Risk and Security LLC

Risk Assessments, Training and More


June 2011

Unsnarling political differences based on Type preferences

A key component of decision making is laying out all the options to make an informed decision.

Watching the angst of the political parties trying to solve the debt problem shows that they are both charging around saying their favorite rallying cries, which does not promote dialogue, but just inflames the other party.

Think of these two parties, Dems and Repubs, as made up of two TYPES of individuals.  The MBTI (Myers Briggs Type Indicator) personality test sorts people into 16 distinct types, and those types can be summarized into two main groups – the Traditionalists and the Innovators.

See if this sounds familiar – Traditionalists like things to stay the same, and they always support the status quo.  They dislike change for change’s sake, so they don’t want to raise taxes.  They like to keep a strong sense of order, so they are often military, law enforcement, corporate titans, etc.  They are often presidents of associations and organizations, and they are great at keeping things running efficiently.

Innovators want to explore and try new things – in life AND in politics. They want to get out of Afghanistan, put in a new tax structure, and reinvent old institutions, instead of cherishing them as the Traditionalists do.

Both these groups make great contributions to society – Traditionalists keep things organized and running, and Innovators find new, better ways of doing things.

Innovators are always searching for the next new thing, so it’s no coincidence that California has more than its statistical share of Innovators – they kept going west, and kept looking, until they were stopped by the Pacific Ocean.

Type preferences are set before you are 5 years old and indicate preferences for your entire life.  I am already seeing types emerge from watching toddlers under the age of 2.

When you understand the values of the other party, according to type preferences, you can have a more civil dialogue because you can now understand where the other side is coming from, so to speak. 

You can find out which type you are, or just find out more about the MBTI, at www.myersbriggs.org.



5 Tips to Prevent Workplace Violence

After studying the twenty-seven state guidelines and also the new guidance from OSHA on how to prevent workplace violence incidents, here are 5 tips on what areas to work on in your organization:

1.  Redo Policies – Make sure you have a clear ‘no weapons’ policy and make employees sign a pledge when they join the organization.

2.  Dynamic Awareness Training – Make sure that EVERY employee attends a training program about workplace violence issues, whether it’s 1 hour or 4 hours annually.  But boring computer training is not enough.

3.  Do a Baseline Violence Assessment – See where your organization rates compared to other companies and see how closely you match the new standards and guidelines on Workplace Violence issues.

4.  Require Employees to Report Every Incident – Communicate to employees that they are required to report EVERY incident, whether it is domestic violence at work, patient violence, or anything else.  Be tough!

5.  Use Incident Tracking – Work with both Security and HR to make sure every incident is tracked for analysis, and all employees know where and how to report incidents.



Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, governments around the world and think tanks.

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment: A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.  Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access, it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe it’s economics – maybe it’s a result of the previous economic downturn – but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:

  • The Joint Commission
  • HIPAA, HITECH, NIST 800-66
  • FFIEC, BSA-AML
  • ISO 27001 and 27000 series; NIST 800-53
  • Red Flags Identity Theft
  • NCUA Part 748
  • FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.  Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization, where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment alone?  They would have to be everywhere at once – in the morning, late at night, on the weekends – and also be able to channel the work of everyone from the newest tech support person to the director of the data center.  The inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost, and how much they would protect the organization, either by preventing threats from occurring or by mitigating the impact of the incident if it occurs.

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, the FFIEC IT (Federal Financial Institutions Examination Council Information Technology) Handbook spells out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions, in writing, in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include:

  • Calculation of asset values, including the value of the organization in total.
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.  There’s nothing like a signature on a piece of paper to foster a climate of accountability.

Risk Assessments have the potential to save corporations and governments millions of dollars by basing decision-making on real analytics instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!
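To make the cost-benefit step and the sign-off items above concrete, here is an added example (not RiskWatch’s tool or the author’s method) that scores candidate controls against management-approved asset values: a control lowers expected annual loss either by preventing occurrences or by mitigating their impact, controls already validated as in place are excluded, and only those whose annual benefit exceeds their cost are recommended, best ROI first. All asset values, rates, costs and effectiveness figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float  # value of the asset at risk, as approved by management
    annual_rate: float  # expected occurrences per year
    exposure: float     # fraction of asset value lost per occurrence (0..1)

    def annual_loss(self) -> float:  # annual loss expectancy with no new control
        return self.asset_value * self.exposure * self.annual_rate

@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the Threat it addresses
    annual_cost: float      # annualized cost to buy and operate it
    prevents: float = 0.0   # share of occurrences stopped (prevention)
    mitigates: float = 0.0  # share of per-incident impact removed (mitigation)
    in_place: bool = False  # validated as already operating

def residual_loss(t: Threat, c: Control) -> float:
    """Annual loss left once the control operates: prevention lowers the rate,
    mitigation lowers the impact, and a control may do both."""
    return t.asset_value * t.exposure * (1 - c.mitigates) * t.annual_rate * (1 - c.prevents)

def evaluate(threats, controls):
    """One cost-benefit row per control; ROI is net annual benefit per dollar spent."""
    by_name = {t.name: t for t in threats}
    rows = []
    for c in controls:
        t = by_name[c.threat]
        benefit = t.annual_loss() - residual_loss(t, c)
        rows.append({"control": c.name, "threat": t.name, "cost": c.annual_cost,
                     "benefit": benefit, "net": benefit - c.annual_cost,
                     "roi": (benefit - c.annual_cost) / c.annual_cost, "in_place": c.in_place})
    return rows

def recommend(rows):
    """Controls not yet in place that pay for themselves, best ROI first."""
    return sorted((r for r in rows if not r["in_place"] and r["net"] > 0),
                  key=lambda r: r["roi"], reverse=True)

# Constructed sample figures; real ones come from the organization's own survey and sign-off.
THREATS = [Threat("ePHI breach", 2_000_000, 0.2, 0.25),
           Threat("Workplace violence incident", 500_000, 0.5, 0.10)]
CONTROLS = [Control("Laptop encryption", "ePHI breach", 30_000, mitigates=0.8),
            Control("Quarterly access review", "ePHI breach", 120_000, prevents=0.5),
            Control("Violence awareness training", "Workplace violence incident", 8_000, prevents=0.4),
            Control("Visitor badging", "Workplace violence incident", 5_000, prevents=0.2, in_place=True)]
```

Calling `recommend(evaluate(THREATS, CONTROLS))` returns laptop encryption and awareness training; the access review costs more than it saves and the badging is already in place, so neither is recommended.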



A Short Note on Father’s Day

A Father’s Day about Remembering

My father was a teenager during the Depression.  That means there was no college for my very intelligent and very creative father.  Here are some of his best moments, commemorated in a great photo of him barbecuing on the green Weber grill, wearing only swim trunks, a big Chef’s apron and a chef’s hat!

When I was sixteen, I went outside to tell my father that I didn’t believe in the Easter Bunny anymore, so he didn’t have to go through the whole Easter Bunny drill, which included getting up in the middle of the night and putting pieces of cotton on the underside of the chain link fence, so he could take us outside and say, “The bunny was leaving your Easter baskets and he heard you waking up and he ran out so fast, he left a little bit of tail on the fence,” and then he’d bend down to show us the Actual Easter Bunny evidence.

Finally, after an hour of discussion – he said, “OK – you win, I’m the Easter Bunny”.  I locked myself in my room and cried all day.

My dad always made the best of whatever happened, a lesson he passed on to me, the eldest child.  He always had a job – usually a great job with perks like boxes of oranges and pears at Christmas, and he taught adult Baptist Sunday school for 36 years.  What a commitment.

My dad should have been an artist, because he had the most beautiful handwriting, and could draw anything.  One of the great things he did for us was put together a whole book of photos of us for our 21st birthdays.  Mine had a Winnie-the-Pooh theme, totally illustrated, of course.  It included a list of all the 20 songs I could sing at the age of 2!

My dad was also a fantastic grandfather to my two sons and they were only in their teens when he died, way too young, at 72.  He still swam 60 laps of the pool every day. 

Daddy, I think about you all the time, and wish you were here.



The 5 Missing Elements of Most Workplace Violence Prevention Programs

After working with a variety of organizations on a baseline Workplace Violence assessment, there are several areas that seem to be common problems for most organizations.  These elements are not expensive and not time-consuming, so they are natural candidates for improvement.

A baseline workplace violence assessment is a survey of employees in different roles, combined with a threat analysis, an analysis of existing controls, and the historical incidents that can be reviewed and aggregated.

Here are the top 5 most common missing elements, with potential solutions.

1.  Missing workplace violence awareness/training programs.  Many organizations report that they have set these up, that they have sent out emails to all employees, but we consistently find that the employees didn’t read the emails, didn’t know the training was available, or that it wasn’t included in their initial company orientation.

2.  Mis-categorization of workplace violence incidents.   There is a mistaken (in my opinion) idea that domestic violence incidents that happen at work should not be categorized or reported as a Workplace Violence incident.  This is a mistake, and leads to bad information about the true nature of the problem.  If someone comes and shoots her significant other at work (IN THE WORKPLACE) – it is a workplace violence incident.

3.  Staff feels subtle pressure from management not to report every incident.  In my research, management wants every incident reported, every time, but staff members report that their own direct supervisors may discourage them by not taking time to discuss these pre-incidents, and also by chalking up comments as merely office gossip.

4.  Not linking Human Resources with Security on the issue of Workplace Violence Prevention.  This is a management issue, but organizations that create bridges between HR and security are way ahead because this is one issue where cooperation makes a big difference in results.  HR can’t do a security assessment and security can’t write termination policies and set up employment screening. They are both absolutely necessary.

5.  Not doing an Annual Workplace Violence Assessment.  Since late 2008, when the economy suffered major job losses, the number of workplace violence assessments has increased dramatically, especially in the healthcare field.  Annual assessments are the best way to stay on top of the ‘potential’ for violence in your organization.

Check out one of our regularly scheduled webinars to learn more about this important issue.

REMEMBER – Workplace Violence is the one threat that is PREVENTABLE!

— Caroline Hamilton
Caroline.r.hamilton@gmail.com
chamilton@riskwatch.com
www.riskwatch.com



Using a Project Plan for your HIPAA Risk Analysis

When HIPAA first became a law, at the end of 1997, most healthcare organizations were so sure that it would be repealed or rescinded when Bush came into office, that they never quite got around to doing that first risk analysis.

Later, the risk analysis requirement got harder and tougher when the Office of Civil Rights (OCR) added their guidance document in May 2010 and suggested that, in addition to HIPAA Security, HIPAA Privacy, and the HITECH Act, organizations should also use NIST Special Publication 800-66 as a reference guide for the risk analysis and the protection of electronic Protected Health Information (ePHI).

The risk analysis has gotten more complicated, both through the tightening of requirements and through the need to include business associates, third party vendors, and an all-hazards threat approach.

Using a detailed project plan as you start the risk analysis is a good way to not only deal with the technical requirements, but also to inform management and stakeholders in the organization what a risk analysis includes, and to outline their potential participation.

There are different roles, including IT users who will answer questions related to HIPAA control standards; management, who will provide financial data and approve different values; and department managers, who will supervise their own staff and make sure they answer the surveys and cooperate with the analyst in a timely manner.

After the roles have been assigned, the data gathered, and the reports approved, the project plan can be used to create the mitigation activities and a corrective action plan, and to manage and track the new controls that are implemented.

If you’d like to see a HIPAA Project Plan, just email me at chamilton@riskwatch.com.
