Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

risk assessment

Return of the Sea Monster as a Force of Nature

Last week I wrote about the oil spill in the Gulf and today I was looking at my Loch Ness model of a sea monster with a cute little red beret.  I thought about the concept of a SEA MONSTER. Any terrible  sea monster worth its salt would:

     1.  Kill things indiscriminately

     2.  Hide under the water until it is unleashed on an unsuspecting world.

     3.  Be very hard to kill or subdue.

Sound familiar?  Because the gulf oil spill IS a Sea Monster – probably worse because the Spill Monster doesn’t just kill virgins and itinerant fishermen – it kills everything.  Kills grass and insects and crustaceans (like shrimp) and also sucks the oxygen right out of the water so it doesn’t just kill everything now and then go about its business, but it makes recovery impossible.

If I was a senator or congressman I would be drafting up a bill requiring drilling AND mining companies to not only do a complete and comprehensive risk assessment PRIOR to exploration or drilling activity, but also to publish their contingency plans, disaster recovery plans and emergency plans.

Somewhere along the way – the phrase “disaster recovery” planning got pinned to the information technology recovery but it really applies to everything and certainly to risky endeavors like mining and drilling.

It would be tempting to say that the risk assessment and disaster recovery planning (in the broad sense) should be required on everything that has the potential to adversely affect the planet.   Who would administer it?   This is where the U.S. is again trapped into a corner by the responsibilities of each federal agency.  

In a perfect world, you’d like to think that the EPA (Environmental Protection Agency) would be in charge, but that, under the present structure, would exclude deep sea drilling and agribusiness concerns.   Because the EPA is regulating toxic substances like chemicals, and air quality, but not everything that affects the ‘natural environment’.

We need an ENVIRONMENTAL OMBUDSMAN to protect the citizens of the United States, and maybe of the whole world.   This position would cut across the current agency lines to include oil drilling/extraction; mining as in strip mining;  use of pesticides in agribusiness; industrial pollution of rivers, lakes and oceans; and deforestation.

Over-fishing belongs in the same category.  I have heard that Blue Fin Tuna is now endangered and the United Nations is going to vote this year on protective measures. 

Basically all these kind of industries, mining, drilling, fishing are all scooping raw material up out of the earth and selling it.  The companies involved seem intent on drilling, fishing or scooping up as much as they can get of FREE STUFF from the planet, and then selling it for enormous amounts of money.  Again, you would think that old self-preservation gene would kick in, but instead, it may be that when one of these industries hears that whatever they are taking could be limited, or managed, or made less easy to get, they rush to get every more before the limit or ban goes into effect. 

This behavior accelerates the underlying diminishing supply problem, drives up prices, making industries want to get even more of their oil, minerals, diamonds, fish, whales, or whatever and so the cycle becomes maximally destructive to the environment on even a shorter time line.

One of the biggest aggravating factors of the current SPILL MONSTER is that we, the taxpayers, basically financed it and now we are going to get to pay to clean it up, and the paying includes providing services for all the damaged parties.  Do you really think that BP is going to cover the entire costs by the end of the day?  I am highly skeptical.

We keep hoping that man’s (and woman’s) survival instinct is going to kick in at some point and people will think, “If we don’t keep the earth clean, it is going to negatively affect MY health, or MY business, or MY customers”, but we, as a country, are not quite a that tipping point yet.   I hope we get there sooner instead of later.



The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we are by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died –    25,000,000
  3. The Value of the Oil itself, with replacement value
    (5 million gallons at  $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for

Just Louisiana – add in Alabama, Mississippi and Florida and quickly     the bill runs up to $10 billion dollars.

  1. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  2. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; 0ther assorted marine mammals, birds, and fish   – $25 million.

So we have a resource worth about $33.5 billion dollars – that is potential loss estimate.

What we will lose if a threat materializes?    Keep in mind, for comparison purposes, that BP had recently doubled it’s profits from $3 billion to $6 Billion a quarter,  which calculated out to about  $24  Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get a idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur,  you will recognize many of these from the latest news conference

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.



All about the HIPAA Risk Analysis — from the Department of Health & Human Services Office of Civil Rights (OCR).

