By:
On:
In: *Connecting the Dots Blog*, Information Security

  Dennis McCafferty of CIO Insight recently did a two part overview on Enterprise Security Risks and in part 2 he talked about the hottest security catch phrase of 2010 – Advanced Persistent Threat (APT). According to the overview, an Advanced Persistent Threat is an insidious attack by a well-funded, state-sponsored intelligence organization.  The overview goes on to describe how APT attackers are more patient than a bored Gen Y hacker or financially motivated crook. They are willing to slowly gather information and data from multiple sources and social media sites and then execute a targeted, social-engineering attack on their terms. Are bad guys out-thinkingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Workplace Violence

  What is your first thought when you hear the word WHISTLEBLOWER? Whistleblower definitions commonly say a whistleblower is any person that reveals wrongdoing or malpractices taking place within an organization.  And in many cases a whistleblower may face retaliation or other negative ramifications and by law may require special protection. What is your first thought when you hear the word HERO? Hero definitions run from mythical and legendary figures to a person that is admired for their achievements or noble qualities to a central figure in an event, period or movement. When is the last time you heard an organization promote their Hero Line? Read More →

By:
On:
In: *Connecting the Dots Blog*, Health Care, Incident Reporting, Legal

  A previous Lessons Learned Blog mentioned the Dodd-Frank Wall Street Reform and Consumer Protection Act and a special bounty program within the Act for whistleblowers.  Did you see it? An attorney at the Healthcare Financial Management Association’s Annual National Institute legal update says healthcare providers may be heading into a storm of whistleblower suits that could cause serious problems for the unprepared. The attorney predicts the new Patient Protection and Affordable Care Act could lead to an explosion of whistleblower lawsuits because the new law does not require the plaintiff to have direct knowledge of alleged fraud to file a suit. So if youRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management

  Dissemination vs. Implementation The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required. Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminatingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Legal, Risk Management

  According to a recent Washington Post headline, law firms are gearing up for new whistleblower reward program. The new program was included in the Dodd-Frank Wall Street Reform and Consumer Protection Act signed by President Obama in July 2009 has created a bounty program that rewards individuals who provide “original information” to the SEC.  The SEC can then award the individual with up to 30 percent of any successful enforcement action that exceeds $1 million. There is no doubt that federal agencies are publicly ramping up  to police illegal corporate activity… future Lessons Learned Blogs will discuss healthcare, education and others. Here are someRead More →

By:
On:
In: *Connecting the Dots Blog*, Campus Safety, Emergency Management, Incident Reporting, School Safety

  I met some really outstanding people this month while presenting at the NASRO national conference and I deeply appreciate how school resource officers (SROs) and school security officers (SSOs) are striving to make a difference with students and with schools. Before and after my presentations I had some interesting conversations with several SROs from schools all across the U.S.    One of the SROs I spoke brought up an ongoing challenge with cameras.  He would like to replace outdated analog cameras that do not give him the clarity he needs to recognize and identify people.  He also wants to add more cameras for better coverageRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

  Did everyone see this ultimate lesson regarding lessons learned but not implemented? Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years. Now roll the clock ahead to July 2010 and another pharmacy chainRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Human Resources, Risk Management, School Safety, Workplace Violence

  In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort. I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints. Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action and etc.  Blueprints can also include programs, policies, procedures, processes, guidelines, checklists and etc. But blueprints areRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Emergency Management, Risk Management, School Safety, Workplace Violence

  I attended the Virginia Governor’s Campus Preparedness conference last week and had an interesting discussion with one of the attendees.  We were talking about how building preparedness across an organization or an entire campus is becoming more complex and more difficult due to escalating challenges, regulations, obligations, liabilities and much more. As our discussion continued, we started talking about how important tools can be when building campus-wide preparedness programs.   In reference to whether tools can make a difference, I offered the following analogy: Could a skyscraper be built using a hammer, a saw and some nails? The attendee responded quickly, yes the skyscraper couldRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Risk Management

  Lessons learned from a recent hacking competition at Defcon revealed yet again that your employees are the biggest threat to your organization. With just two phone calls, a hacker posing as a Louisiana-based employee handling claims involving the Gulf oil spill was able to trick a computer support employee at BP into divulging sensitive information that could have proved crucial in launching a network attack.  The employee provided information to the caller including the model of laptops BP used, the specific operating system, browser anti-virus and VPN software.  The hacker also convinced the employee to visit an unknown web site, Social-Engineer.org. Other hackers inRead More →