty complied. And then, this summer, the USDA informed him of a new rule from the agency’s Animal and Plant Health Inspection Service (APHIS):

...

http://www.riskmanagementmonitor.com/disaster-planning-for-magical-rabbits/

There is no question that April 27, 2011 changed the lives of Alabamians. On that one day, our state experienced more than 60 confirmed tornadoes causing widespread devastation. Soon after, we decided to do all we could to make our state safer in the future.

In the days, weeks and months following the tornadoes, Governor Bentley and I toured the state and heard the personal stories of disaster survivors.  Many of them told us how they only had moments to find safety while praying for their lives and the lives of their loved ones.

They were the lucky ones that day.  No matter how much they had lost, they were grateful to still be here, and live through one of the state’s most devastating disasters.  Unfortunately, more than 250 people lost their lives during that 24-hour span of tornadoes.

Once my staff and I grasped the sheer magnitude of what had just happened, we all knew we had to do something to prevent this from happening again.

...

http://blog.fema.gov/2013/07/using-mitigation-to-save-lives-alabama.html

Thursday, 18 July 2013 15:54

Giving Alabamians A Safe Place To Go

During the April 2011 tornadoes, Prattville, Ala. resident Ty Story took cover in a closet with his wife Becky and their three daughters using a mattress for extra protection.

“We were about a mile from where it hit,” he said of the EF-3 tornado that destroyed and damaged numerous homes in his community. “We knew it was close to us, but we couldn’t see it because our house is next to a tree line. But you could see all the trees going in different directions from the wind.”

Although the Story family and their home were undamaged, the devastation around their home and community made one decision very easy.  They quickly became one of the 4,267 Alabama families to register for and receive an individual safe room grant from the state of Alabama funded through the Federal Emergency Management Agency’s hazard mitigation program.

“The safety of Alabama’s residents was a main priority of Governor Bentley following the April 2011 storms,” said Alabama Emergency Management Agency Director Art Faulkner, whose agency administered the program. “Our directive was to assist every homeowner and municipality who submitted the required application within the deadline to ensure they would soon have a safe place to go.”

Following federally declared disasters, states are given grant money from FEMA, through the Hazard Mitigation Grant Program, to help their residents and communities be more resilient in preparation for future disasters. The April 27, 2011 event in Alabama resulted in 62 tornadoes creating a path of destruction more than 1,711 miles long and causing more than 250 deaths in the state. 

Due to that devastation, the state was eligible for more than $70 million in mitigation funds.

“We knew we never wanted to face this situation again,” Faulkner said. “We wanted to give Alabama families and communities the resources they needed to be prepared.”

Because the state established priorities for mitigation projects early, FEMA was able to provide up-front funding for program management costs, allowing the state to hire and train grant reviewers early in the process. Then, as grant applications came in from communities throughout the state, reviewers were already in place to handle them.

In addition, FEMA committed staff to work in Alabama for nearly two years to help process the mitigation grant applications, said FEMA Region IV Administrator Phil May.

 “A key component in Alabama’s recovery has been the state’s commitment to implement mitigation measures to lessen the impacts of future disasters,” he said. “This allowed FEMA and state staff to work hand-in-hand during the project application and approval process.”

The partnership between the federal and state government, along with the rapid ability to receive funding wasn’t lost on the Story family, whose storm shelter is now installed underground, through their garage.  The family received 75 percent of the cost through the grant program.

“Having the peace of mind we have now? That’s just huge,” he said. “We knew we wanted one after seeing the damage. But when we heard about the program and getting reimbursement to do this, well that was just a no-brainer. With three girls in school, I’m just glad FEMA and Alabama made this decision.”

Another example of the unified effort was the FEMA and AEMA co-sponsored “Safer Alabama Summit” held in June 2011 on the University of Alabama’s campus, which allowed storm survivors and elected officials to learn more about the importance of mitigation activities and how to make informed decisions on their recovery. The summit led to numerous other mitigation-related outreach meetings and events throughout the state.

In addition to safe rooms and storm shelters, state officials also obligated money to fund generators for critical infrastructure, alert notification systems, and a project to harden portions of the Druid City Hospital’s trauma center in Tuscaloosa that also sustained damages.

Alabama Mitigation Priorities:

  • $63 million for 4,267 individual & 282 community safe rooms/storm shelters.
  • $3.6 million for alert notification systems.
  • $5 million for generators to critical infrastructure facilities.
  • $1.3 million to harden Druid City Hospital’s trauma center.

http://www.fema.gov/news-release/2013/07/18/giving-alabamians-safe-place-go

More and more businesses have been allowing employees to use their personal mobile devices as a primary means of communication in the workplace.  The increased use of employee-owned smartphones, though convenient, can also pose a serious risk to security; questions may also arise concerning the control and ownership of company data.

It is important for your business to establish strict guidelines for the use of personal mobile devices in the workplace. For example, there should be a clause in company policy allowing for the remote wiping of mobile devices upon termination of employment. Further, company data should be kept separate from personal data, which also lets a remote wipe target only business data, and the use of third-party applications should be kept to a minimum.

...

http://www.insurancefortechs.com/thirdparty-apps-threat-business.html

Computerworld - Manhattan is one of the best locations in the U.S. for data center network connectivity, but in the era of climate change it is also an increasingly risky location. Even so, major data center provider Telx thinks the benefits of NYC outweigh the risks.

Telx said Wednesday that it is opening its third facility in New York, a 72,000 square-foot data center at 32 Avenue of Americas in a former AT&T building rich in network connections.

There are more than 600 network alternatives available in the building, said Chris Downie, president and CFO of Telx. For many customers, "leveraging access to connectivity" and low latency remains a priority, he said. And having data center facilities close to their Manhattan offices is also a consideration.

...

http://www.computerworld.com/s/article/9240857/Forget_Sandy._Telx_still_likes_NYC_for_its_latest_data_center

A security breach can happen to a business of any size, not just the big ones. In fact, 75% of data breaches are targeted at small and medium sized businesses. The cost of a breach can be significant, and not just financially, but for your reputation as well. With an average cost of $214 per compromised customer record, it is no wonder that within half a year of being victimized by cybercrime, 60% of small businesses close. With the correct Cyber Liability Insurance and these 10 steps to a safer business, you and your company do not have to be a victim of a security breach.

...

http://www.insurancefortechs.com/10-steps-safer-business-cyber-security-guide.html

CIO — The thought of a CIO turning to spying technology to peek inside a personal iPhone makes people furious. They fret about an employer remotely reading personal emails and text messages, seeing personal photos and videos, and listening to personal voicemail.

But they would be wrong to worry about such things.

At least that's the message from Ojas Rege, vice president of strategy at MobileIron, a mobile device management software developer.

"There's a ton of confusion out there, and so the trust gap has widened," says Rege. "Employees don't really know what their employer can and can't see. They're just guessing."

...

http://www.cio.com/article/736559/What_Can_Employers_Really_See_on_a_BYOD_Smartphone_or_Tablet_

Wednesday, 17 July 2013 15:53

How to protect your business information

The biggest information security problem for small businesses is coping with the complexity of their systems when they have no-one with the specialist knowledge on how to protect the data, and maybe no IT specialist at all.

Louise Bennett, Chair of the Information Security Specialist Group at the Chartered Institute for IT (BCS), says it's a significant problem. There are sources of information on the web for dealing with most issues, and there's always the option of hiring a consultant, but any firm that wants to keep its sensitive data secure needs a basic level of understanding in-house.

There is evidence that small firms are suffering; in April the Department for Business, Innovation and Skills (BIS) published the annual Information Security Breaches Survey, showing that 87% of small companies had suffered a breach in the previous year, with the median number of breaches rising from 11 to 17.

Bennett says she thinks it's realistic for a small firm to develop the understanding to place itself in the minority that are not affected.

...

http://www.techradar.com/news/internet/policies-protocols/how-to-protect-your-business-information-1166251

Wednesday, 17 July 2013 15:44

Why risk management can succeed in IT

This is a counterpoint to the Network World article "Why risk management fails in IT" by Richard Stiennon, chief research analyst at IT-Harvest.

Earlier this week Richard Stiennon published an article that questions the value of risk management in IT, and I would argue that, although risk management presents challenges to IT, best practice-driven approaches leveraging aspects of risk management are essential to good security.

Stiennon's perspective reflects the prevailing view in the media -- supported by valid industry statistics -- that IT security is losing the war against the bad guys. Data breaches are front page news and companies are being fined millions of dollars for losing personal information. Given we have been fighting this battle for so long, we must have made some progress, right?

...

http://www.computerworld.com.au/article/439774/why_risk_management_can_succeed_it/

Wednesday, 17 July 2013 15:42

15 Ways to Screw Up an IT Project

CIO — Paul Simon famously sang that there must be 50 ways to leave your lover. Similar could be said (if not sung) regarding projects: There must be 50 ways to screw up your IT projects. Indeed, ask IT executives and project management experts, as CIO.com did, and they will rattle off dozens of reasons why projects go astray. For the sake of brevity, however, we are starting with the top 15 ways to derail a project--and how to avoid these project management pitfalls.

1. Having a poor or no statement of work. "I've seen many projects encounter troubles due to the lack of a well-defined project scope," says Bryan Fangman, senior project manager at Borland, a Micro Focus Company.

...

http://www.cio.com/article/736491/15_Ways_to_Screw_Up_an_IT_Project

Wednesday, 17 July 2013 15:41

Who Can Pry Into Your Cloud-based Data?

Computerworld — Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It's a good question, made all the more relevant by the revelations regarding the National Security Agency's Prism program. So how can you best address these issues in your contract with your cloud vendor?

With cloud computing, data access is inevitably a shared responsibility between the customer and the cloud vendor. Those shared responsibilities need to be addressed in the contract, and most cloud vendors' standard contracts leave something to be desired.

While the cloud vendor is responsible for providing the customer with access to its own data, the cloud vendor should also be contractually obligated to not share the customer's data with others, intentionally or not. This may seem obvious, but there are nuances to be addressed in the following areas:

...

http://www.cio.com/article/736452/Who_Can_Pry_Into_Your_Cloud_based_Data_

Wednesday, 17 July 2013 15:22

Making an Agile IT Strategy

An agile enterprise is a flexible, robust organization that is capable of rapid response to unexpected challenges, events, and opportunities. Agile enterprises achieve continuous competitive advantage in serving their customers by following strategies that facilitate speed and change. Enablers of enterprise agility include diffused authority; flat organizational structures; trust-based relationships with customers and suppliers; and, of course, an agile information technology strategy. In this post, I focus on what it takes to have an agile IT strategy.

IT departments that are truly agile, or are at least on the path to becoming so, exhibit several key characteristics. First, the majority of their project teams are taking an agile approach to the full delivery lifecycle. This typically is either a disciplined agile delivery (DAD)-based strategy or a strategy that they formulated themselves that is evolving toward something that looks a lot like DAD. This doesn’t mean that all project teams are agile, but most are and the ones that aren’t are starting to move in that direction. Second, the IT organization natively supports — and more importantly, embraces — agile strategies for cross-solution activities such as portfolio management, operations, enterprise architecture, asset management, enterprise administration, governance, and other activities. Third, the IT organization seeks to optimize all of these activities as a whole, to borrow from lean terminology, instead of suboptimizing around functional silos as they may have in the days of the waterfall/traditional paradigm. Let’s explore each of these characteristics one at a time.

...

http://blog.cutter.com/2013/07/16/making-an-agile-it-strategy

CIO — After more than 4,000 votes were cast, the final Big Data startup rankings are in. Keep in mind that while voting was weighted heavily, it was not the be-all-and-end-all consideration. Other criteria included big-name end users, VC funding, the pedigree of the management team and market positioning.

Here are the final rankings, along with why they finished where they did:

...

http://www.cio.com/article/736377/10_Top_Big_Data_Startups_to_Watch_Final_Rankings

Trend Micro held its first Asia Pacific (AP) Industry Analyst summit on April 9, 2013 in Singapore. The most obvious message for me is that the company is clearly seeking to expand its focus well beyond the “legacy” antivirus market. Throughout the event, Trend Micro emphasized the need for cloud security solutions and the opportunities that exist in the Asia Pacific market. Speakers also highlighted the need to invest in breaking Trend Micro’s image as an antivirus vendor to help capitalize on the market opportunities for enterprise cloud security. 

Below are the two key themes highlighted by Trend Micro during the event and my take on each:

  • Enabling cloud-related security is central to company growth. Security-related concerns remain the most prominent reason that organizations cite for not adopting cloud services. Recently the Cloud Security Alliance (CSA) outlined the “Notorious Nine” threats for 2013, and the top three cloud-related threats include data breaches, data loss and account hijacking. (Source: http://www.zdnet.com/clouds-risks-spur-notorious-nine-threats-for-2013-7000011820/). Forrester’s Forrsights IT Budgets and Priorities Survey conducted in Q4 2012 shows that 30% of organizations in the AP region aim to create a comprehensive strategy and implementation plan for public cloud and other as-a-service offerings over the next 12 months. Cloud-related spending therefore represents a big market opportunity. Security will be central to organizations’ cloud strategies, and hence spending. Trend Micro is aiming to meet this nascent demand but must better explain why it is best positioned.

...

http://blogs.forrester.com/manatosh_das/13-07-15-trend_micro_bets_big_on_cloud_security_in_asia_pacific

Intellectual property is an essential part of a company’s bottom line. It encompasses various forms, including patents for useful features that make products more desirable or make manufacturing processes and business methods more efficient and economical; trademarks that protect the names, logos, and symbols used to identify and distinguish a company and its goods and services; trade secrets that protect customer lists, vendor lists, formulations, and the like; copyrights that protect marketing materials, product guides and manuals, audio-visual works, software, information compilations, and artwork; and design patents or trade dress that protect the way products look. Not all forms of intellectual property are important to every company, but some form of intellectual property is important to virtually every company.

Notwithstanding the importance of IP, businesses have overlooked its value until fairly recently. In the 1990s, business strength was focused on tangible assets, with intangible IP being relegated to mention in footnotes. The internet business boom and government regulation changed business thinking. Now companies more typically recognize the importance of IP in business decisions and transactions, and that recognition has increased the demand for IP audits. In a 2011 survey by CPA Global, 77 percent of in-house IP professionals said their companies had a greater understanding of the importance of IP and IP valuation, but 74 percent highlighted the need for more focused IP management strategies. The following discussion describes IP audits, explains why they are essential for good IP management, and provides information about IP audit costs.

...

http://www.corporatecomplianceinsights.com/ip-audits-what-are-they-why-are-they-important-what-do-they-cost

I’m at that point in my life where one of the greatest joys I have is playing tennis with my teenage grandson. I’ve always looked at competition through sports as a great bonding opportunity for fathers and sons. My grandson is taking lessons once a week at a local club near us. Over the past couple of years, he’s gotten pretty darn good. To help him practice between lessons, I serve as his “sparring partner”. We find time to play a couple of times a week together.

When I was younger (i.e. high school and college) I played some racquetball, but never tennis.  What I know about tennis has come from my being an easy mark for “the kid”.  But with my competitive nature, I’ve learned and practiced along the way to the point where I can actually give him a run for his money – oh that’s right, it’s my money.

Anyway, I just got in from playing tennis this evening with my grandson and while I was out on the court “getting schooled” again, I began thinking about how playing tennis can be similar to what we do in crisis management.

...

http://timbonno.wordpress.com/2013/07/15/getting-beat-by-a-teenager-in-tennis-and-whats-that-got-to-do-with-crisis-management/

Tuesday, 16 July 2013 15:52

The 3 Year Itch

I have been involved in the BCM industry for the past few years – knee-deep in our company’s marketing, branding and social media activities. I also wear a CRM hat and track all the sales and marketing efforts.  On average, we receive a few hundred enquiries for our products from our contact widget on our website.  We get a few hundred more qualified leads from our participation in various industry trade shows. All these sales opportunities are followed up diligently by our Sales team.

When analyzing the CRM database, a very interesting pattern emerges:

The 3-year itch

Prospects with whom we’ve dealt before often return with requests for product and pricing information.  Most of them occur on 36-month cycles. These prospects stay engaged for varying periods – from a single conversation to as long as 6 months. If they decide to buy a competitor’s product the conversation ends – temporarily. They often pop up again in 36 months to start the whole process again.

...

http://ebrp.net/the-3-year-itch/

Tuesday, 16 July 2013 15:48

Sleepless in Philadelphia

Here at FEMA we’re committed to the “Whole Community” approach to emergency management which Administrator Fugate initiated when he arrived. For those of you that haven’t heard of the Whole Community concept, it basically says that FEMA can’t manage emergencies by ourselves; we need to make sure that we’re including the private sector, community organizations, faith-based organizations, state local, and tribal government, the general public, non-profits, schools, our partners in other federal agencies, and almost any other group you can think of. One specific part of the Whole Community idea that we’re really working on is integrating the needs of people with access and functional needs in an inclusive setting and to accomplish this, we’re working collaboratively with our community partners who can bring resources, skills, and expertise to the table.  To support this effort Administrator Fugate created the Office of Disability Integration & Coordination and positions like mine, as the Regional Disability Integration Specialist here in the Region III office in Philadelphia.

A large part of my job is making sure that the access and functional needs of people with disabilities are addressed in an inclusive manner, as well as making connections between emergency managers and disability leaders.  So I want to tell you a little bit about an exciting project we are participating in with our community partners.

Philadelphia, Pa., June 28, 2013 -- LesleyAnne Ezelle, Regional Disability Integration Specialist, FEMA Region III visits the Philadelphia Chapter of the American Red Cross office where they held a Shelter Sleepover Exercise.

On June 28th, 2013 I went to the Philadelphia Chapter of the American Red Cross office where they held a Shelter Sleepover Exercise. The point of the exercise was to test their ability to provide services and support to people with access and functional needs in a general shelter. There were volunteers from the local community, many of whom are active with the Functional Needs Subcommittee of the Southeastern Pennsylvania Regional Task Force.

They asked me to give an overview of effective communication, so I gave a demonstration on the equipment that we now have in our Disaster Recovery Centers (DRC). This equipment can also be used in other settings so that people with access and functional needs can get the same information as everyone else and get it in their preferred method of communication.  FEMA now has 175 accessible communication kits that are used to provide effective communication access in every DRC.

While this technology gives us many new options to communicate more effectively, it was pointed out by one of the shelter ‘clients’ that sometimes a skilled person who can interpret and provide information is needed too. We realize that having trained and knowledgeable shelter staff and access to on-site interpreters, scribes, and personal care attendants is just as important to providing effective and accessible services.  FEMA can offer these services to the state, during a Presidentially-declared disaster, if requested.  By having exercises like this one, both the shelter clients and the shelter volunteers get the opportunity to learn what works, what doesn’t, what may be available and we’re able to find solutions, together, to make the shelter experience truly inclusive and accessible.

One of the things that I found very impressive about this exercise is that it was a good example of the saying “nothing about us, without us” that we use a lot in the advocacy movement when we talk about planning services for people with disabilities. Shelter Sleep Over and other activities in Region III are an example of embracing that philosophy and we are looking forward to many more collaborative learning experiences.

http://blog.fema.gov/2013/07/sleepless-in-philadelphia.html

CIO — Mobile devices are working their way into every facet of our lives these days. For instance, according to Accenture Interactive, 72 percent of consumers ages 20 to 40 now use mobile devices to comparison shop while in retail stores.

The problem for retailers? The majority of them leave without making a purchase with their smartphone or tablet; they purchase online—often using a different device, such as a desktop PC.

How do you track the success of your marketing under these circumstances and ensure that you are delivering your customers the best possible experience? BloomReach, which specializes in big data marketing applications, believes big data provides the answer.

BloomReach today took the wraps off BloomReach Mobile, a cross-channel-optimized mobile search and discovery solution built on the company's signature Web Relevance Engine technology.

...

http://www.cio.com/article/736361/How_Big_Data_Can_Help_Retailers_Optimize_Mobile

Computerworld - Given the dire warnings about climate change, some business leaders and IT professionals are pondering this question: How should data center managers handle the crop of so-called 100- and even 500-year storms, coastal floods and other ecological disasters that climatologists predict are heading our way?

Some experts suggest that managers of mission-critical data centers simply need to harden their existing facilities, other observers say data centers need to be moved to higher ground, and a third group advises data center managers to pursue both strategies.

One thing is certain, experts say: Few IT organizations -- even those that suffered or narrowly escaped damage during recent major storms -- are thinking long term. Most IT leaders are, if anything, taking the path of least resistance and least expense.

...

http://www.computerworld.com/s/article/9240743/Some_data_center_operators_take_their_chances_with_floods

Many of us don’t hear about a crisis until it hits the newswires, either through social media, news websites or through a posting on a social site we might follow. In some cases, we might not know about a crisis until we see first responders racing down the road heading towards an emergency.

Some will automatically see a disaster as a large catastrophe, and one of the BCM/DR industry definitions of a disaster is that it’s a sudden, unplanned event that prevents the organization from performing normal operations. However, both a crisis and a disaster can start well before the public or media even get wind of the problem.

Sometimes a disaster doesn’t begin until after a period of time in which a lesser level of operational hindrance has been experienced. Then, when the disaster itself occurs, the management of the situation will determine the level of crisis, meaning how well the crisis is handled from the perspective of the public, media, stakeholders (vendors, partners etc.) and employees.

...

http://stoneroad.wordpress.com/2013/07/12/crisis-management-when-does-a-crisis-start/

In 2008, Hurricane Ike devastated the upper Texas coast with many animals lost and many more suffering needlessly.  This storm triggered a request for the Texas A&M College of Veterinary Medicine & Biomedical Sciences to form a deployable veterinary emergency team. 

The Texas A&M Veterinary Emergency Team (TAMU VET) is comprised of veterinary faculty, staff, and senior veterinary medical students. Since its inception, the TAMU VET has been deployed for Hurricanes Rita and Gustav, the 2011 Grimes County Wildfire and Bastrop Complex Wildfire, an Alzheimer’s patient search in Brazos County in 2012, and the 2013 West, Texas fertilizer plant explosion.

TAMU VET was formed in response to an increasing frequency of emergencies and disasters, the pressing need for veterinary support for the canine component of search and rescue efforts, and a societal decision that animals were worthy of care and support during disasters.

When a call to respond to a disaster comes in, an alert is put out to the team via a phone call down system, and everyone responds with their availability to deploy. The goal is to be out the door within four hours of a request to deploy. Working hand in hand with the first responders, one of the most important benefits of TAMU VET is their ability to be on the front lines of a disaster. Not only are they there to support, treat, and assist canine search teams, but the first responders are often the first groups to find or rescue animals that have been involved in the disaster. TAMU VET is able to coordinate the capture and rescue of found animals, and gives first responders a place to bring injured or ill animals.

This triage point for the field allows first responders to do their job and also begins the process of animal rescue and recovery early on. It has become the expectation that TAMU VET will be on the ground in an emergency because everyone realizes that animal issues are an aspect of any disaster. “First responders have told us repeatedly that it helps them do their job when they know we are there to help take care of their canine search teams, but also to take care of animals that might otherwise be ignored, left behind, or rescue delayed until the human response is completed. This is a truly special partnership and is one that we know works,” says Deb Zoran, Associate Professor and TAMU VET Medical Operations Chief at Texas A&M University College of Veterinary Medicine and Biomedical Sciences.

The diverse range of deployments has allowed the veterinary students to participate in serving the citizens of Texas while simultaneously providing professional development through the complex and rapidly changing disaster environment in which they are providing veterinary medical care. The educational value of emergency response deployments led to the development of a required clinical veterinary medical rotation during the fourth year of the veterinary program – the first of its kind in the United States.

The clinical rotation at TAMU is designed to provide veterinary medical students with the knowledge base and skills to assist their communities with planning to mitigate or respond to animal issues during disasters. The rotation is divided into two major parts: preparedness and response. The preparedness component requires students to make a personal preparedness plan, assigns them the task of working through the process of developing a practice preparedness plan, and introduces the students to the concept of developing a county emergency animal sheltering and veterinary medical operations plan. In the response component, students learn risk communications, medical and field triage concepts, and medical operations in austere conditions. They also have the opportunity to spend a day at Disaster City – a local training site for first responders from around the state and the nation to get to understand some of the medical and environmental conditions the first responders must work in.

As a leader in veterinary emergency preparedness and response, TAMU just marked the first anniversary of its required clinical rotation and continues to act as a strong service for animals in a disaster. For more information, visit the TAMU VET website.

http://blogs.cdc.gov/publichealthmatters/2013/07/veterinary-school-leads-in-emergency-response/

IDG News Service (Miami Bureau) — In another example of the consumerization of IT, people have embraced cloud storage and file sharing services like Dropbox both at home and at work, and CIOs better take notice about this trend, according to a Forrester Research report.

"There is huge business value in these types of services," said Rob Koplowitz, co-author of the study "File Sync and Share Platforms, Q3 2013." "They solve a bunch of business problems."

Dropbox and similar services, with their intuitive and user-friendly interfaces, make it easy and convenient for people to sync files across multiple personal and enterprise devices, including tablets and smartphones, and share these often large files with colleagues, clients and partners, he said.

...

http://www.cio.com/article/736300/Forrester_File_Sync_and_Share_Heats_Up_in_the_Enterprise

There's a very old IT problem that's gaining renewed attention lately: The problem of keeping too many copies of data. The analyst firm IDC has quantified the problem and come up with some rather startling statistics:

  • More than 60% of all enterprise disk capacity worldwide is filled with copy data
  • By 2016, spending on storage for copy data will approach $50 billion and copy data capacity will exceed 315 million terabytes
  • In the next 12 months, [IT departments] expect increased use of data copies for app development and testing, regulatory compliance, multi-user access and long-term archival

...

http://blogs.computerworld.com/data-storage/22451/makin-copies-and-why-not-having-copy-data-management-crushing-your-it-department

Risk modeling is a useful tool for business continuity managers, but over-reliance and flawed approaches can create difficulties. By Geary W. Sikich.

Introduction

Fundamental uncertainties derive from our fragmentary understanding of risk and complex system dynamics and interdependencies. Abundant stochastic variation in risk parameters further exacerbates the ability to clearly assess uncertainties.

Uncertainty is not just a single dimension, but also surrounds the potential impacts of forces such as globalization and decentralization, effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.

Such uncertainty underpins the arguments both of those exploiting risk, who demand evidence that exploitation causes harm before accepting limitations, and those avoiding risk, who seek to limit risk realization in the absence of clear indications of sustainability.

...

http://www.continuitycentral.com/feature1088.html

The wrong words online can come back to haunt you

The case of Justin Carter, the Central Texas teen jailed for over five months as a result of a Facebook comment, is a powerful lesson in just how serious social media has gotten, and why your personal crisis management considerations should include careful censorship of controversial conversation.

Here’s what went down, as described in a HuffPost blog by Ryan Grenoble:

Earlier this year, Carter and a friend got into an Facebook argument with someone regarding “League of Legends,” an online video game with notoriously die-hard fans. Justin’s father, Jack, explained to ABC local affiliate KVUE that at the end of the conversation “[s]omeone had said something to the effect of ‘Oh you’re insane, you’re crazy, you’re messed up in the head,’ to which [Justin] replied ‘Oh yeah, I’m real messed up in the head, I’m going to go shoot up a school full of kids and eat their still, beating hearts,’ and the next two lines were lol and jk [all sic].”

http://managementhelp.org/blogs/crisis-management/2013/07/12/jailed-texas-teen-a-social-media-crisis-management-lesson/

Network World — There are two trends happening in the IT hardware market, each gaining momentum but offering very different ways of outfitting data centers.

On the one hand, companies with enormous data centers such as Facebook, Rackspace, Google and Goldman Sachs are creating their own compute, storage and network devices using cheap, commodity components. The pieces are built to a standard - organized by the Open Compute Project (OCP) - to ensure they interoperate, and they are then assembled to create hardware that is finely tuned to the specific needs of an organization. This "disaggregation" of hardware allows one company to have a system that is optimized for high storage capacity with low CPU, for example, while another company could customize the hardware for intense reading capabilities, but low writing.

...

http://www.cio.com/article/736279/Pick_Your_Hardware_Vision_Open_Compute_Project_vs._Data_Centers_in_a_Box

Friday, 12 July 2013 16:57

It’s all in your head

Or is it?


According to MONDAQ.com, Australia’s courts seem to be spending a lot of time considering “psychiatric harm” in the workplace.

While these concerns seem primarily based on conditions “Down Under,” risk management practitioners should be aware that the issue can become global and affect their clients. Similar cases may be coming to a courtroom near you.

In one case, the court ruled that “Employers not necessarily liable for psychiatric harm to employees who are stressed or overworked” ( http://tinyurl.com/k7up53m). In separate decisions, two employees who sustained psychiatric injuries in the course of their employment in Victoria were denied damages in recent decisions of the Supreme Court of Victoria and the Victorian Court of Appeal.

In another case, “Law firm successfully defends against claim of bullying” (http://tinyurl.com/knl7gn2), the court decided that an employee who experienced an overwhelming workload, professional and personal pressure, conflict and a strained relationship with a colleague was found not to have been bullied.

Interestingly, all cases were heard in the same Australian state, Victoria.

...

http://johnglennmbci.blogspot.com/2013/07/erm-bc-coop-its-all-in-your-head.html

Thursday, 11 July 2013 14:21

Developing a Crisis Management Plan

“Houston, we have a problem.”

Even the most professionally run businesses, including law firms, occasionally run into times of crisis.

In the specific example of a law firm, crises can arise in many forms, like issues that compromise operations, financial dilemmas, and ultimately, problems that threaten or damage the integrity and reputation of a firm.

Entertaining thoughts of potential predicaments can be uncomfortable, not to mention daunting. However, as is the case in any type of disaster scenario, it is best to have an anticipatory plan of action in place before catastrophe occurs. Doing so can be the difference between putting out the fire and fanning the flames in times of crisis.

...

http://www.thelawplanetblog.com/2013/07/developing_a_crisis_management.html

DSD manifesto clarifies “significant risks” and strategies for secure BYOD

David Braue | July 11, 2013

Strategies for securely implementing bring your own device (BYOD) policies have been formalised in an extensive document recently published by the Defence Signals Directorate (DSD) that outlines business cases, regulatory obligations and legislation relevant to securely implementing BYOD.

The document, entitled Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD), aims to help readers understand and mitigate the "significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data", according to its authors.

DSD has long held primacy in information-security matters, offering technical certification of products for use in secure environments and offering IT-security guidance for government and non-government bodies through publications such as its Information Security Manual (ISM).

http://www.computerworld.com.sg/tech/security/dsd-manifesto-clarifies-significant-risks-and-strategies-for-secure-byod/

By Sunil Cherian

Business continuity planning (BCP) should cover an organization’s ability to avoid major business disruption from a disaster while addressing the principal concerns of business risk mitigation and of protecting data and preventing data loss. Business transactions delivered from the data center pose major challenges to business continuity.

Data center infrastructure and the networks that support it play a prominent role in automating business processes and communication across the organization, customers, partners, suppliers and regulators to ensure the organization continues to run during a disaster. Connectivity in data center infrastructure and the networks can be adversely affected by bottlenecks or complete failure due to network outages, hardware failures, human error and natural disasters.

Application delivery controllers (ADCs) protect these vital corporate assets and keep the network up and running. Below are five capabilities to look for to create a reliable application delivery infrastructure for business continuity planning:

...

http://www.continuitycentral.com/feature1086.html

The emerging H7N9 avian influenza virus responsible for at least 37 human deaths in China has qualities that could potentially spark a global influenza pandemic, according to a new study published yesterday (July 11th, 2013) in the journal Nature.

An international team led by Yoshihiro Kawaoka of the University of Wisconsin-Madison and the University of Tokyo conducted a comprehensive analysis of two of the first human isolates of the virus from patients in China. Their efforts revealed the H7N9 virus's ability to infect and replicate in several species of mammals, including ferrets and monkeys, and to transmit in ferrets — data that suggests H7N9 viruses have the potential to become a worldwide threat to human health.

"H7N9 viruses have several features typically associated with human influenza viruses and therefore possess pandemic potential and need to be monitored closely," says Kawaoka, one of the world's leading experts on avian flu.

"If H7N9 viruses acquire the ability to transmit efficiently from person to person, a worldwide outbreak is almost certain since humans lack protective immune responses to these types of viruses," says Kawaoka.

...

http://www.continuitycentral.com/news06851.html

Thursday, 11 July 2013 14:18

EMC 'Bringing the Sexy Back' to Data

CIO — Backup isn't exactly the sexiest area within an IT organization. In many cases, it's perennially understaffed and under-resourced. But as data becomes an increasingly valuable commodity in the enterprise, and the volumes of data generated by the enterprise expand exponentially, backup is buckling under the strain. A new way of thinking about protection storage architecture may be required.

"Imagine a dam with a single, small sluice gate near the bottom, and there's water just gushing over the top," says Guy Churchward, president of Backup and Recovery Systems at EMC. That sluice gate represents your backup platform and the water represents your data. "Backup can't handle the load."

And worse is coming, Churchward says. If you were to pan the camera back from your little dam with water spilling over the top, you'd see 15 other raging rivers rushing toward you.

...

http://www.cio.com/article/736179/EMC_Bringing_the_Sexy_Back_to_Data_

The title of this article is a question that comes up often in Business Continuity Management industry LinkedIn Group Discussions.  Many planners and practitioners struggle with where BCM is situated in their organizational hierarchy – resulting in a hopeful search for a better solution.

Business Continuity Management is often the homely foster child in many organizations.  (For those not familiar with the US foster-care system, a foster child is removed from his/her natural parents and sent to live with a volunteer ‘foster family’ who receives government funds to provide their care).  Few C-level executives want responsibility for BCM.  There’s little ‘up’ side; it doesn’t make any money, and failure – in either a compliance audit or a real-life disruption – may win a one-way ticket to unemployment.

So the winner of the Business Continuity Management sweepstakes is decided by fiat or by default, depending upon the organization’s culture.

...

http://ebrp.net/where-should-business-continuity-belong-in-an-organization/

Techworld — Many organizations are still dependent on archaic data centre infrastructures despite the knock-on effect they can have on the end-user experience and levels of productivity, according to research released today.

Brocade, which commissioned the survey said the results showed that many organisations were using the same data centre technology that has been in place for the last 20 years.

The study, carried out by Vanson Bourne on behalf of the networking company, found that 91 percent of 1,750 IT decision-makers needed to carry out substantial infrastructure upgrades on their networks if they wanted to meet the demands presented by virtualisation and cloud computing.

...

http://www.cio.com/article/736142/Old_Fashioned_Tech_Behind_Data_Center_Outages

Wednesday, 10 July 2013 21:22

BYOD Breeds Distrust Between Workers and IT

CSO — The Bring Your Own Device (BYOD) movement is supposed to boost worker productivity but a study released on Monday said it can also breed distrust between employees and IT departments.

Nearly half of American workers (45 percent) said they're worried about IT accessing personal data on devices they use for work and home, a report by Aruba Networks revealed.

Similar sentiments were expressed by European workers (25 percent) and those in the Middle East (31 percent), said the survey of 3,000 workers worldwide.

In addition, nearly one out of five European workers (18 percent) and more than a quarter of Middle Eastern respondents (26 percent) feared their IT departments would interfere with their private data if they got their hands on the worker's devices.

...

http://www.cio.com/article/736129/BYOD_Breeds_Distrust_Between_Workers_and_IT

Wednesday, 10 July 2013 21:20

A Technological Edge on Wildfires

When the winds change, a ferocious forest inferno can make a sharp turn, and the fire crews battling it may need to depend on their eyes and instincts to tell them whether they are in danger.

Sometimes, as appears to be the case in the deaths of 19 elite firefighters in Arizona, it is already too late.

Of course, the best way to fight catastrophic fires is to keep them from growing to catastrophic scale. But that is becoming more and more difficult as global warming raises the likelihood of fires, especially in Western forests. By 2050, the annual extent of forests burned is predicted to rise by 50 percent or more.

So officials and experts are increasingly relying on technology both high and low to counteract the trickery of raging wildfires.

In computer simulations, the United States Forest Service sets tens of thousands of virtual fires — factoring in different weather patterns, topography, vegetation and historical weather patterns. “You would sort of get a map that depicts a likelihood of fire occurrence,” said Elizabeth Reinhardt, an assistant director of fire ecology and fuels for the Forest Service.

...

http://www.nytimes.com/2013/07/09/science/getting-an-edge-on-wildfires.html

Wednesday, 10 July 2013 21:17

Defining The Mobile Security Market

Understanding the terms and technologies in the mobile security market can be a daunting and difficult task. The mobile ecosystem is changing at a very rapid pace, causing vendors to pivot their product direction to meet the needs of the enterprise. These changes in direction are creating a merging and twisting of technology descriptions being used by sales and marketing of the vendor offerings. What we considered “Mobile Device Management” yesterday has taken on shades of containerization and virtualization today.
 
Mobile antivirus used to be a standalone vision but has rapidly become a piece of the mobile endpoint security market. Where do we draw the lines, and how do we clearly define the market and products that the enterprise requires to secure their mobile environment?

...

There is a young lady carousing in the Caribbean with designs on south Florida.

Turn on the tv and you hear the name “Chantal.” Once named, the tv news readers tell us we are advised to get our hurricane preparations underway.

Turn on the radio and you hear the same thing.

Pick up a newspaper – yes, there still are newspapers in south Florida – and you not only are encouraged with hurricane preparations but you also get a hurricane tracking map.

...

http://johnglennmbci.blogspot.com/2013/07/there-is-young-lady-carousing-in.html

CSO — Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach. It's easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve.

"Security functions are getting only 70 percent of the resources that they need to do an adequate job" of securing the business, including hardware, software, services and staff, said Michael Versace, insights director of worldwide risk at IDC. "The hard stuff is in the next 30 percent."

Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure enterprise, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.

...

http://www.cio.com/article/736050/5_Security_Bolstering_Strategies_That_Won_t_Break_the_Bank

CIO — Recently, BPR-Rico Manufacturing decided it was time for a change in its human resource systems.

The Medina, Ohio-based engineering outfit, which builds lift trucks and other material-handling equipment, had been using Sage North America's Abra HR solution. The on-premises deployment was more than a decade old and had acquired some eccentricities. The system would randomly change employee dental insurance deductions to the two-year prior rate. An employee who generally worked a 32-hour week would occasionally flex to 40 hours, but the system would still pay for only 32 hours.

As it happened, Rico Manufacturing already was replacing its paper-based time card system with cloud-based time and attendance software from Kronos. The company decided to tap Kronos to replace its human resources and payroll system as well—and move it to the cloud.

...

http://www.cio.com/article/736061/Why_SaaS_HR_Software_Is_Ready_to_Take_Off

Prolexic has shared information on a popular cyber attack technique, SYN reflection attacks, which can leverage the defense mechanisms of DDoS mitigation devices to increase the strength of the attacks.

SYN reflection attacks are one of the more sophisticated DDoS attack methods and typically require some skill to execute. However, they have recently grown in popularity as they’ve become available on a DDoS-as-a-Service basis via the criminal underground.

“SYN reflection attacks have been around for a long time, but new attack apps make them extremely easy to launch. Even a novice can do it,” said Stuart Scholly, President of Prolexic. “Malicious actors wrap web-based graphical user interfaces around sophisticated scripts and offer them as convenient DDoS-as-a-Service apps that you can launch from your phone.”

SYN reflection attacks are used against targets that support TCP – a core communication protocol that enables computers to transmit data over the Internet, such as web pages and email.

...

http://www.continuitycentral.com/news06847.html

Certifications of one sort or another have been around seemingly forever.  If you are old enough you may remember (some 30 years ago) when there were very few non-institutional IT certifications available.  The certification boom started in the mid 80’s when some of the network operating system providers were trying to establish a base of knowledge competency (or a new revenue stream – depending on your perspective).  At the time, passing some of these certification exams was a joke.  They didn’t prove the competency or skill that they were created to achieve.

Of course most of those certification programs have matured.  They’ve become more challenging – including theoretical as well as practical testing to ensure competency of the individual.  Typically, the rate of change in technology has driven the recertification processes; as new products and technological advancements are revealed, certification qualifications have changed with them.

...

http://ebrp.net/are-business-continuity-planning-certifications-moving-forward/

Monday, 08 July 2013 14:18

Always wear clean underwear

If a risk management practitioner needs a motto over his or her office door to observe on the practitioner’s way out, it should be:

Always wear clean underwear

Now at first blush you may think this scrivener has lost it. While that is generally debatable, I assure you in this instance I am fully in charge of all my facilities.

What is it we – risk management practitioners – do? Bottom line?

We anticipate and plan for the unexpected.

No, I’m not talking about swans of any hue; I don’t believe in black swans as an event that could not be predicted.

...

http://johnglennmbci.blogspot.com/2013/07/erm-bc-coop-always-wear-underwear.html

Monday, 08 July 2013 14:16

No plan for planes

Catching up on the news Sunday morning I learn that a plane crash at San Francisco’s airport (SFO) caused cancelled flights across the country.

I live close to two major airports: Hollywood/Fort Lauderdale (FLL) and Miami (MIA).

The local tv stations sent people to interview stranded travelers, asking what they were going to do until flights to SFO resumed.

Not one traveler – not one – planned to do anything other than “hunker down” either at the south Florida airport or at a nearby lodging.

If I had been booked on an SFO-bound flight I would be talking to the airline’s representatives to get a flight to LA or Seattle.

Ahh, but that’s not San Francisco.

...

http://johnglennmbci.blogspot.com/2013/07/erm-bc-coop-no-plan-for-planes.html

By Ray Abide

In the past, I have mostly referred to the activity in which participants are assembled to work through a simulated business continuity event in order to determine their familiarity with the plan, its completeness, and perform their individual roles to recover from a given scenario as a business continuity plan test. Sometimes I have interchangeably used the term ‘exercise’ or ‘simulation’ instead of ‘test’.

...

http://www.continuitycentral.com/feature1083.html

By Barry Shteiman.

Recently a very interesting article on the Armed Forces Communications and Electronics Association website caught my eye: ‘DISA Eliminating Firewalls.’

Although the title seemed provocative at first, the article itself just made me smile.

DISA gets it, it really gets it.

One of the advantages of working with the father of the modern firewall (Shlomo Kramer) is that I have an insider’s perspective on how security has evolved over the years: from the early days of Stateful Inspection firewalls, when perimeter and interdepartmental separation was the focus, to the realization that data (a company’s lifeblood) is the single most important asset to protect. Not this or that network, but the data.

In the AFCEA article, Lt. Gen. Ronnie Hawkins Jr. explains that network separation, while widely accepted, does not encourage business collaboration, such as easily accessing and sharing content.

...

http://www.continuitycentral.com/feature1084.html

Tripwire, Inc., has announced the first instalment of results from an extensive survey on the state of risk-based security management conducted by the Ponemon Institute. The survey covers risk-based security management program governance and maturity and includes 571 UK and 749 US respondents from the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

“The findings from this report strongly indicate that risk-based security management is still viewed as an IT or security task instead of a business task,” noted Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, the full value of a risk-based approach to security can only be realized when senior business leaders fully participate in the process.”

...

http://www.continuitycentral.com/news06843.html

Those of us who spend our business lives immersed in the Business Continuity industry swim through a sea of acronyms.  Meanwhile, we are constantly seeking the support and cooperation of colleagues who are often confused by those same acronyms.

We can make understanding easier simply by using real terms instead of acronyms.  But unless we can clearly define those fundamental Business Continuity terms, we still risk confusing our potential supporters and partners.

There are two common terms that are too often used (or confused) interchangeably:  Incident Management and Crisis Management.  They are not the same.  They are related – but have differences in purpose and objectives that ought to make their definitions clear:

...

http://ebrp.net/incident-management-crisis-management-very-different-often-confused/


By Georgina Peacock

When Hurricane Katrina hit, Julie thought she was ready.  She always had an emergency kit prepared because her son Zac needs medical supplies and equipment to keep him happy and healthy. Zac has spina bifida, a major birth defect of the spine; hydrocephalus, which means he has extra fluid in and around the brain; and, a number of food and drug allergies. He has sensitivities to changes in temperature and barometric pressure. Therefore, she always made sure they had a week’s worth of supplies and medicine ready when it was time to evacuate. “There is a very delicate medical balance,” she said.  “When he has an issue, the dominos tend to fall quickly.”

As communities around the Gulf braced for Katrina, Julie’s family left New Orleans for Baton Rouge with their one week reserve of Zac’s medical supplies including catheters, feeding tubes, and special medications. But like most families facing the devastation of this hurricane, they ended up being gone for much longer.  “It was a very challenging time for so many people, but especially for families of children with special health care needs, like ours,” said Julie. “Zac is a unique guy who needs a lot of support.” 

“Now, we always keep a one month supply of Zac’s supplies in our emergency kit,” she said. “It’s critical. It’s life and death for us.” Her insurance pays for this stockpile of emergency supplies. She also keeps a document of Zac’s daily needs and medical history in print and electronic format.  This vital document includes:

  • Daily plan of care
  • How to use his medical equipment
  • Recipe for formula
  • Catheterization schedule
  • Allergy information: food and medication allergies, type of reaction, and what to do if he has a reaction
  • Surgeries
  • Diagnoses by body system
  • List of his doctors with contact information
  • Equipment providers
  • Pharmacist
  • Medications and supplies including stock numbers and basic descriptions of products for comparable substitutions
  • Allergy information
  • Insurance information
  • Case manager for his Medicaid waiver
  • Since he is over 18 – legal documentation of  “continuing tutorship” which allows parents to make medical decisions for him.
  • Biographical sketch including his likes/dislikes; hobbies/interests; and triggers (things that will disturb him).

Julie urges families with children who have special needs to know what emergencies are likely in their area. For Julie’s family, they know the areas that flood and prepare for hurricanes and tornados. Also they live in an area that is home to many chemical factories and a nuclear plant, so they prepare for plant explosions, nuclear reactor accidents, and fires.  “Preparing and planning can give you peace of mind,” she said. “Get a kit. Make a plan. Be informed. It applies to everyone, especially to those of us who care for children with special needs.”

Children with Special Healthcare Needs in Emergencies

Children with special healthcare needs may be more vulnerable during an emergency.  They may have difficulty moving from one location to another, urgent or persistent medical needs, difficulty communicating or have trouble with transitioning to different situations. A disaster can present all these difficulties at once. Knowing what to do can help maintain calm in your family and keep them safe.

Please visit the following sites for more resources:


Does someone in your family have unique needs? How do you prepare? How have you addressed these needs during an emergency? Share your experiences and tips below.

Georgina Peacock, MD, MPH is a medical officer and developmental-behavioral pediatrician with the Prevention Research Branch in the Centers for Disease Control and Prevention’s National Center on Birth Defects and Developmental Disabilities.  Follow her on Twitter @DrPeacockCDC

http://blogs.cdc.gov/publichealthmatters/2013/07/emergency-preparedness-for-families-with-special-needs/

Further illustrating how important reputation can be to a business enterprise, Paula Deen’s rapidly crumbling empire took another hit this week when Ballantine Books announced that it was cancelling the publication of the celebrity chef’s latest cookbook, Paula Deen’s New Testament: 250 Favorite Recipes, All Lightened Up, which was scheduled to be released in October as the first in a five-book deal signed last year. Even more surprising was that, based on pre-orders alone, the book was already Amazon’s number-one best seller. (Interestingly enough, the book was replaced at the top spot by another Paula Deen cookbook, Paula Deen’s Southern Cooking Bible.)

The book cancellation brought the total of business deals killed by Deen’s admission that she had used racial slurs in the past to 12. According to the Consumerist, the tally includes:

...

http://www.riskmanagementmonitor.com/paula-deen-and-the-impact-of-reputation-risks

Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these common mistakes also apply to the Business Impact Analysis (BIA). The following are some common mistakes that need to be addressed to ensure that the BIA is effective:

1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.

...

http://stoneroad.wordpress.com/2013/07/01/12-tips-trips-traps-the-business-impact-analysis-bia/

CHICAGO--When Hurricane Katrina struck the states near the Gulf of Mexico in August 2005, human resources at Target Brands Inc. was right in the middle of handling the crisis for the well-known retailer.

The company managed to get the cash registers up and running in a very short time, but it was left with the question of who would run them, Terri Howard, who worked for Target then and is now senior director of FEI Behavioral Health in Milwaukee, recalled.

In a crisis, “HR's role is strategic. It is to make sure that your folks are taken care of,” Howard said June 19 at the Society for Human Resource Management's Annual Conference & Exposition.

That has numerous ramifications, she said. In the aftermath of Hurricane Katrina, banks were closed and ATMs weren't working due to power failures, so “we had to fly in cash to pay people, which had implications for compensation,” Howard said. There also were questions about employees with health insurance going to health care providers who were out of network temporarily, she said, and whether the employees would be charged copays.

...

http://www.bna.com/hr-play-strategic-n17179874840/

Tuesday, 02 July 2013 11:44

Data outside the data centre

The data centre gets the spotlight when organisations look to improve their management and storage of data, but a growing proportion of the information in the average enterprise is found at its branch offices and on end-user devices.

Security vendor Symantec, for example, estimates that around 46% of the data in most enterprises is found outside their data centres. The volume of data outside the safe perimeter of the data centre is growing at a rapid rate, thanks to the rise of mobility and cloud computing.

In addition, many companies still maintain Windows file servers and low-end storage arrays in branch offices, so users can access applications and data without having network bottlenecks slow them down. This exposes companies to both data storage risks and inefficiencies.

...

http://www.itweb.co.za/index.php?option=com_content&view=article&id=65329:Data-outside-the-data-centre&catid=69

Mobile devices such as smartphones, laptops and thumb drives are becoming increasingly vital to productivity, but your organization’s data could be at risk if one of these devices is lost or stolen. The amount of protected health information (PHI) that is transported through mobile environments is staggering and healthcare organizations have a responsibility to investigate security incidents and report PHI exposures. To protect the organization and its patients, it is crucial that IT staffs and privacy and security officers know what to do if a breach is suspected.

Having even a simple incident response plan in place that focuses on rapid identification and a coordinated response gives healthcare organizations important advantages in the fight against cyber crime. First, a plan allows IT to greatly reduce the time between the discovery of a possible exposure and the identification of any data that was compromised. Reduced response time can keep the data loss to a minimum and assists the organization in providing mandatory notification within the time frame allowed. In addition, a formal process gives IT the ability to quickly limit unauthorized access to the network and sensitive data, thus limiting the amount of information that may be exposed.

...

http://healthitsecurity.com/2013/07/01/managing-a-health-data-breach-with-a-response-plan/

Disaster can strike in an instant. Whether it is weather-related, man-made or due to some other cause, disasters often occur with little or no warning. That's why creating and implementing an emergency-preparedness plan could mean the difference between saving your business and losing it all.

At the heart of every successful plan is clear communication. Mobile devices such as smartphones and tablets can help ag retailers and their employees connect with each other and authorities, spreading critical information in a time of crisis. Helping to keep the lines of communication open are dozens of mobile apps specifically designed for emergency preparedness. I’ve researched the most commonly used ones and compiled them in this handy list (in no particular order):

...

http://www.croplife.com/article/34563/10-best-apps-for-emergency-preparedness

The year 2013 will be a turning point in how governments around the world view the threat of floods in a new age of extreme weather events.

India, Nepal, Canada and many countries in Europe have experienced huge losses over the last two months due to intense precipitation that has triggered extreme flooding affecting millions of people’s well-being and livelihoods.

The shocking loss of life in India underlines how vitally important it is that we start planning for future scenarios far removed from anything that we may have experienced in the past.

When we look at the worldwide escalation in economic losses from disasters over the last five years, it is clear that our exposure to extreme events is growing and this trend needs to be addressed through better land use and more resilient infrastructure as we seek to cope with population growth and rapid urbanisation.

...

http://www.trust.org/item/20130701083848-mav3e/

Kylie Fowler got controversial when she spoke last month to an audience of asset management and configuration management professionals at the BCS CMSG Conference in London about the five constants she always encounters in her 10-plus years of working as an IT asset management consultant.

While these constants may always hold true, her advice on how to deal with them held some surprises.

She counselled the audience always to listen to their data - “your data has a huge amount to tell you if you use it correctly,” she said.

...

http://www.theregister.co.uk/2013/07/01/it_asset_management_five_constants/

Monday, 01 July 2013 14:45

HP Secures Data Migration To The Cloud

With the explosion of data in the enterprise and the ability to use as-a-service storage models, important security-level practices are undermined and organisations lose sight of potential threats. In the absence of these standards, IT teams are struggling to identify and assess potential risks, opening their organisations to catastrophic security breaches.

The new HP Cloud Security Risk and Controls Advisory Services, part of the HP Converged Cloud Professional Services Suite, deliver choice, confidence and consistency to customers by combining expertise from across HP, supporting the management of data risk, identification of vulnerabilities and maintenance of compliance with IT governance. This provides clients with solutions that protect their information before it migrates to or from the cloud, whether it is a public cloud, private cloud or hybrid deployment. As a result, organisations can reassign IT resources from spending time on manual tasks to focusing on innovation.

...

http://biztech2.in.com/news/cloud-computing/hp-secures-data-migration-to-the-cloud/161042/0

No business today is immune from the ravages of storms and power outages – not to mention earthquakes, fires or other unforeseen disasters that can strike in a minute.

Although all companies need a disaster recovery plan, insurance agents have an even greater obligation to put one in place to enable them to operate after a catastrophe to handle the claims of hard-hit clients.

Here are five tips to keep in mind when developing a plan for confronting disaster and for keeping your agency operating through tough times.

...

http://www.insurancejournal.com/magazines/features/2013/07/01/296795.htm

Disaster Recovery as a Service (DRaaS) backs up the whole environment, not just the data.

"Most of the providers I spoke with also offer a cloud-based environment to spin up the applications and data to when you declare a disaster," says Karyn Price, Industry Analyst, Cloud Computing Services, Frost & Sullivan. This enables enterprises to keep applications available.

Vendors offer DRaaS to increase their market share and revenues. Enterprises, especially small businesses, are interested in the inexpensive yet comprehensive DR solution DRaaS offers. There are cautionary notes and considerations too that demand the smart business's attention before and after buying into DRaaS.

...

http://www.csoonline.com/article/735737/3-things-to-consider-before-buying-into-disaster-recovery-as-a-service

Yesterday I was interviewed by NPR for a program airing this weekend about PR and reputation problems caused by racism. It’s always good for someone who helps others prepare for media interviews to do a real one themselves to bring some lessons home. I wasn’t too happy with the interview despite having prepared by thinking through key messages.

In case you catch the story, and some of what I said is included, here is how I intended to answer the question.

1. It’s always about credibility.

While there isn’t a denial, or he said/she said in this case, people are still looking at Paula closely to see if she is to be believed. No doubt trust and respect for at least some has been shaken by revelation of her past attitudes and behavior. Now they are looking to see if she is telling the truth and can rebuild trust. Sincerity is everything. Sadly, I think Paula is very much lacking in this right now with bungled apology, standing up the Today Show, a rocky performance there, and as far as I know, no real action taken–just words. Sincerity and credibility, like all things trust related, are judged more by actions than words.

...

http://ww2.crisisblogger.com/2013/06/what-advice-to-give-those-involved-in-reputation-wrecks/

Federal chief information security officers (CISOs) know that it isn’t a matter of whether their agency will be subject to a cyber-attack; it is a question of how frequently the attacks will occur. 

But, the real concern that keeps CISOs awake at night is wondering when one of the attacks succeeds -- and they know one eventually will -- whether it will successfully compromise the network and disrupt operations, or even worse, result in stolen sensitive, classified or personally identifiable information (PII). 

The traditional approach to addressing common system and network vulnerabilities, which includes placing the problem in silos based on the particular type of attack or its target, is no longer enough to meet the challenges posed by today’s hackers and cyber criminals. Instead, the federal cyber-security landscape requires that agencies take an enterprise approach to cyber risk management, and to do so, CISOs must be able to understand and visualize the human and technology interactions that impact the agency in cyberspace. That’s where analytics can help.

...

http://www.gsnmagazine.com/node/30287?c=cyber_security

With the operational complexities and regulations businesses face today, basic computer services and support may not be enough to allow them to keep pace with their competition. Myriad regulations and a multitude of other activities make it difficult for any contemporary organization to survive (let alone thrive) without people who can design and implement increasingly specialized systems…and keep them up and running. Of course, before the first piece of that IT infrastructure has even been identified, someone has to determine the company’s goals and build the guidelines that will help achieve those objectives.

Those are several of the roles solution providers should be involved in. Businesses need someone to be their architect; not just for system design but also to develop the policies and programs that must be in place to automate their processes. For example, before customer-related information and business-critical data can be safely and securely stored using a cloud backup solution, someone has to determine which files, records and other details need to be saved.

...

http://thevarguy.com/blog/be-information-security-specialist-your-customers-need

Any cyber attack can bring unprecedented damage to a company, but can these damages be quantified in financial terms? This year, experts at B2B International calculated the damages stemming from cyber-attacks based on the results of a survey of companies around the world.

The survey, titled 2013 Global Corporate IT Security Risks survey, found that the average cost incurred by large companies in the wake of a cyber attack is a whopping $649,000. To arrive at the most accurate picture of costs, B2B included only incidents that had occurred in the previous 12 months. Additionally, the assessment was based on information about losses sustained as a direct result of security incidents.

...

http://www.cxotoday.com/story/649000-the-cost-of-a-cyber-attack-on-business/

From the smallest business decisions to the largest ones, risk influences all that we do. But taking a risk is not exactly like spinning a roulette wheel, where luck is the primary ingredient for success. With use of the right tools, risks can carefully be calculated, controlled and managed, greatly reducing the variable of bad luck.

Many successful CFOs today are accounting for the impact of outside forces – from regulatory changes, interest rates, supply chain and other operational events to natural disasters and even consumer sentiment – to inform, shape and govern their corporate strategies.

While the nature of the finance function has historically been to analyze past performance, risk is inherently forward-looking. CFOs must move beyond their traditional domain and use performance indicators and risk to predict the future. By discovering hidden patterns of risk rooted within their ledgers and spreadsheets – and integrating risk with financial management – CFOs can provide critical linkages between strategy and execution and stay ahead of the curve.

...

http://www3.cfo.com/article/2013/6/risk-management_fuessler-big-data-ibm-predictive-analytics-dmv

A quarter of European insurers say it’s hard to find knowledgeable, qualified risk management staff, compared to 16% of their US counterparts.


European insurers are becoming increasingly troubled by the lack of knowledgeable, qualified risk managers in the talent pool, according to research from State Street.

According to its survey, carried out by the Economist Intelligence Unit in April, 25% of European insurers said they found it difficult to find the right sort of risk manager, compared to 16% of US insurers.

The dearth of suitable talent is concerning, given 89% of insurance executives said improving the assessment and pricing of risk was a challenge.

In addition, 80% of respondents globally viewed balancing liquidity and reserve adequacy as a challenge, and almost a third (29%) said their companies have divested lines of business since the start of the financial crisis due to new capital requirements or risk management considerations.

...

http://www.ai-cio.com/channel/RISK_MANAGEMENT/Is_There_a_Risk_Management_Talent_Drought_in_Europe_.html

CSO — Securing important corporate or personal information has never been more challenging. Every day, new vulnerabilities are discovered, more breaches are reported and we all become less secure. Just look at the headlines: whether it is Anonymous' latest attack, state-sponsored cyber espionage or warfare, criminal activity or just someone being exploited by five-year-old malicious code that still finds victims, the picture metaphor is of a snowball rolling downhill and getting bigger and bigger as it rolls.

Currently, we have a broken model and the state of security continues to spiral downwards. The main root of the issue is that the economics aren't aligned correctly to ensure accountability and responsibility. As a result, we have less security, higher costs, and greater pressure to opt for convenience over security and a fundamental failure to provide proper alignment and transparency to either company or government information security. Without making fundamental changes we are destined to have an ongoing erosion of our security which also translates into an erosion of our privacy and national security.

...

http://www.csoonline.com/article/735575/3-reasons-why-america-s-security-model-is-broken

CALGARY — The flood crisis is a wake-up call for Calgary companies to adopt flexible work arrangements.

With the city in disarray this past week and the downtown closed for business, many companies may find this a spark to put in place telework programs that can prove invaluable not only during crises, but on a more regular basis, said Dr. Laura Hambley, Calgary-based industrial/organizational psychologist with The Leadership Store.

“Having employees well practiced and equipped to work from home, or telework, is an excellent business continuity strategy. In fact, it should be a key component of such plans whenever possible,” she said.

Companies that already have a flexible work policy in place seamlessly work through natural disasters without losing productivity while keeping safe in their homes, she said.

...

A series of violent storms put Aaron Titus, disaster coordinator for the New Jersey branch of Mormon Helping Hands, through his paces last summer. He coordinated the dispatching of several hundred volunteers to about 300 locations to help remove damaged trees. The effort was so taxing that he doubted one person would be able to successfully coordinate large-scale disaster mitigation smoothly in all cases.

“I realized, if you try to do it as a single individual, you’re never going to be able to,” Titus said.

In response, he developed an early version of Crisis Cleanup, a free open source mapping tool that allows disaster relief organizations to coordinate cleanup and rebuilding efforts after catastrophes. The system has undergone successive modifications since, and today members of volunteer disaster relief organizations log on to the tool and input data into an assessment form about a resident who needs help. This data includes the resident’s address and the type of incident, like flooding, tree removal or food delivery. That information then generates icons on a dynamic map alongside the assessment form.

...

http://www.emergencymgmt.com/disaster/Crisis-Cleanup-Mapping-Tool.html

In the May issue of Risk Management, Emily Holbrook reported on the prevalence of food fraud in restaurants and supermarkets around the world. Characterized by counterfeit or purposely mislabeled foods used by unscrupulous producers looking to make a quick buck, food fraud manifests itself in many ways. Sometimes it’s as unsettling as pig rectum in place of calamari or horse meat for hamburger, while other times it’s farm-raised fish sold as “fresh-caught.” Regardless of the nature of the deception, customers are put at risk. Not only are they conned into buying more expensive items, but they can also be exposed to pathogens or toxins that they would have no reason to expect in their food.

The New York Times recently reported about instances of fake vodka laced with bleach to lighten its color or olive oil contaminated with engine oil to extend the supply and increase profits. It turns out that food fraud is more widespread than most people realize.

...

http://www.riskmanagementmonitor.com/the-cost-of-food-fraud-or-does-this-vodka-taste-like-bleach

Granted, the drop hed is bad grammar, but it works for the military and it could – most likely would – work for any organization.

The military is very big on roll calls and knowing who is present and who is absent – in the latter case, also why the person is absent.

The military roll call is done in reverse pyramid fashion.

On the bottom is the squad. This can be maybe 4 to 10 people.

Next is the platoon. A platoon is composed of several squads.

Moving on up there are companies, each having several platoons; then – well, the graphic shows it all.

...

http://johnglennmbci.blogspot.com/2013/06/erm-bc-c00p-sound-off.html

Friday, 28 June 2013 16:41

Tips For Surviving A Mega-Disaster

The U.S. is ready for tornadoes, but not tsunamis.

That's the conclusion of a panel of scientists who spoke this week on "mega-disasters" at the American Geophysical Union's science policy meeting in Washington, D.C.

The nation has done a good job preparing for natural disasters like hurricanes and tornadoes, which occur frequently but usually produce limited damage and relatively few casualties, the panelists said. But government officials are just beginning to develop plans for events like a major tsunami or a large asteroid hurtling toward a populated area.

The difference between a disaster and a mega-disaster is scope, the scientists say. For example, Hurricane Sandy was defined as a disaster because it caused significant flooding in New York and New Jersey last year, says Jones of the U.S. Geological Survey. But the flooding was nothing like what happened to California in the winter of 1861 and 1862, she says.

"It rained for 45 days straight," Jones says, creating a lake in the state's central valleys that stretched for 300 miles. The flooding "bankrupted the state, destroyed the ranching industry, drowned 200,000 head of cattle [and] changed California from a ranching economy to a farming economy," she says.

...

http://www.npr.org/2013/06/28/195630480/tips-for-surviving-a-mega-disaster

Enterprises need to assess the risks of cloud computing and have clarity on data protection and security responsibilities when contracting cloud services to avoid another “2e2 disaster”, a cloud lawyer has said.

Cloud is not a magical solution that will fix all of IT’s problems, and customers must understand that the service they get depends on what they pay for, Frank Jennings, cloud lawyer at DMH Stallard, told Computer Weekly at the annual Cloud World Forum 2013 event.

“If you are a big blue chip company paying more for the cloud service, you may get a higher level of protection, but if you are a small enterprise, your contract doesn’t provide enough value to the cloud service provider,” Jennings said.

...

http://www.computerweekly.com/news/2240186940/Follow-best-practices-while-contracting-cloud-services-warns-lawyer

Thursday, 27 June 2013 15:07

The three key stages to managing risk

Risk arises because of uncertainty about the future. It could involve the possibility of economic or social loss, or incur damage or delay. Risk management provides a structured way of assessing and dealing with future uncertainty. This leads to more efficient and effective decisions, greater certainty about the future and reduced risk exposure.

In every procurement transaction a degree of risk is involved, although most of the time it is not recognised and expressed as such. This is true for simple purchases, for example, ordering a meal or a bottle of wine in a restaurant. It is especially true when ordering complex goods or services, where the specification is not pre-determined, the outcomes are unsure, and the provider unknown.

...

http://blog.supplymanagement.com/2013/06/the-three-key-stages-to-managing-risk/

Thursday, 27 June 2013 15:06

Hurricane watch? There's an app for that

Emergency preparedness applications are a growing trend in smart phone technology.

It’s hurricane season in Louisiana, and that means people will keep a watchful eye on the Gulf of Mexico. Preparing should go farther than that, however. Local, state and national disaster relief organizations flood their websites with emergency information. Smart phones allow the information to be more accessible with the development of emergency-related mobile apps.

The American Red Cross last year launched six mobile apps — Tornado, Hurricane, Shelter Finder, First Aid, Earthquake and Wildfire.

The Red Cross of Central Louisiana used the hurricane app for the first time when Hurricane Isaac threatened Central Louisiana. The app monitors local conditions, and aids in storm preparations. One feature allows users to find help or let others know they are safe.

...

http://www.thetowntalk.com/article/20130627/NEWS01/306270022/Hurricane-watch-There-s-an-app-that

Thursday, 27 June 2013 15:04

Eight Tips for Implementing a DR Program

Unlike Dorothy in The Wizard of Oz, IT doesn’t have to worry about “lions and tigers and bears, oh my!” Tornados, however, are a shared problem, not to mention hurricanes, earthquakes, blackouts and blizzards. When disaster strikes, it may be tempting to close your eyes and repeat “there’s no place like home,” but unless you have a pair of ruby slippers, the following are better tips to get you safely back to Kansas.

#1 – Distance Matters

Select a disaster recovery location that is far enough away that it won’t be affected by whatever brings your own systems offline.

Florida Hospital, a member of the Adventist Health System, is the nation’s largest privately-owned hospital with 17,600 employees and 2,230 physicians working at 22 campuses. The hospital has its own disaster recovery (DR) site just a few miles from its primary data center in Orlando, but since its primary concern is hurricanes, it also selected a managed SunGard DR site that is 1000 miles up the coast in a location that won’t likely be hit by the same storms.

...

http://www.enterprisestorageforum.com/backup-recovery/eight-tips-for-implementing-a-dr-program.html

A seemingly innocuous phrase that sounds as if it could be the name given to a downtown district of a sprawling metropolis or a local sports team, “Five Nines” actually refers to a desired level of system availability.

Ever since man began to create and use more complex machines and tools he has been locked in an eternal battle to keep them working and to improve their performance. But the emergence of cloud computing has freed many companies from the daily tussle between hardware, software, random events and erratic connectivity.

The idea of Five Nines is a classic case of an essentially contested concept, and the debates that whirl across the internet over its validity as a concern of modern businesses demonstrate that it cuts to the very heart of the direction that cloud services are heading in.

But can such a contentious subject be of any use to you and your business?

...

http://www.business2community.com/tech-gadgets/how-important-is-the-concept-of-five-nines-to-your-business-0535399

Thursday, 27 June 2013 15:01

Benefits of cloud-based disaster recovery

An effective business disaster recovery plan is like building or travel insurance - you don't realise how important it is until adversity strikes.

Unexpected events that disrupt normal business activity can have a major impact on operations, staff and customers. Having in place a comprehensive plan to deal with such events is a vital part of effective management.

When it comes to their IT systems, many large companies tackle disaster recovery (DR) by establishing an offsite facility that can support business systems should a catastrophe strike. Critical applications and data are replicated in this facility and kept in a state of readiness at all times.

Smaller companies, however, often find they cannot readily afford such an approach. The overheads associated with purchasing and maintaining duplicate hardware and applications that may never be used make it a very expensive option. Add the extra IT management requirements and this approach to DR moves even further out of reach.

...

Often the employees at a small to mid-size business feel they already have their hands full just running day to day operations. But what if a worst case scenario were to strike?

It’s not pleasant to think about, but necessary to do so. Consider the small businesses that have seen their offices washed away in the recent Alberta floods, or seen their employees stranded and displaced – or worse. How will the business pull together and survive the disaster, while communicating a plan of action to its employees?

When it comes to disaster planning there are few organizations in the world that have as much experience as the U.S. Federal Emergency Management Association (FEMA), an agency under the Department of Homeland Security. So we’re looking to Robert Jensen, the principal deputy assistant secretary for public affairs at Homeland Security, for some strategies for disaster recovery communications planning.

...

http://www.itbusiness.ca/news/3-secrets-of-disaster-response-learned-from-hurricane-sandy/37084

I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for the CSO in companies today. Mr. Plant in his blog writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]

...

http://blogs.forrester.com/edward_ferrara/13-06-26-small_and_mid_size_business_have_security_issues_too

Business leaders and IT professionals don't often like to think about contingency plans. It seems like the more a company plans for a disaster, the more it expects one to occur. This attitude doesn't necessarily cause arrogance or ignorance, but what it can result in is too little attention paid to business continuity plans, of which disaster recovery is a significant component. Denying the problem doesn't make it any less likely to occur, but it can mean taking a harder hit to business-critical functionality if it does. These businesses, in addition to those that do seek out extensive disaster recovery plans, should be aware of the strengths of enterprise cloud computing.

Part of what will drive security and business continuity improvement in enterprise clouds is the oversight inherent in the cloud computing model, according to the Jacksonville Business Journal. Cloud service providers and adopters enter into agreements in which CSPs are responsible for protecting another business' resources, be it data, infrastructure or IT. Further developments in cloud partner programs will only increase the number of businesses that are directly responsible for upholding the integrity of another's networked resources.

...

http://www.peakcolo.com/news/enterprise-clouds-expand-disaster-recovery-possibilities

Techworld — Dutch water experts have teamed up with IBM to launch a new initiative called Digital Delta, which will investigate how to use Big Data to prevent flooding.

The Netherlands is a very flat country with almost a quarter of its land at or below sea level, and 55 percent of the Dutch population is located in areas prone to flooding. The government already spends over 7 billion in water management every year, and this is expected to increase 1-2 billion by 2020 unless urgent action is taken.

While large amounts of data are already collected, relevant data can be difficult to find, data quality can be uncertain and with data in many different formats, this creates costly integration issues for water managing authorities, according to IBM.

...

http://www.cio.com/article/735496/IBM_Uses_Big_Data_to_Improve_Dutch_Flood_Control

Wednesday, 26 June 2013 18:03

DDoS: A 'Perfect Weapon' for Attackers

Distributed-denial-of-service attacks are the perfect weapons for cybercriminals and political adversaries. And Prolexic CEO Scott Hammack says any organization with an online presence should brace itself for attacks.

"As the world becomes more chaotic - which I do believe it will be - there will be more and more disenfranchised countries or people," Hammack says during an interview with Information Security Media Group [transcript below]. "This is a perfect weapon," he says.

And as the attacks get more sophisticated, defending against them gets more challenging, Hammack says. Today's attacks are increasingly using standard Internet security mechanisms, such as secure sockets layer protocol, to defeat online-outage defenses, he says.

...

http://www.govinfosecurity.com/ddos-perfect-weapon-for-attackers-a-5859

Wednesday, 26 June 2013 18:02

An Executive's Guide To Security Risks

The following guest post is by Dwayne Melancon, CISA, chief technology officer, Tripwire, an IT security software company.

The SEC is getting pretty explicit about information security risk. You have to identify it, you have to declare it, and you have to manage it.  The problem is, a lot of the CEOs I talk with have no clue what they are accepting when they sign off on information security risk.

Sometimes, they blindly accept the cryptic recommendations from their chief information security officers (a.k.a., CISO).  Sometimes, their guts tell them there may be a problem, but they don’t know which questions to ask to figure out what’s really going on.  In both cases, I think it’s a problem that senior business managers are accepting risks they don’t fully understand.  How can this represent the best interests of your stakeholders?

...

http://www.forbes.com/sites/groupthink/2013/06/26/an-executives-guide-to-security-risks/

Wednesday, 26 June 2013 17:58

Resilience Lessons from Hurricane Sandy

Yesterday I spent the day with a number of people from across the nation looking at what lessons can be learned from the Hurricane Sandy Experience.  The key person putting this event together was Steven Flynn.  Because he was able to get grant funding to support the work he could sponsor the travel for a variety of people to attend.  Generally he drew on people from other major metropolitan areas that have been doing catastrophic planning and also have significant risks.  I liked the mix of attendees.  Due to the significant business interruptions to the NY/NJ ports there was a number of other port authority representatives in attendance.  

The first panel of the day was a federal one that spoke to what they learned from the Hurricane Sandy Experience.  See my notes below.  Please note that this is what I could capture, certainly not a verbatim record for what was said.

...

http://www.emergencymgmt.com/emergency-blogs/disaster-zone/Resilience-lessons-from-hurricane-sandy-062613.html

When it comes to compliance risk, board members know the drill all too well. Every six months or so, they receive a new report indicating that everything is mostly under control.  So it’s no wonder they’re surprised when a compliance issue blows up – and it’s no wonder they’re asking tougher questions of compliance executives with every passing quarter.

As regulatory oversight continues to grow, the challenge of dealing with compliance risk will only become more pressing.  It’s not just an item on the agenda – compliance is its own agenda these days.  Given the pace and scale of change, both compliance executives and boards are increasingly concerned that old, reactive ways of managing compliance may cause them to fall behind the competition — or leave them exposed to new regulatory and reputational risks.

If your organization is looking to increase its Risk Intelligence quotient through full-spectrum compliance, three broad areas will command your attention:  Environment, execution, and evaluation.

...

http://www.corporatecomplianceinsights.com/when-the-board-comes-calling-about-compliance-a-risk-intelligent-approach

Wednesday, 26 June 2013 16:50

Wading through a PR crisis

So, what do you do when the sky caves in, as it has in the last week for Savannah culinary personality Paula Deen? What do you do when the past comes knocking in a most unfavorable way? What are the steps for digging out from under a public relations disaster?

Without speaking directly to the still-unfolding Deen contretemps, Jennifer Abshire, of the Savannah public relations firm that bears her name, said there are three basic rules for dealing your way out of any PR crisis.

“If you’re looking at a crisis, I think dealing with it directly is extremely important,” Abshire said Monday. “I do, however, believe that a simple statement is sufficient. And I think the most important thing for anyone who has dealt in crisis PR is to immediately get as much good news out as possible of the wonderful things the client or person has done to help the community.”

...

http://savannahnow.com/sean-horgan-and-mary-carr-mayle/2013-06-25/wading-through-pr-crisis#.Ucsb39iDmJQ

This was only an exercise.

Police, firefighters and medical technicians swarmed onto the grounds of Canopy Oaks Elementary on a cloudy Friday morning.

They lined up stretchers and plastic kiddie pools in the parking lot behind the school. They set up washing stations to rinse hazardous chemicals off the 15 high school students who spilled into the breezeway in the middle of the school grounds, and doused the students with fire hoses.

Sheriff's deputies interviewed the students one at a time, and one of them admitted there was a bomb in a car parked out front.

The Big Bend Regional Bomb Squad arrived and deployed remote-control robots with mechanical arms that shattered windows and ripped doors off a beat-up Dodge Stratus parked out front.

Friday’s “chemical chaos” drill involved 10 agencies — from Leon County Schools to the Florida Department of Law Enforcement and the hazardous materials unit of the Tallahassee Fire Department. Evaluators followed them every step of the way, taking notes and film that will help them analyze their performance and look for ways they could respond better in the event of a real disaster.

...

http://www.tallahassee.com/article/20130625/NEWS01/306250011/-Chemical-chaos-drill-chance-practice-response-disaster

LAFAYETTE — Sussex County amateur radio operators recently concluded a 24-hour emergency preparedness drill that saw them contact more than 2,600 other operators throughout North America and overseas.

The annual exercise, conducted this past weekend in Lafayette, afforded members of the Sussex County Amateur Radio Club an opportunity to showcase their craft to the public and, just as importantly, contributed to the group's ongoing partnership with the Sussex County Office of Emergency Management.

"We want the community to know that in the event of an emergency, we will be ready to assist in any way we can," said John Santillo, the group's president. "While people often think that cell phones or other communications technologies have replaced ham radio, we can provide vital communications in an emergency that others can't."

...

http://www.njherald.com/story/22687960/2013/06/26/ham-radio-operators-test-emergency-preparedness

The day you need business continuity planning isn’t the day to start thinking about implementing a program.

In the wake of devastating flood waters that hit Calgary and parts of southern Alberta, many organizations in Wild Rose Country have had to flip the switch on their continuity plans to ensure operations continue on as close to normal as possible.

That’s not easy, given the scope of the damage. How bad is the flooding? One need look no further than the city’s iconic Saddledome, home of the Calgary Flames, which filled with water like a giant bathtub up to row 10.

According to estimates from the Calgary Chamber of Commerce, somewhere between 150,000 and 180,000 people work in the city’s downtown core, and the city has a $120-million a day economy. That’s a huge number of displaced employees with a giant price tag, and Calgary Mayor Naheed Nenshi says it will likely be mid-week before most employees can return downtown. It’s hard to imagine the city returning to business as usual this week at all.

http://www.hrreporter.com/blog/Editor/archive/2013/06/25/dont-have-a-business-continuity-plan-start-working-on-it-today


In my career as an asset manager, and as a manager of financial risk, I have learned that all good risk management is done upfront, before the first purchase is made or product is sold. Secondarily, good risk management relies on the concept of feedback, i.e., are the results expected at inception happening? If not, are they happening in a way that makes us doubt the margin of safety that we thought we had?

...

http://www.valuewalk.com/2013/06/risk-management-lessons-from-the-insurance-industry/

Technology problems at the state level last Thursday prevented effective town participation in the 2013 Statewide Severe Weather Exercise, which was executed over two days last week.

The Department of Emergency Services & Public Protection (DESPP) simulated a severe ice storm affecting the west and northwest portion of the state, Region 5 of the Division of Emergency Management and Homeland Security (DEMHS). This was the second year for the drill, which was enacted as part of Governor Dannel P. Malloy’s emergency preparedness and planning initiatives after the severe storms that impacted the region during the previous year.

Towns could elect to participate either Thursday, June 20 or Saturday, June 22.

According to a notice provided to the towns by DESPP, the simulation was supposed to give the region, “an opportunity to exercise DEMHS Region 5’s Regional Emergency Support Plan with the other 4 DEMHS Regions participating in support roles.”

...

http://www.registercitizen.com/articles/2013/06/25/news/doc51c9b5c239342226337290.txt

To control costs and optimize insurance availability an overwhelming number of risk managers feel their organization must conduct deeper research into their risk to reap the full benefits of analytics, according to an online survey taken by insurance broker Marsh.

Nearly 80 percent of risk managers attending a Marsh webinar, "Using Data and Analytics for Optimal Risk Management," say their companies need to take a closer examination of risk-related data.

Of companies employing a risk manager, close to 44 percent say they do not have a set dollar-amount threshold for unexpected losses and 29 percent do not know if their company is aware of how much risk they can take on—about the same number that do quantify and share risk information with their insurance managers.

...

http://www.propertycasualty360.com/2013/06/25/marsh-survey-80-of-risk-managers-say-deeper-risk-r

When I left off last time, I mentioned that the 60/40 principle is an effective one for business continuity and disaster recovery planning. First, I set out an ambitious goal of a comprehensive, organization-wide program built around industry standards and best practices, leveraging the right automation tools and the right vendors and suppliers…and that would also be able to kill any audit. And then I took 40% off the top and made that our end-goal. Then, a funny thing happened…

...

http://blog.sungardas.com/2013/06/business-continuity-and-disaster-recovery-planning-how-to-get-your-organization-moving-in-the-right-direction-part-2/

Aligning to strategic objectives and assessment of BCMS performance

London - June 19, 2013 - Attenda Limited, the Business Critical IT company, today announced that it has been accredited with the new ISO 22301 International Standard for Business Continuity Management.

Published in 2012, the new ISO 22301 standard replaces the equivalent British Standard, BS 25999, introducing important changes including the role of top management in Business Continuity, the alignment to the strategic objectives of the organisation and the assessment of performance of the Business Continuity Management System (BCMS).

Attenda has been working for the past twelve months to align its business to the ISO 22301 standard, carrying out detailed assessments of the organisation and technology elements and processes, including a number of scenario based exercises with the Crisis Management Team.

As Matt Gordon-Smith, Director of Security, Attenda says, "We have a well-developed and mature approach to crisis management; the intention being to reduce the risk of an incident affecting our ability to do business and to allow faster recovery in the event that something does happen."

The ISO 22301 accreditation is an important component in Attenda's managed services and cloud delivery, further endorsing its business critical IT capability. All Attenda Clients will benefit from the assurance provided by this certification; and additionally, they will be able to access a range of Business Continuity and Disaster Recovery Consulting Services from Attenda, based upon this standard.

Dave Austin, Director, Operational Resilience (Oprel), who has led the international team developing the new standard and has acted as an advisor to Attenda, comments "Attenda has not only ensured that it has stringent measures in place for disaster recovery, but it has also given detailed consideration to the key information that could prevent access to the primary information sources during and after a crisis, to ensure that it can recover faster and more effectively."

In addition to ISO 22301, Attenda has been working closely with BSI on an on-going basis, to attain re-accreditation of all of its other ISO certifications including ISO 9001, ISO 27001 and ISO 20000.

Matt Gordon-Smith adds, "As an integral part of our Business Critical IT approach, we understand that Business Continuity reaches into all parts of the organisation, and must be embedded into our culture. The addition of this new ISO standard to our portfolio of accreditations reinforces our commitment to delivering Peace of Mind for our clients."

 
http://www.attenda.net/news/prdetails.aspx?prid=128

Sgt. Jesus M. Villahermosa Jr. has been a deputy sheriff with the Pierce County, Wash., Sheriff’s Department since 1981. Villahermosa served 15 months as the director of campus safety at Pacific Lutheran University in a contract partnership where he worked on all security aspects related to staff and student safety. He has been on the Pierce County Sheriff’s SWAT Team since 1983, and he currently serves as the point man on the entry team.

In 1986, Villahermosa began his own consulting business, Crisis Reality Training. He has primarily focused on the issues of school and workplace violence.

In this Q&A, Villahermosa addresses how schools can be better prepared and secure for an active shooter emergency.

...

http://www.emergencymgmt.com/safety/School-Security-Planning-and-Response-Active-Shooter.html

IDG News Service - The French government's accounts payable system, Chorus, is back online after a four-day outage, the French State Financial Computing Agency (AIFE) said Monday.

An accident at a data center operated by French servers and services company Bull on Wednesday affected Chorus's storage systems hosted there. That incident took the core of Chorus, an SAP system with 25,000 users, offline, although another application, Chorus forms, continued to serve its 30,000 users.

The server room's fire extinguishing system was accidentally triggered following an error by one of Bull's subcontractors, resulting in simultaneous damage to several major components of a storage bay holding Chorus data, the agency said.

Bull had little to say about the accident.

...

http://www.computerworld.com/s/article/9240300/Data_center_outage_takes_French_state_financial_system_offline_for_four_days

The Editor interviews Troy Dahlberg, Douglas Farrow and Ginger Menown, Advisory Services Forensic Partners with KPMG LLP.

Mr. Dahlberg is a Partner in New York with the firm’s Forensic Practice. Troy has more than 30 years of experience providing accounting, auditing and consulting services to companies in many industries. 

Mr. Farrow is a Partner in the firm’s Forensic Practice and has over 25 years of experience assisting corporations, attorneys and their clients with a wide spectrum of financial, economic and accounting matters.

Ms. Menown is a Partner in Houston with the firm’s Forensic Practice. She has over 20 years of experience providing services in dispute resolution, investigations, mergers and acquisitions, valuation, financial advisory and auditing.

Editor: Please give us an overview of disaster situations that you have helped clients manage.

Dahlberg: We have assisted clients affected by the 9/11 terrorist attack, Oklahoma bombing, Japanese earthquake, Hurricane Irene and more recently Superstorm Sandy. Our work primarily involves economic accounting or other financial assistance to the companies that have been impacted by the disaster.

Farrow: For instance, we are currently assisting organizations of a wide range of sizes and industries that have suffered losses and/or incurred extra costs as a result of Superstorm Sandy. We are coordinating claim programs with management’s recovery plan, compiling cost data and assisting with quantifying economic and financial losses that companies have sustained as a result of the storm. In the past, we have worked on insurance claims in the tens and hundreds of millions of dollars for companies in diversified industries as a result of natural disasters such as earthquakes, floods and hurricanes.

...

http://www.metrocorpcounsel.com/articles/24446/crisis-management-and-disaster-recovery-matter-experienced-forensic-advisors

The European Commission is seeking leading lights in the arena of cloud services to help sketch out a contract framework so that customers don't get tied into murky deals.

At least, this is the principle that Steelie Neelie Kroes, vice president of the EC outlined in a blog today, ahead of the European Cloud Partnership Steering board in Estonia next month.

"One of the big barriers to using cloud computing is a lack of trust," she said. "People don't always understand what they're paying for, and what they can expect."

"I think you should be able to know what you're getting and what it means - and it should be easy to ensure that the terms in your contract are reasonable: open, transparent, safe and fair."

...

http://www.theregister.co.uk/2013/06/24/ec_cloud_panel/

Here we discuss business interruption insurance and why every business should be prepared for the unexpected.

Business interruption insurance should be a key part of any business owner's strategy. It acts as a safety net for your organization when it is shut down by unforeseen events such as property damage, accidents or other unexpected setbacks.

Business interruption insurance provides adequate cover while your business is not operating and helps you meet ongoing costs. This buys you time to get the business back on its feet. Smaller businesses that do not carry this insurance may face closure, because the cost of recovering is beyond their financial capacity.

...

http://lamulana.com/?p=88

Monday, 24 June 2013 16:05

The Supply Chain After the Disaster

When disaster planning for the supply chain, people rarely talk about what happens when parts and devices are damaged but not ruined. However, in the aftermath of the Japanese earthquake and tsunami, the Thailand floods, and the hurricanes and tornadoes in the US, it's high time for this conversation to start happening in a big way.

Reverse logistics and repair are crucial parts of disaster recovery efforts. Fortune 500 electronics manufacturers will have to rebuild production equipment. Individual consumers will want their under-warranty cars, laptops, and phones replaced. Third-party vendors will be salvaging and reselling scrapped parts.

Let's take Hurricane Sandy, just because it's still fresh in many people's minds. In February, the National Insurance Crime Bureau raised its estimate for the number of vehicles damaged by the storm to 250,500. That number is still based on preliminary figures and could change as more insurance claims are processed. Many of those cars have been cleaned up and may be back on the market under the "good but previously damaged" label. Many others have turned up without such a label.

...

http://www.ebnonline.com/author.asp?section_id=1061&doc_id=264827&itc=velocity_ticker

The result is included in a recent survey of more than 3,000 employers by Zywave, a provider of software as a service technology solutions for the insurance and financial services industry. It was conducted during the first quarter of 2013.

The survey showed 53 percent of employers are very or somewhat concerned about post-accident cost control while 50 percent are concerned about risk control in the form of accident prevention. However, when asked for the most effective measure they take to control workers' comp costs, having a safety-minded culture was mentioned by 69 percent of respondents, although only 26 percent rank safety incentives as effective or highly effective. Also, 34 percent say they do not have a written safety manual.

...

http://www.riskandinsurance.com/story.jsp?storyId=533354392&topic=Main

Monday, 24 June 2013 16:00

Keeping in step with regulation

The arrival of outcomes-focused regulation in October 2011 was greeted with howls of concern by the solicitors’ profession as a whole. A new and uncertain regulatory landscape lay ahead of a profession that has a strong desire for certainty and clarity at the very heart of its culture, training and service offerings. Commentators at the time noted that the new regime offered plenty of negatives and few positives. Eighteen months on, though, the landscape feels very different. Those that have embraced the changes can feel empowered by them and are able to drive risk management into their business as a key part of the business process, rather than simply a compliance burden.

There are things that firms need to be aware of, principally that the change in regulatory structure has moved responsibility away from the regulator to the regulated, with a consequent need to apply sufficient resource to risk-management activities. But there are also opportunities to be exploited. Not opportunities to play fast and loose in the face of broader, less prescriptive, regulatory rules, but instead opportunities to focus on making regulatory, compliance and risk management a more central part of any business and to construct it in a way that fits with your business needs rather than regulatory strictures.

...

http://www.thelawyer.com/news-and-analysis/the-lawyer-management/keeping-in-step-with-regulation/3006276.article

So you need to do some Business Continuity/Disaster Recovery (BC/DR) Planning, but aren’t sure how to start? Depending on the size of the task and the level of prior focus on BC/DR planning within your organization, this could involve anything from simply sprucing up your existing BC/DR plans to the overwhelming feat of creating new plan designs and implementations. If the latter is your situation, don’t feel alone. There are many data center managers, IT executives, and application owners that feel like they’re behind the 8-ball on their business continuity and disaster planning efforts. Rest easy and know that with the right steps, you can get things moving forward in the right direction.

Business Continuity and Disaster Recovery Planning: The 60/40 Rule

One of my best mentors was an extremely successful leader in risk and resilience programming in both the federal government and commercial industry sector. He taught me early on (much to my initial chagrin) that the best programs start out with the 60/40 rule, meaning that you should start out and “sell” goals and objectives that are only 60% of where you would ideally wish to see the end-state. The “60/40 rule”??? As a devoted and overly ambitious “Business Continuity Professional,” I could conceivably accept the classic 80/20 Pareto Principle, but 60/40 was difficult to swallow. But he was “the Boss,” so I figured I might as well go with the flow, accept his guidance, and ensure that all my programs targeted getting “60% there.” So how would this work?

...

http://blog.sungardas.com/2013/06/business-continuity-and-disaster-recovery-planning-how-to-get-your-organization-moving-in-the-right-direction-part-1/

The word “disaster” can be used to describe a broad range of events, such as violent weather, a catastrophic accident, or a natural event that causes great damage or loss of life. Disaster recovery is an equally broad term that encompasses both the planning and preparation prior to a catastrophic event, as well as the recovery and recuperation of those affected.

 

A seminal moment in disaster recovery occurred in 1988 when a fire destroyed a central office operated by Illinois Bell in the suburbs of Chicago. The Hinsdale Central Office handled 40,000 local phone lines, which supported the O’Hare International Airport and numerous businesses. Service wasn’t restored for weeks and, one by one, thriving businesses failed and were liquidated. Network planners and architects came to realize that there are a multitude of things that can negatively impact network operations in addition to natural disasters.

While disaster recovery and business continuity are similar in many ways and share many overlapping concerns, they are different subjects. Disaster recovery deals with the aftermath of a catastrophic event that affects an area or region. Business continuity involves the safeguarding of critical business functions.

...

http://www.satellitetoday.com/via/features/Disaster-Recovery-Satellite-More-Prominent-than-Ever_41420.html

Monday, 24 June 2013 15:54

3 Business Safety Tips for Summertime

Whether you operate a seasonal business or sales pick up during the summer months, summertime can be full of risks for small business owners.

From on the job injuries to extreme weather, there’s a host of things that can go wrong to hurt sales or worse yet derail the entire operation.

“Summer is a busy time for certain businesses, particularly those along the coasts,” says Judy Coblentz, vice president and chief underwriting officer at Travelers. “In certain parts of the country the summer season brings more business and pretty big exposures for small businesses.”

To prevent your business from taking a hit this summer, Travelers put together a list of the biggest seasonal risks and ways to avoid them.

...

Monday, 24 June 2013 15:53

Big Data and GRC

The following is CCI Publisher Maurice Gilbert’s interview with John Verver, VP, Strategy at ACL. Mr. Verver is a Chartered Accountant, Certified Management Consultant, and Certified Information System Auditor, as well as a member of the Center for Continuous Auditing’s advisory board.

Big Data is a hot topic right now – how does it relate to GRC and the practical issues of risk management and compliance?

The term Big Data is used in a wide range of contexts, but it generally refers to the gathering and integration of data from various sources, both traditional and non-traditional, in order to obtain better insights into customers, prospects, market opportunities, and corporate performance. Although it is not often used in reference to risk management, controls, and compliance, it’s interesting to note that analysis of very large volumes of data from disparate sources has played a significant role in GRC for at least the past 10 years.

...

http://www.corporatecomplianceinsights.com/big-data-and-grc/

CSO — Richard Ramirez is remembered all across southern California for the terror he evoked during the early '80s. The serial killer, who died in prison earlier this month, was nicknamed the 'Night Stalker' and was known for the ease with which he entered his victims' homes. He did not break and enter, he didn't shatter windows or climb down the chimneys. For the most part, Richard 'walked' into homes either through screen doors left unlocked or windows left open. Many of his crimes, I've been told, were committed close to freeway ramps to facilitate a fast getaway.

What was very interesting to note about Ramirez's victims is that even though the city was aware of a serial killer on the loose, people still left their windows open or the screen doors open. I know I would batten down the hatches and take extra precautions until I heard the killer had been caught. So what makes people lax and laissez-faire in the face of a known and omnipresent danger?

...

http://www.cio.com/article/735293/Too_Many_CSOs_Ignore_the_Reality_of_Today_s_Threats

2012 was the second-worst year on record for extreme weather events, both in number and in cost, according to a tally released this morning by the National Oceanic and Atmospheric Administration. Eleven major events—including tornadoes, wildfires, droughts, and hurricanes—racked up a collective bill of over $110 billion, with cropland damage from drought in the Midwest ($17.36 billion in crop insurance payments alone) and Hurricane Sandy, with a $60 billion price tag, as the most expensive items.

...

http://www.motherjones.com/blue-marble/2013/06/2012-ranks-second-billion-dollar-disasters

More than half of mid-sized businesses across Europe would refuse to do business with an organisation which has suffered a data breach, despite the fact many see data loss as just another part of everyday business.

That is according to the second annual pan-European Information Risk Maturity Index by global information management firm Iron Mountain and professional services provider PwC, which examined how companies expect to respond to information risk.

It found that companies are experiencing up to a 50 per cent increase in data breaches per year. The report suggests European firms' approach to data management is marred by confusion, inconsistency and double standards.

The study reveals that despite the risks to business revenue and credibility associated with data loss, more than 60 per cent of organisations surveyed believe cutting costs is more important than investing in proper protection against the loss of data. Many of the businesses told Iron Mountain and PwC that they do not have a proper risk information strategy in place.

...

 

While knowing the latest IT security measures or top marketing strategies is important, those aren't the skills that are going to pay off in the long run for today's college graduates, new research shows.

A study by Kaplan University's College of Business and Technology discovered that critical thinking and written communications are the most important skills college graduates majoring in business or information technology programs will need to succeed in the work force.

"Technology becomes obsolete quite rapidly," said Kaplan University professor Lynne Williams. "Good communication skills remain with you throughout your working life."

...

http://www.businessnewsdaily.com/4666-information-technology-communication-thinking-skills.html

Friday, 21 June 2013 15:36

Improving Security for USB Drives

A new inspector general report criticizing a government contractor's USB drive security practices is an important reminder of why all healthcare organizations need to control the use of mobile storage media and ports.

"Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled," says the report from the Department of Health and Human Services' Office of Inspector General.

Among the risks posed by USBs are the spread of malware and the inappropriate download, storage and removal of data by users, resulting in breaches or possible fraud.

Security weaknesses such as those identified by the OIG are common throughout healthcare and need to be addressed to help protect patient privacy, says independent IT security consultant Tom Walsh.

...

http://www.govinfosecurity.com/improving-security-for-usb-drives-a-5851
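The control the OIG report calls for, restricting which storage media may be attached to a host, is normally enforced by device-control software, but a basic check can be built from the host's own logs. The following is an added example, not part of the original article or of the OIG report: it parses Linux kernel (dmesg-style) messages from the usb-storage driver and flags mass-storage devices whose serial number is not on an allowlist of issued drives. The log lines and the allowlist are constructed for illustration, and the field layout assumes the kernel's standard usb/usb-storage messages.

```python
import re
from dataclasses import dataclass

# Kernel log patterns for the Linux usb-storage driver. The layout assumes the
# standard dmesg/journald messages; field names are as the kernel prints them.
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)

# Constructed sample log: an issued stick on port 1-1, a keyboard on 1-2 and an
# unknown stick on 2-1. Not real log data.
SAMPLE_LOG = """\
[ 101.200] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 101.201] usb 1-1: SerialNumber: 4C530001230101121234
[ 101.205] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 205.400] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 205.401] usb 1-2: Product: USB Keyboard
[ 310.700] usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 310.701] usb 2-1: SerialNumber: 0123456789AB
[ 310.705] usb-storage 2-1:1.0: USB Mass Storage device detected
""".splitlines()

# Serial numbers of drives the organisation has issued (assumed allowlist).
APPROVED_SERIALS = {"4C530001230101121234"}


@dataclass
class UsbDevice:
    port: str
    vid: str = "?"
    pid: str = "?"
    serial: str = "?"
    mass_storage: bool = False


def parse_usb_events(lines):
    """Group kernel log lines by USB port and collect identity and storage facts."""
    devices = {}
    for line in lines:
        if m := NEW_DEVICE.search(line):
            # A fresh enumeration on a port replaces any earlier record for it.
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif m := SERIAL.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).serial = m["serial"]
        elif m := STORAGE.search(line):
            devices.setdefault(m["port"], UsbDevice(m["port"])).mass_storage = True
    return list(devices.values())


def unapproved_storage(devices, approved_serials):
    """Mass-storage devices whose serial is missing or not on the allowlist."""
    return [d for d in devices if d.mass_storage and d.serial not in approved_serials]


def report(lines=SAMPLE_LOG, approved=APPROVED_SERIALS):
    """One human-readable finding per unapproved mass-storage device."""
    findings = unapproved_storage(parse_usb_events(lines), approved)
    return [f"port {d.port}: {d.vid}:{d.pid} serial={d.serial}" for d in findings]


if __name__ == "__main__":
    for finding in report():
        print("UNAPPROVED USB STORAGE ->", finding)
```

Keying the allowlist on the device serial rather than the vendor/product pair matters: the OIG's concern is which physical drives leave the building, and two drives of the same model are indistinguishable by vendor and product ID alone. A device that reports no serial at all is treated as unapproved for the same reason.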

Friday, 21 June 2013 15:35

Powering backup and DR with cloud

Cloud came as a blessing in disguise for backup and disaster recovery services. Traditionally we have depended on tapes and data centres for both, which required huge investments. The paradigm shift brought by the cloud has made it possible for the SMB sector to explore these services.

"It won't happen to me" is a kind of self-assuring myth that most people feel comfortable with. I was going through a document from Texas University which tells us that only six per cent of smaller businesses survive catastrophic data losses.

The University of Minnesota found that "93 percent of business that lost their data centre for 10 days or more filed bankruptcy". If these facts are true, DR and backups act as a lifeline for our business, as bad times cannot be completely avoided. Disasters don't just happen; they are a chain of critical events. Not having a robust DR could be one of them.

...

http://www.ciol.com/ciol/experts/190450/powering-backup-dr-cloud

Friday, 21 June 2013 15:31

Risk Management, Military Style

Especially in military operations, it's impossible to eliminate risk, but it can be minimized. Many of their risk-management techniques can apply to your flying.

No matter what we do in an aircraft, we cannot eliminate risk entirely. Instead, we can manage that risk and take positive steps to mitigate or reduce it; in rare cases, we may even be able to eliminate it. An example of the latter might be canceling a trip for poor weather, or because of a mechanical issue. But we should be mostly concerned with mitigating and reducing the risks our flying poses.

Of course, there are many ways to accomplish these goals. I believe most of us in general aviation have sat through a presentation or seminar discussing risk management. While serving in the U.S. Marine Corps, I sat through those classes as well as taught them, and I always came away with the same question, "How will this reduce the mishap rate?" Given the resources available, along with the missions, the military's way of managing risk can't be implemented by the average GA pilot. But it's worthwhile to examine the military's risk-management process. Using it as a template, then taking some simple steps and applying its techniques over time, on our own, can help reduce the GA mishap rate, before someone does it for us.

...

http://www.avweb.com/news/features/military_risk_management_pilots_208888-1.html

Good news for managed services providers (MSPs) offering backup and disaster recovery (BDR) solutions. Storage software revenue increased in the first quarter this year led by strength in data protection and recovery software, according to a report from International Data Corp. (IDC). Here are the details.

The worldwide storage software market grew by 3.2 percent during the first quarter of 2013 compared to the same quarter of 2012. Revenue during the quarter climbed to $3.6 billion.

Eric Sheppard, research director for storage software at IDC pulled out the key areas of strength in the market. "Demand was strongest for data protection and recovery software as well as storage and device management software. This was driven by a broad need for data resiliency, improvements to operational efficiencies, and better insights into installed data center infrastructure."

...

http://mspmentor.net/backup-and-disaster-recovery/data-protection-and-recovery-software-demand-drives-strong-demand-q1

The overall purpose of business continuity planning is to ensure the continuity of essential functions during an event that causes damage or loss to critical infrastructure. A continually changing threat environment, including severe weather, accidents, fires, technological emergencies, and terrorist-related incidents, coupled with a tightly intertwined supply chain, have increased the need for business continuity efforts.

To ensure long-term viability, companies should develop, maintain, conduct, and document a business continuity testing, training, and exercise (TT&E) program. The business continuity plan should document these training components, processes, and requirements to support the continued performance of critical business functions. Training documentation should include dates, type of event(s), and name(s) of participants. Documentation also includes test results, feedback forms, participant questionnaires, and other documents resulting from the event.

...

http://www.emergency-response-planning.com/blog/bid/59726/Business-Continuity-Testing-Training-and-Exercises

Although each business disruption is unique and many decisions will have to be made as situations unfold, a business continuity plan provides a framework and preparation to guide these decisions, as well as a clear indication of who will make them. A successful business continuity plan includes the following elements.

Define a team structure

  • Develop a clear decision-making hierarchy, so that in an emergency, people don’t wonder who has the responsibility or authority to make a given decision
  • Create a core business continuity team with personnel from throughout the organization, including executive leaders, IT, facilities and real estate, as well as physical security, communications, human resources, finance and other service departments
  • Create supporting teams devoted to related functions such as emergency response, communications, campus response and business readiness

...

http://www.citrix.com/solutions/business-continuity/best-practices.html

The effectiveness of data classification and retention policies can have strong ripple effects across an organization's entire IT risk management framework. After all, how data is classified can determine what risk management priorities are placed on it and the less data that is retained long-term, the less volume the organization has to sift through to determine appropriate protection levels.

"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."

...

http://www.darkreading.com/risk/data-classification-can-boost-risk-manag/240157074

How can you prioritize various backup and disaster recovery (BDR) issues? Smart managed services providers (MSPs) focus on four potential scenarios. The idea is to understand each scenario and its correlation with time to recovery.

Strata Information Technology Inc. President Pete Robbins, a BDR specialist, uses these four scenarios to properly assess each situation:

...

http://mspmentor.net/infocenter-bdr/backup-disaster-recovery-bdr-4-scenarios-msps

Friday, 21 June 2013 15:22

Risks within risk

For want of a nail

The Atlantic hurricane season arrived June 1. The Pacific typhoon season arrived a little earlier and promptly sent a typhoon across Mexico.

Many organizations have “hurricane” plans. To my mind, that’s foolish. Any “threat specific” plan is, in my opinion, foolish.

The problem with a “hurricane” plan is that it can overlook a risk within a risk.

Consider a hurricane’s main components.

Wind.

Rain.

Storm surge (flood).

Wind is, for the most part, harmless. True, it can blow the roof off a building and that can lead to other damages to a property. And true, it can bring down power lines.

A wind’s main threat potential is carrying missiles – anything it can pick up and hurl along at high velocity.

...

http://johnglennmbci.blogspot.com/2013/06/erm-b-c-coop-risks-within-risk.html

The constant parade of new hardware and software that necessarily comes into a data center makes for a lot of moving parts that can be extremely difficult for IT managers to integrate into a business continuity plan.

It's a big, diverse IT world out there.  In any given data center, you can walk down the aisles and see racks of servers or storage from literally dozens of different companies, all doing their jobs—but not necessarily always in exact harmony. The coordination of proprietary, open-source and open-standards software that can clash is often a sore point for IT managers—and those are often found within the same data center environment. This all affects business continuity big time, because all those diverse components have to work together in order for a system to recover after being hit by an outage.

...

http://www.eweek.com/it-management/maintaining-business-continuity-in-a-diverse-it-environment/

LONDON (Reuters) - For European insurers frustrated that "cyber crime" policies have so far failed to find a ready market among skeptical companies, hope may be at hand.

Not only has a huge data loss by Sony Corp dramatically illustrated the risks of hacking raids on corporate data, but the European Union is working on regulatory requirements which threaten heftier fines on unprepared companies.

The net effect for the insurance sector is that its efforts to establish cyber cover as a lucrative business line alongside risks such as weather catastrophes may be about to bear fruit.

In the United States, cyber cover has grown to be a market worth more than $1 billion in annual premiums, but Europe has not yet followed suit, perhaps surprising given a run of high profile, and costly, hacking incidents.

...

http://www.chicagotribune.com/business/sns-rt-us-europe-insurance-cyberbre95j0cn-20130620,0,7944744.story

Thursday, 20 June 2013 15:27

Pound Foolish

Seven months after the second most costly hurricane in history, Mayor Bloomberg proposed investing $19.5 billion to make his city much more resilient to future extreme weather events. More than one-quarter of these resources will come from federal funds included in the Disaster Relief Appropriations Act, which provides aid to New York, New Jersey, and other affected states to help them recover from Superstorm Sandy. New Jersey is also investing significant portions of its Superstorm Sandy federal aid in resilience efforts, particularly along the Jersey Shore. These investments will make New York and New Jersey homes, businesses, infrastructure, and coastal areas more resistant to damage from future storms, sea-level rise, and other climate-change impacts.

Unlike New York City and New Jersey, many communities lack the financial resources to become more resilient to future extreme weather events, and the federal government woefully underfunds such resilience needs. This CAP analysis estimates that the federal government spent a total of only $22 billion on general resilience efforts from fiscal year 2011 to fiscal year 2013. The Obama administration requested an additional $13 billion for mitigation efforts in Connecticut, New Jersey, and New York after Superstorm Sandy, but it is difficult to determine the actual mitigation spending from this sum. The federal government does not have a comprehensive tally of its spending for community resilience and other pre-disaster mitigation programs.

...

http://www.americanprogress.org/issues/green/report/2013/06/19/67045/pound-foolish/

Thursday, 20 June 2013 15:27

#2: Tropical Storm Barry

As Tropical Storm Barry, the second named storm of the 2013 Atlantic hurricane season, formed yesterday in the southern Gulf of Mexico ahead of landfall early today near the city of Veracruz, Mexico, we can’t help but wonder: isn’t it a bit early?

Fortunately, one of our favorite blogs has some interesting facts and stats on early season tropical storms.

Dr. Jeff Masters’ Wunderblog tells us that Barry’s formation date of June 19 is a full six weeks earlier than the usual August 1 date of formation of the season’s second storm.

...

http://www.iii.org/insuranceindustryblog/?p=3292

“The Europeans won’t let this go. They want to know clearly what has really been going on.”

Sitting in one of the State apartments in Dublin Castle, the EU vice president and commissioner for justice, fundamental rights and citizenship, Viviane Reding, is polite, but clearly, deeply frustrated. At a joint press conference with US attorney general Eric Holder held earlier in the day last Friday, Reding had stated that the fundamental privacy and data protection rights of Europeans were “non-negotiable”.

Waiting media were eager to hear what her response would be to recent revelations by former Booz Allen Hamilton contractor Edward Snowden on the existence of two secret schemes run by the US National Security Agency (NSA) for gathering vast amounts of personal phone and online data. One took in millions of phone call records over many years from operator Verizon; the other, named Prism, involved as yet unclear arrangements whereby nine large US technology companies, such as Skype, Apple, Facebook and Google, supplied data on request.

...

http://www.irishtimes.com/business/sectors/technology/it-s-good-to-talk-in-public-about-privacy-and-data-protection-1.1435071

NORMAN — Barely a month since their occurrence, the tornadic events of May have joined the ranks of high-profile school emergencies as a source of heightened scrutiny on schools’ emergency preparedness.

Events like the Columbine High School and Sandy Hook Elementary shootings, or the more local April 2012 tornado in Norman, have dramatically altered priorities in school design and district procedures, with May making certified storm shelters in schools a new concern.

“What gets put in school facilities is reflective of priorities at the time,” Superintendent Joe Siano said. “In 1990, I was the principal of a brand new school and it didn’t have a secured vestibule entry or storm shelters — it just wasn’t a priority to communities at that time. For a new school now, that would be unthinkable.”

...

http://normantranscript.com/headlines/x1912989696/May-tornadoes-prompt-heightened-scrutiny-of-school-shelters

The daily process of treating patients has been compared more than once to a military operation—and with good reason. After all, everything of real importance takes place on the front lines, at the point of patient contact. All else is purely support.

That analogy extends to the flow of data. Information has to make it to the front lines in order to be effective. Trouble is, that imperative also makes data—especially patient data—vulnerable to attack from multiple sources.

Since September 2009, the US Department of Health and Human Services has maintained a database of breaches in unsecured, protected health information affecting 500 or more individuals. Of these, more than 60 percent have involved some kind of endpoint computing device—desktop PCs and laptops as well as USB drives, tablets, smartphones and other portable electronic devices. Millions of individual records have been compromised from these endpoints due to unauthorized access or disclosure, theft, loss, hacking or other incident.

...

http://www.healthcareglobal.com/healthcare_technology/endpoint-devices-the-battle-for-data-security

Google filed a request with the U.S. Foreign Intelligence Surveillance Court on Tuesday to remove the gag order that prohibited it — and other technology companies — from disclosing information about data requests from the U.S. National Security Agency. Google defended its request citing the First Amendment.

When whistleblower Edward Snowden leaked classified information about the NSA’s practice (in place since 2008) of collecting information about the phone calls of all U.S. citizens and the emails and electronic communications of foreign nationals, Google denied that it had ever given the NSA unfiltered access to its data. Google said it only provided a subset of data whenever a request was made, and wrote a public letter to the head of the Federal Bureau of Investigation, Robert Mueller, and Attorney General Eric Holder on June 11, asking permission to publish numbers about the frequency and scope of those requests. Facebook, Apple and Microsoft followed, asking the government to allow them to do the same. A week later, Google filed a formal request with FISC.

...

http://blogs.blouinnews.com/blouinbeattechnology/2013/06/19/the-irony-of-data-aggregators-fighting-data-aggregation/

Thursday, 20 June 2013 15:19

Fears of Vanishing Terror Insurance Grow

With the Terrorism Risk Insurance Act (TRIA) set to expire at the end of 2014, corporate risk managers are worrying aloud about what would happen if there’s no property, casualty or workers’ compensation coverage available in connection with a terrorist act.

The anxieties include the possible unraveling of funding for future construction projects, as financiers get cold feet contemplating the total loss that could transpire in the event of an attack. For existing multi-year projects, the risk managers fear that loan covenants could break apart if their companies can’t provide proof of coverage.

Such occurrences are more likely in the real estate industry and in densely populated urban areas. In the wake of the Boston Marathon bombings, however, the sports and entertainment industries are now seen to be at risk. The transportation and petrochemical industries have long been considered vulnerable to attack.

...

http://www3.cfo.com/article/2013/6/risk-management_terrorism-risk-insurance-act-new-york-city-council-rims-jones-lang-lasalle-aon-willis-centerline-capital

While the bombings at the Boston Marathon reminded responders and emergency managers of the importance of continuing to train and plan for natural and man-made disasters, Cleveland and Cuyahoga County, Ohio, had already been planning a full-scale exercise with the city’s Major League Baseball team. Approached by representatives from the Cleveland Indians about testing their ability to respond to a terrorist attack during a major game at Progressive Field, such as a playoff game, the city reached out to Cuyahoga County to help develop the full-scale exercise.

"The Department of Homeland Security recommends preparation as the No. 1 priority in dealing with emergency situations,” said Bob DiBiasio, the Indians’ senior vice president of public affairs, in a statement. “While our safety and security policies and procedures always have maintained the highest standards, we know it is very important to be well prepared in the event of any major emergency situation."

...

http://www.emergencymgmt.com/training/Exercise-Cleveland-Indians-Tests-IED-Response.html

A recent study conducted by Ipsos Reid on behalf of Toronto-based information security company Shred-it revealed that small businesses do not fully comprehend the impact of a data security breach and, as a result, are not safeguarding sensitive information thoroughly.

The independent survey, conducted by Ipsos Reid and commissioned by Shred-it, ran April 16-23, 2013, with two distinct sample groups: small business owners in the United States (1,008) whose companies have fewer than 100 employees, and C-suite executives in the United States (100) who work for companies with a minimum of 500 employees in the United States.

The 2013 Shred-it Information Security Tracker indicates that an alarming number of small businesses (69 percent) are not aware of, or don’t believe, that lost or stolen data would result in financial impact and harm to their business’s credibility.

...

Protecting a company's critical information is a value proposition. Trade secrets, confidential business plans, and operational security depend on it. Losing that kind of information can mean a plunge in stock price and market share. So who's responsible for information security in your company?

To find out, I like to ask questions. But when I put the question to top management, well, they're busy — not their problem, that's for sure — and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security? They refer me to the chief information security officer, but she works for the CIO, who doesn't much like to hear what's wrong with the system he built. Besides, she says, I have nothing to do with who gets access to the system. I don't write the rules. And (she looks around nervously: you won't quote me on this, will you?) my budget is a joke.

...

http://blogs.hbr.org/cs/2013/06/is_anyone_really_responsible_for_your_companys_data_security.html

Wednesday, 19 June 2013 20:19

Security ROI: 5 Practices Analyzed

Traditionally, enterprise data security has relied on a "fortress defense" approach: keep all assets within a corporate castle and build towering walls to keep out the enemy. However, with an evolving threat landscape that includes targeted attacks, social engineering and spear phishing, the model leaves plenty of vulnerable attack points.

With increasing employee mobility, IT professionals are challenged to expand their security practices to "armor" employees individually in addition to the fortress. As a result, IT budgets are stretched thinner, creating the need to examine the return on investment of popular security practices. In the battle against data breaches, which practices – "fortress defense" or "armored defense" – provide the greatest ROI?

...

http://www.informationweek.com/security/management/security-roi-5-practices-analyzed/240156879

The federal government spends six times more on disaster recovery than helping communities become resilient to extreme weather that’s predicted to become more intense and frequent in a warming world, a new study shows.

The analysis by the Center for American Progress (CAP), a prominent liberal think tank, labels the approach “pound foolish” and calls for a dedicated fund for “community resilience” fed by higher levies on fossil fuel production.

“We must help communities enhance their ability to withstand the high winds, flood waters, scorching heat, searing wild fires, and parched earth from extreme weather,” states the CAP analysis released Wednesday, which alleges the federal government “woefully underfunds” such efforts.

...

Wednesday, 19 June 2013 20:16

Is Your Business Prepared For Disaster?

Most organizations understand the importance of keeping critical data safe from both manual and natural disasters. It is surprising, however, to hear just how many companies are not prepared for the day their system goes down and data is lost. And yes, the day will come that data is lost, usually due to a manual user error. Beyond the compromised data, the loss of productivity can immobilize an entire business for hours or even days. Even with the best-laid plans, disaster can strike. Those who are prepared suffer the least.

The current backup and disaster recovery environment is leaning toward solutions that offer integrated and simplified next-generation approaches. These include faster recovery times, easier rebuilds, hardware-independent recovery, bootable backups and bare-metal restore. Successful solutions will require integration with legacy and current data, scale to handle big data, span virtualized and cloud environments, and implement automation while integrating the functions of backup protection and disaster recovery. As priority grows for these solutions, so should IT budgets.

...

http://www.datacenterjournal.com/it/business-prepared-disaster/

Wednesday, 19 June 2013 20:15

Warning – Not all data is created equal

IT organizations can drive up the cost of storage unnecessarily by treating all data the same and storing it all on the same media. Let’s face the fact: my resume is not as important as the payroll database or even the email database. So, why are you using the same storage policy for both?

Stop using one policy to rule all of your data. It might be simple, but it is killing your bottom line. When looking for a data protection solution, find one that allows you to use policies to treat data differently.

Important data should be prioritized as tier one data that gets backed up most often and most quickly. Perhaps that data can stay on disk for fast restore.

...

http://www.datacenterjournal.com/dcj-expert-blogs/data-created-equal/

Wednesday, 19 June 2013 20:14

15 great crisis management songs

When you're in the midst of the next crisis, imagine a movie soundtrack playing while you deal with the incident.

What songs would play?

Members of the Crisis Communications LinkedIn group came up with a clever list of more than 30 songs. Below are the top 15 songs from that list.

Play some of these songs in your crisis command center and you might elicit much-needed smiles in the midst of a serious situation:

...

http://www.ragan.com/Main/Articles/15_great_crisis_management_songs_46836.aspx#

CIO — Despite the challenges of the budget sequestration that went into effect on March 1, federal agencies are pressing forward with big data initiatives, hoping to squeeze big savings out of more efficient use of their data.

In fact, based on the federal government's FY12 budget actual expenditures of $3.538 trillion, federal IT managers could potentially recognize nearly $500 billion in savings across the federal government via big data initiatives, according to a new study by MeriTalk. MeriTalk is a community network for government IT developed as a partnership by the Federal Business Council, Federal Employee Defense Services, Federal Managers Association, GovLoop, National Treasury Employees Union, USO and WTOP/WFED radio.

MeriTalk surveyed 150 federal IT executives for the report, Smarter Uncle Sam: The Big Data Forecast. Forty-eight percent of the respondents were from the U.S. Department of Defense. The remaining 52 percent were from civilian agencies.

...

http://www.cio.com/article/735126/Federal_Government_Wrestles_With_Big_Data_and_Sequestration