Posts Tagged ‘compliance documentation’

Risk Management is more than a Risk Assessment

Tuesday, November 4th, 2014

Earlier this year after a session I gave at a conference, an attendee who was new to information security, and had just been assigned this responsibility at a mid-sized organization in the healthcare industry, asked if he could visit with me for a while about risk management. Well, of course! During the course of our conversation I learned that he had gotten some very bad advice about risk management in general, and risk assessments in particular. I know from reading various comments throughout the social media discussion sites that bad advice is becoming far too common, with many (more…)

6 Actions Businesses Should Take During Cyber Security Awareness Month

Tuesday, October 21st, 2014

October is National Cyber Security Awareness Month. It would seem the breaches announced virtually every day of this  month so far were orchestrated to highlight the need for organizations to beef up their information security efforts and improve their controls.

Sadly instead, cyber incidents seem to have become de rigueur these days. Consumers are getting fed up, and government agencies are proposing more laws. The tide is turning, and soon organizations will be held accountable for more effectively protecting their systems and information, or they will likely face much steeper fines and penalties than ever before. So, now’s the time to take action! Here are six actions you to take this month to start improving your organization’s information security program and associated efforts. (more…)

Every Business Must Be Prepared for the Unimaginable

Tuesday, September 30th, 2014

Were you surprised to hear about the worker at the Chicago O’Hare airport last Friday? Certainly I was. Who would have ever thought someone working in the control center would light the hardware on fire, and then try to commit suicide? Unimaginable, right? However, what I was more surprised about was that there was no roll-over contingency operations center in place in the event something catastrophe took out the O’Hare operations center. After all, Chicago is in an area with a wide range of weather events, from blizzards and ice to severe storms and tornadoes, and everything in between. Not to mention that all airports are considered to be a target of a wide number of terrorist groups.

Just two days prior to the incident (more…)

If Compliance Isn’t Documented It Didn’t Happen

Monday, September 22nd, 2014

Most of the 250+ organizations I’ve audited, and the hundreds of others I’ve had as clients, hate documentation. At least creating documentation. So, they don’t do it, or they do it very poorly. Or, they document things they don’t need to, and fail to document the important things. And then, considering all that documentation, they often don’t retain it long enough, or forget where they put it.

Last year I wrote an article about legal retention length requirements. Now I’m focusing on the types of compliance activities organizations need to document, and then the need to retain that documentation for the appropriate periods of time. (more…)