An amazing development in HIPAA compliance took place on May 7th.  What a great surprise for a Risk Analysis/Risk Assessment Person!  The Department of Health and Human Services, Office of Civil Rights finally came out with their draft guideline for the HIPAA Risk Analysis on May 7th!

While hospitals and health plans, business associates, technical service providers and physicians have struggled to understand the original HIPAA risk analysis requirement, the Health & Human Services Department finally published the draft guidance to help healthcare providers understand what is expected of them in doing a risk analysis of their protected patient health information (ePHI).

This is a critical part of the HIPAA Security Rule, but there was never any ‘official’ guidance of exactly what was expected and how they should accomplish the risk analysis. 

Why the Office of Civil Rights?  Because the new HITECH Act (February 2010) directed that OCR oversee health information privacy including the enforcement of the HIPAA requirement.   And the guidance is long overdue.  I have had dozens of conversations with individuals at hospital and, discussing what a risk analysis is, what are the basic elements, and I am THRILLED to report that the OCR agrees with my methodology.

 The draft guideline on risk analysis also takes the same track that the financial institutions have given as guidance to banks and credit unions.  That is risk analysis is a foundational document that should be used (and referenced) as the organization evaluates and implements appropriate controls.

OCR refers to the risk analysis, not as a one-time drill, but instead, as an ongoing process to help organizations evaluate their risk focusing on the confidentiality, integrity and availability of protected health information.  The Risk Analysis Report, creates the blueprint that an organization will follow as they improve their compliance – for example, deciding what data should be authenticated in particular situations, deciding, when, if or how to use data.

A risk analysis is also the basis for an understanding by organizations of the technologies they will need to secure protected health information, OCR said in the draft guidance May 7. 

To quote directly:  “We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).  Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

Among the basic elements of a risk analysis, OCR said, organizations must identify data collections, document threats to information that could create a potential for inappropriate disclosure and assess current security measures the organization uses to protect patient information. This was great to read because it follows the elements I have built our solutions around.

Those elements, which were reinforced by the draft guideline include the following five elements of risk analysis (and risk assessment).

1.     Identify and characterize the assets that need protection,  including the databases, the applications, etc.

2.    Analyzing the relevant threat data – focusing on what could adversely affect the assets (ePHI) in this case.

3.    Modeling the potential losses that could result from the threat actually materializing.

4.    Finding the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring.

5.   Developing appropriate controls to reduce potential loss, reduce existing vulnerabilities and make sure the controls are cost effective.

 The OCR also referenced the NIST 800-66 to show sample questions that need to be part of the risk analysis.  Luckily – we totally agree with them and have included the NIST 800-66 Guidance in every HIPAA Risk Analysis software solution.

 Here’s another short excerpt from the OCR:

 “Risk Analysis Requirements under the Security Rule

 The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)  

Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

OCR went on to cite NIST 800-66:  “The following questions adapted from NIST Special Publication (SP) 800-66  are examples  organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:    Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.    What are the external sources of e-PHI?

The publication of this first draft guideline gives healthcare organizations and other affected organizations a hint about which direction the OCR enforcement is going to go.  As I mentioned previously, the regulators are likely to follow the example of financial audits and ask for the current copy of the organization’s risk analysis and use that as the blueprint to measure how well the organization used the risk analysis to prescribe and dictate all other actions which were taken to protection the organization’s protected health information.

In the words of the OCR –

In Summary, Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

For a complete copy of the 8 page OCR guideline, please send an email to chamilton@riskwatch.com.

.



BLUES ON THE BORDER – WILL SECURITY FINALLY GET A BREAK?

Arizona finally did it.  They called DHS’s bluff, and actually DID SOMETHING about the US-Mexican border.  it has nothing to do with racial profiling and nothing to do with discrimination — it has everything to do with America’s security against terrorism.

Everyone who is so shocked, appalled and worried – shouldn’t be.   Everyone wants to prevent the next 911, they want to keep out drug traffickers….. and you cannot get that done with an open border to our south. 

I say it over and over – PLEASE QUOTE ME – you can’t have homeland security with an open border!  You can NEVER have homeland security unless you have security at the border first. This is a key risk assessment vulnerability that anyone doing a formal assessment would spot immediately. 

What good is having a checkpoint on the I-5 interstate in San Ysidro if illegals can avoid the border crossings and run right into the U.S.? 

