Thursday, January 31st, 2008

The recent release of part two of the British Standard for Business Continuity Management (BS25999) has given planners another avenue to explore when designing their business continuity program.
The British Standards Institution (BSI) released the second part of BS25999 in late October 2007 and it has been well received by global organizations.
BS25999 actually includes two standards, BS25999-1 and BS25999-2. The first was released in 2006 and addresses practices and policies; the second specifies procedures for business continuity management. The standard’s intent is to provide guidelines for implementing business continuity management within an organization.
According to BSI, BS25999 is the world’s first internationally recognized standard for Business Continuity Management (BCM). It includes requirements covering the whole BCM lifecycle, based on BCM best practices.
The standard has garnered much attention from businesses around the world. It has become the most downloaded standard from the BSI website. In fact, thousands of companies in the United Kingdom are implementing BS25999.
The basic intent of the standard is to provide best practices for an organization’s personnel, infrastructure and information technology in order to get back in business with minimal disruption if disaster strikes.
While it may seem this is similar to other standards in the market, there are some notable differences.
“BS25999 is unlike other directives, policies or standards that are prescriptive in nature,” said Bob Reilly, senior associate at Booz Allen Hamilton. “It is a management standard that audits processes and procedures to establish and maintain a continuity program.”
Those who complete the BS25999 procedures can apply for certification through BSI. External auditors will evaluate an organization’s business continuity management process. If certification is achieved, it can provide suppliers, investors and clients assurance that rigorous methods will be used to protect the organization in the event of a disruption.
“The standard audits continuous process improvement and compliance to corporate policies, unlike other certifications or audits that just represent a snap-shot in time,” said Reilly.
According to the BSI website, the auditors will be looking for documented evidence that processes are in place and will bring technical experts with them to ask why particular decisions were made.
Whether the BS25999 standard becomes a hit in North America remains to be seen. Organizations that are interested should discern the differences between this standard and the others available on the market and decide which, if any, works best for them.
For further input and comparison on the BS25999 standard, visit the ongoing discussion at www.drj.com.
Posted in BS 25999, Business Continuity Management, General
Thursday, January 31st, 2008

According to a recently released study by the University of Southern California’s School of Urban and Regional Planning, Los Angeles area businesses lost $5.9 billion from interruptions caused by the 1994 Northridge earthquake. The study polled 389 companies and 504 business sites of which 81.8 percent of the businesses surveyed suffered interruptions in their operations.
The most common reason for business interruption was employees attending to personal matters; 73.5 percent of the companies polled were affected in this way.
We can decrease employee absenteeism by encouraging employees to take part in a Personal Disaster Communications Exercise (PDCE). The main objective of the PDCE is to encourage employees to communicate through company-sponsored support groups and to identify and share their personal concerns in a "what if" scenario for a future disaster.
We know that disasters can produce major interruptions in the natural flow of life. Employees will be less likely to attend to personal matters following a disaster if they have rehearsed the safety measures to be taken in future disasters. We find that employees who have rehearsed their safety measures feel in control of their lives and cope with the distress more easily when a disaster occurs.
Posted in Business Continuity Management, Disaster Recovery, General
Wednesday, January 30th, 2008
Jaikumar Vijayan | ComputerWorld.com
January 28, 2008 (Computerworld) Data broker ChoicePoint Inc. has agreed to pay $10 million to settle the last remaining class-action lawsuit filed against the company in connection with a data breach disclosed in early 2005 in which the personal information of more than 160,000 people was exposed.
Alpharetta, Ga.-based ChoicePoint announced the settlement last Thursday, along with its financial results for last year’s fourth quarter. ChoicePoint said it didn’t admit to any liability for the breach as part of the settlement, which is still subject to court approval.
According to a company spokesman, the legal settlement involves a shareholder lawsuit filed against ChoicePoint in U.S. District Court in Georgia. All of the other lawsuits brought against the company in connection with the data breach had previously been settled, dismissed or otherwise resolved, the spokesman said.
Separately last week, ChoicePoint disclosed that the U.S. Securities and Exchange Commission has concluded a breach-related investigation that included a probe of stock trades by the company’s top two executives, without recommending any enforcement actions against either of them or ChoicePoint itself.
The SEC’s investigation involved the sale of nearly $18 million worth of ChoicePoint stock by Chairman and CEO Derek Smith and Douglas Curling, the company’s president and chief operating officer, in the months between the initial discovery of the breach in October 2004 and its public disclosure the following February.
Whereas the SEC is letting ChoicePoint off the hook, the Federal Trade Commission last year assessed a $10 million civil penalty against the company for violations of the Fair Credit Reporting Act. The FTC said that ChoicePoint had failed to implement reasonable procedures for protecting the billions of personal records — including the names, Social Security numbers, and bank and credit card information of consumers — that it collected and maintained.
At the time, FTC Chairman Deborah Platt Majoras described the fine as the largest ever levied by the commission. In addition to the penalty, the FTC ordered ChoicePoint to set up a $5 million trust fund for individuals who might have become identity-theft victims as a result of the breach. ChoicePoint also was required to submit to comprehensive security audits every two years for the next 20 years.
Last May, ChoicePoint reached another agreement with the attorneys general in 43 states and the District of Columbia, under which it promised to make substantial changes in the way it screens and authenticates new customers. As part of that settlement, the company also agreed to pay a total of $500,000 to the states to cover legal fees and costs.
When it disclosed the breach three years ago, ChoicePoint said that no computer systems had been broken into or otherwise compromised. Rather, the data was stolen when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers," the company said.
The breach led lawmakers at both the state and federal levels to call for tougher controls on ChoicePoint and other data aggregators. However, Congress has yet to approve any legislation of that sort.
Posted in General