Risk and Security LLC

Risk Assessments, Training and More


April 2009

Assessing Risk of Swine Flu (H1N1)

Our largest webinar ever was today, on the current pandemic (swine or H1N1) flu.  I was surprised at how many organizations participated.  We reviewed the different areas that businesses need to look at when a flu like this threatens.

Last year we created six different pandemic flu assessment questionnaires, differing on whether the business is tagged as a "critical industry"; whether it is domestic or has international offices; whether it is a hospital or healthcare provider; and also sliced and diced by the state of their pandemic and emergency plans, such as continuity of operations planning.   Disaster planning is not really the same thing, because in disaster planning you assume the rest of the world is constant, instead of in the state of flux a real pandemic would produce.

In Maryland, there are six cases, and three of those in this county — they closed a school this morning.  So it is of concern to employees and the webinar centered on the different decisions business execs need to make about:

1) communicating with their employees and suppliers

2) making plans for auxiliary workforce members

3) doing advance planning and creating mechanisms for people to work from home, if necessary.

4) looking at last-minute cross training and making sure that everyone knows how to do almost everything.

The other aspect was understanding that this flu, at least initially, looks relatively mild, and as such it makes a great case for running a preparedness drill while people are watching the media coverage.  It is also probably a good time to get budget approved for things like backup supplies and face masks, especially if execs are planning travel or the business is very customer facing.

Reviewing training and trade show plans for the summer and fall would be a useful exercise.   And I think it is a service to employees to explain how to create a family pandemic stash of medicine, toilet paper, food, water and all the other necessities of life that would hold a family over for 3-6 weeks of isolation in the house.

These basic planning elements are all over the web and all over the news, but they are sometimes still hard to assimilate.  One of the things we have developed is a spreadsheet of the planning elements, and I'd be happy to send it to you if you send me a request through this blog.



Building a Model for Security Governance, Risk and Compliance

I recently began to think about how to integrate security seamlessly into an organization, without having security activities and processes pigeonholed into a stovepipe like physical security (the 3 Gs: guns, guards and dogs) or into the rarified atmosphere of the IT Department.

Other business processes are already thought of as an integral part of a business.  Think personnel, finance, shipping, sales.  All organizations, including government agencies (which are another kind of business), have these basic categories, but security is never mentioned as one of the basics.

Of course, my readers know that none of the other pieces would get very far without good, or even great, security.  You can't run an organization without locks on the doors.  You can't run a network without security controls, or it would just collapse into a heaping pile of spam within a few hours and become totally useless.

So if we wanted to integrate security and use the risk assessment process to do it, what are the pieces we would integrate?   One night over dinner with other security people, we started to build a security model which could then be assessed, where each category would have steps which could be combined to create THE PERFECT INTEGRATED SECURITY GOVERNANCE MODEL!!

I am open to suggestions about other aspects but here’s the list of the ones we started off with:

1.  Access Controls

2.  Accountability

3.  Budget/Fiscal Responsibility

4.  Compliance

5.  Information Technology

6.  Investigations

7.  Measurement/Evaluation

8.  Personnel Management

9.  Policies & Procedures (Ps & Ps)

10. Risk Assessment & Management

11.  Security Planning

12.  Training and Awareness

In the model I'm proposing, each of these areas would be scored on a scale from zero to five, with zero meaning no progress in that area and five meaning it has been integrated into the organization as a standardized, budgeted process.

Send me an email if you'd like to see a graphic of the model.  The point of a model is to get an idea of where you are on the pathway to integrating the security model into the business process.  For example, you could find out that you are doing great on access control and technology, but not so well on accountability or awareness.  Then you could put more emphasis, or more resources, into those deficient areas.

If you’ve ever read this blog before, you know that my mantra is, “if you can’t measure it — you can’t manage it” (quote by the late, great Dr. Peter Drucker).

While listening to talk radio people discussing the problems of AIG, I heard another great line: "Companies that are 'too big to fail' are probably 'too big to manage'."   And that's probably right, because those companies, with tentacles out into industries all over the world, are probably ALSO TOO BIG TO MEASURE!

So having metrics applies to all these corporate processes, and managing security using metrics must be an idea whose time has come.   Often the security departments in companies are isolated from the C-level and may not be included as often as other corporate or department managers are.    This is why the breakdown occurs that leads to weakness in compliance with regulations, which can destroy the entire organization or, if you're a bank, can lead to a CDO (Cease and Desist Order).

These twelve critical security elements are essential to the running of the organization, and that is why it is important to create a management model to measure how they are working in YOUR organization!