Look at strictly as a cost issue – looking at the real numbers helps… 

  • Cost of maintaining our phony border controls   $100 Million Dollars for 2010

(from the total ICE (U.S. Immigration & Customs Enforcement) budget of  $5.7 Billion Dollars). 

  • The Drug Enforcement Agency (DEA) says that since 2005, 15% of domestic arrests are arrest of illegal aliens!
     
  • Budget for DEA to combat Drug Traffic from Mexico   – over $25 Million Dollars (just to add an additional 128 agents along the southwest border). 
     
  • The Southwest Border Initiative Virtual Fence Project – $800 Million dollars
  •  The Secure Fence Act – over $7 Billion dollars 

AND OUR BORDER is still wide open.    Federal agents trying to police the border do not have the proper support and are discouraging from killing murderous drug dealers and human trafficking mules.   

If you look even farther – take the entire budget of the Department of Homeland Security, which is  $55 Billion dollars.   This money can largely be considered as wasted, if there is no control over our border with Mexico.  

You see it all the time at companies out in rural areas – they have a chain link fence around the back of the property, but the fence has a 14 foot gap in it, and all it does is concentrate the intrusions right through the gap in the fence.  It does not deter crime, it cannot prevent theft – because the fence is not secure, there is an open gap.  

That analogy works with our borders, too.  If you wanted to get into the U.S. illegally, would you choose to drive thru the checkpoint at El Paso?  Through San Ysidro?  Fly in from Mexico City and have to show a passport?   NO – you would breach the border and just walk across someone along the thousands of miles of unsecured border. It is a no-brainer, even for a terrorist.

As a risk assessment expert, I am personally thrilled that Arizona has pushed the envelope and passed a bill that at least attempts to find a solution to our horribly expensive and totally ineffective southwest border controls.  It might galvanize enough people to actually get something done about this open border policy. 

Remember, you cannot have a secure country without securing the borders.



Risk Assessment: Too much emphasis on PROCESS hampers rescue efforts in Haiti

From the night that CNN showed Dr. Sanjay Gupta staying up all night to attend to patients in a field hospital, because the UN thought it was unsafe for their doctors and medical staff, you can’t help but feel like the security threat there has been used to avoid taking any chances — while the Haitian people are having to absorb all the risk!

Even Anderson Cooper said, from his position in the ground, that the security fears were overblown and other doctors have corroborated this! So why is the UN using security as a cover….

The UN is an organization that often favors PROCESS over ACTION. I can understand that they are used to having convoys attacked in dangerous areas like Cambodia and Ethiopia — but this is Haiti…. we know Haiti… no rocket launchers in Haiti — no political goals on display in Haiti. Just poor, starving, sick people with no homes, no resources, no medical facilities, no food, and no water.

As a risk person, I just wonder if they actually did a quick 1 hour risk assessment on this disaster which would have pointed out that the risk of slow, un-action is much worse in this case – than the risk of a security incident.



Fireworks Ignite After Latest Airline Terrorism Incident

It was a surprise to see the biggest news on Christmas was that a Nigerian terrorist managed to get on a plane coming to Detroit from Amsterdam with some sort of explosive strapped to his leg.

AND – the alleged terrorist was on the NO-FLY LIST. Just think about this for a moment. A recent paper from the Naval Postgraduate School on Homeland Security estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million! And after spending over $300 million, the terrorist is able to get right on the plane, WITH EXPLOSIVES STRAPPED ON, and fly to the U.S.

Besides being a risk expert, I was mom who didn’t let her boys have toy guns. So imagine my shock at THINKING (to myself) that maybe we should let certain
Cleared passengers fly PACKING.

The passengers on the flight under discussion are the ones who subdued the perp, and I have a feeling that US airlines passengers would all be happy to take over their own security while flying the un-friendly skies.

Despite spending billions on patting down the grannies and business travelers along with 9 year old girls – someone can still board a plane and fly right into the U.S. with
explosives strapped on.

A simple risk formula applied to this entire passenger screening program shows that the entire TSA passenger screening program is too expensive for the results they are getting. The biggest cost waster is the idea that every single air traveler is treated exactly the same way. This is the elephant in TSA’s conference room. Every traveler is NOT the same. The most simplistic metrics show that:

1) Terrorists are more likely to be men.

