By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Regulatory Compliance, Risk Management

  Is Measuring Risk Possible? I saw a discussion question recently asking how to measure risk? My first reaction was…do you measure risk?  I say no. Do you measure security?  Do you measure prevention?   I would say no and no. Do you measure cake? Not usually, unless you are paying for cake by the pound, but measuring the cake does not guarantee the cake is any good. Determining if the cake is any good depends on how the cake looks and how the cake tastes.  To make a good cake, you need to measure each of the ingredients for the cake (internal) and you needRead More →

By:
On:
In: *Connecting the Dots Blog*, Regulatory Compliance, Risk Management, School Safety

  Natasha Alam from True Blood has joined the growing list of celebrities speaking out publicly against bullying.  Celebrities are raising awareness and bringing attention to this escalating challenge. Alam recently filmed an anti-bullying public service announcement (PSA), click here to learn more. Canada recently targeted bullying with their National Bullying Awareness Week and the UK recently promoted the Big March to bring attention to bullying, violence and harassment in schools. Each of these efforts encourages people to speak out about bullying and victimization, and adults are being urged to listen.  These campaigns also mention prevention, the need for awareness and how everyone (students, parents,Read More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Emergency Management, Human Resources, Incident Reporting, Information Security, Regulatory Compliance

  General Information Personally Identifiable Information Intelligence Information Industry Information Regulatory Information Legal Information Risk Information Customer Information Emergency Information Competitive Information Etc…. Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc. BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness. Lessons learned continue to reveal that just having information is not enough.  Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or riskRead More →

By:
On:
In: *Connecting the Dots Blog*, Emergency Management, Incident Reporting, Information Security, Legal, Regulatory Compliance, Risk Management

  How is your incident reporting system working for you?  Or perhaps the question should be – Is your incident reporting system working against you? Lessons learned continue to show that organizations find themselves in ‘reaction mode’ more than they are in ‘prevention mode’.  How can this be when most every organization claims to have an incident reporting system in place? Are traditional incident reporting systems obsolete? Multiple surveys reveal that 90% of bystanders who witness a bullying incident DO NOT report the incident.  So why aren’t bystanders not reporting incidents? Perhaps bystanders are not reporting because of one or more of the following reasons:Read More →

By:
On:
In: *Connecting the Dots Blog*, Regulatory Compliance, School Safety

  Legislators in New Jersey have proposed what may be the toughest anti-bullying law in the nation with a “bill of rights” as its charter.  On the heels of the recent tragedy at Rutgers University when freshman Tyler Clementi jumped to his death, the proposed legislation builds on current laws that have not adequately protected students who are intimidated every day. New Jersey’s Anti-Bullying Bill of Rights would: Apply to bullying at school, near school and on school buses and to cyberbullying. Require training for nearly all school employees on how to identify, prevent and report acts of intimidation Set deadlines for incidents of bullyingRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance

  A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third-parties regarding the protection of sensitive information. GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information. In a recent data breach, a TSA contractor allegedly provided a Boston couple the social security numbers for more than a dozen TSA workers.  Third-parties are increasingly responsible for data breaches, but most often, the hiring agency or company willRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Emergency Management, Legal, Regulatory Compliance

  Most everyone has heard or muttered these words at some time or another: If I Knew Then What I Know Now…                                                                                                                                                                                                                          The saying is most often used when we look back at our life and we realize that if I knew then (when I was younger) what I know now (with more experience and wisdom), I may have made some different decisions. The saying also came to mind recently as we were reminded of the 9year anniversary of September 11th and the 5 year anniversary of Katrina and numerous other incidents that have provided experience and wisdom that we could have used before these eventsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management

  Dissemination vs. Implementation The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required. Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminatingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

  Did everyone see this ultimate lesson regarding lessons learned but not implemented? Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years. Now roll the clock ahead to July 2010 and another pharmacy chainRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Privacy, Information Security, Regulatory Compliance

  Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime. Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included: “Cybercrime is not a problem that is growing, or coming, or off in the future.  This is a problem right now.” Mr. Schaffer also cited some statistics from reports and surveys: A single cyber breach costs companies an average of $6.75 million  27 countries have claimed to have experienced financial losses related to cybercrime In 2009, 30 million examples of new malicious software were released  Read More →