2) Women over 60 are not likely to blow anything up.

3) Small children and federal employees are unlikely to be
Smuggling in explosive devices.

As the noted expert, Stephen Flynn, pointed in his book, America the Vulnerable, this policy creates huge cost, creates inefficiency and does not stop the dedicated terrorist.

Instead of being run as a gigantic stimulus program for the underemployed, TSA should sharpen it’s focus and began to start a true profiling program. A profiling program doesn’t have to target certain groups or type of individuals, but it should work towards automatically EXCLUDING the large groups of people who are unlikely to be a threat; let them opt for “cleared” status by completing a background check, and if these many individuals were automatically cleared, it would leave the TSA screeners more time to MORE RIGOROUS checks on potentially dangerous individuals, and ENSURE THAT PEOPLE ON THE NO-FLY LIST — DO NOT FLY!

Sounds obvious doesn’t it, but instead, the U.S. budget is being squandered on thousands of unnecessary screens, while the potential targets are not getting the indepth, and in-airport screenings they need to have.

These inane policies are not just indefensible – they are dangerous – and the latest incident just proves the point.



Pandemic H1N1 – Part 2

This is my second post on the H1N1 flu. I have a daughter-in-law in the high risk category — she’s expecting twins in December and didn’t want to get the vaccine — but I did finally convince her. Also: while I was hosting my 150+ person webinar on how to handle the pandemic’s effect on your business — one of my employees came down with the ful. He was very sick for the first 3 days, and then slowly improving but still with a fever after five days.

We asked several questions during the webinar, which was very well attended by banks, hospitals, credit unions, and other companies. The one that surprised me was that only 40 percent of the people had a pandemic plan in place and about 20 percent didn’t know if they had plan or not. When we are discussing alternate staffing plans, the place where you might see the most impact is in the IT area. IT managers and network managers usually have knowledge not shared with the rest of the organization.

It’s easy to get a temp to fill in as a receptionist, to add a salesperson, or replace clerical or admin functions, but to get someone who knows your network and how all the configurations work is a trickier proposition — and FLASH — IT and network people also get the flu!

One of the amazing facts from the webinar was that older people — that is, anyone who was alive in 1957 or right after, has a very low chance of getting the H1N1 virus (unless they have another underlying condition like asthma). This is because a similar strain went around the world is 1957 and so people from the era are relatively immune.

Other considerations to contemplate during this pandemic is whether to relax your requirements for employees to have to get a written doctor’s excuse — doctors may not have time to write one — and employees who only have the flu, but are staying at home sleeping, may not have to visit a physician or hospital. Another aspect to consider is whether you would rather have people stay out LONGER, to make sure they don’t infect others in your company.

A company full is 20-40 year olds is probably going to have more absences because they have small children at home. If you look at the flu maps for the last four months in the U.S., you can easily see that the flu started in March-April 2009 and then died down when school was out. School in session resulted in the 2nd wave of the pandemic that is still increasing, as we enter into the usual flu season.

If all the data was analyzed, I’m quite sure they would find that the concentration of children in school, colleges and universities is a big driver in keeping the flu numbers increasing.

One disturbing note was — children may not be protected completely from the first vaccine, but may need a booster. I saw this on the news this morning, and, with vaccine in short supply anyway, the idea that boosters may be needed would be very unwelcome.

By the end of next week, we should get a better idea of the trending of the flu waves and that will help companies in planning for increases absences. At the beginning of H1N1, experts were predicting a 20-40% absentee rate — so don’t take your eye off this pandemic.



How your health records are safer — or at least you’ll know about all the disclosures now….

Well – it wasn’t a billion dollar bailout and it wasn’t a new ‘public option’, but it was, on September 23rd, the official STARTING DAY of the new HIPAA breach disclosure rule, another tangible effect of the American Recovery and Reinvestment Act of 2009.

The breach disclosure rule is a little unusual in the way it dictates how healthcare entities have to behave if there is a disclosure of YOUR PHI (i.e. Protected Health Information). Your PHI could be interesting little tidbits of information like:

– detailed health info on 1000 Hollywood celebrities, probably all about face lifts, nose jobs and liposuction.

– Details on whose tubes got tied

– Embarrassing information on warts and other disgusting physical problems
Or
– Just info you don’t want everyone to know about.

The new Breach Disclosure rules protect you. Here are some of the details about what the organization that leaked your sensitive info has to do…

If the breach involved less than 500 individuals’ information, then you must be notified within sixty days and “without reasonable delay”. If more than 500 individuals’ information is breached, then the organization has to not only notify the Department of Health and Human Services, but also has to send out a press release and notify the media — film at eleven.

Covered organizations (covered entities) will not be penalized until February 22, 2010. So for now, organizations should make sure they have these disclosure guidelines in place and practice them, including training and awareness exercises, so they will be ready by February.

Organizations must also do an individual RISK ASSESSMENT on each breach to calculate the harm that the breach may do to an individual. For example, whether the breach would affect their health insurance, or their relationship!
There are additional considerations about whether the breach was done in error and actual disclosure was limited; or whether it was malicious disclosure – done on purpose, or for financial gain.

The breach notification rule, in my opinion, is just another manifestation of how serious the government has become about protecting personal information, whether it is protected health information, or personal financial information.

The FTC reported that identity theft is the one number consumer complaint and so protection of your information has moved up to the top of the list. Lucky us



Did you Wash Your Hands Today? RISK and the H1N1 PANDEMIC

The CDC reported on August 29, that, as of April 15, 2009, total of 9,079 hospitalizations and 593 deaths associated with 2009 influenza A (H1N1) viruses
have been reported to the CDC.

I put on a seminar last week with the Florida International Bankers Association in Miami, Florida, and one of the topics on the menu was the H1N1 Flu. Now, about ten days later, the media is starting to report on H1N1 sweeping through the college campuses and elementary schools. It hasn’t hit employers hard yet, but I am confident that it will.

And this time it comes with some surprising statistics. The younger you are, the more at risk you are. Apparently if you are over 60, or born after 1956, you are mostly immune because a similar flu that made the rounds in ’57 gave people alive at the time, antibodies that will protect you this time.

I have noticed the increase in sincere doctors talking about how they are going to immunize their own children – that is, after the new vaccine comes out in mid-October.

Hospitals have already been hit especially hard by the recession, due to the increase of patients who have lost their jobs, and therefore their health insurance; and that has increased activity in the local emergency rooms. But look what the forecast is for hospitals at the height of the possible epidemic — Under some models, seriously ill influenza patients could require 50 to 100 percent of intensive care unit (ICU) beds at the epidemic’s peak, stressing the medical and public health systems to the point of overwhelming some hospitals, and could cause from 30,000 to 90,000 deaths, concentrated among children and young adults.

I went to the local grocery and stocked up on hand sanitizer for the office and also lots of foil-wrapped sanitizing wipes – keeping them in my purse and suitcase, for those occasions where I have to shake a lot of hands.

What is the effect on a business if H1N1 does reach pandemic proportions?
Your personal risk varies depending on your age. Older workers will not be affected but take a look at your workforce and calculate how many have young children or school age children.

Since transmission increases in group settings, and kids are known for not being the most hygienic of creatures – there is a better than fair chance that your employees will have children who get sick and they will have to stay home with their children.
Some schools may have to close for 4-8 weeks. Especially since elementary school teachers are often in the target group and often have small children themselves. In my own office, two-thirds of the associates are under forty and half of those have small children. One expert said that if the 30% figure holds, then expect a ten-fold increase in absenteeism.

If your organization is part of the critical infrastructure, you might want to get a professional assessment of your risk, not just to identify it, but to get a set of operating procedures you can use if the pandemic does materialize.

Here are a few things to think about:

1. Encouraging an option for employees to work at home.
2. Deciding in advance what to do when an employee tells you he has H1N1.
3. Cross-training for important as well as critical functions.
4. Think about curtailing employee travel, if necessary.
5. Consider the impact if public transportation is not available, or
Not safe to use.

Seriously consider getting some No-Doz for your employees over sixty who may have to work much longer hours!!

AND DON’T FORGET TO WASH YOUR HANDS.



How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggrevating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary like X instead of Y
3. My friend, Sam, said his company was adding
some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.




top