Thursday, June 5, 2008

ERM-BC-COOP: Security an ERM issue?

All of the following are from SC Magazine's website:

    AT&T management staff data on stolen laptop: An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop. (June 4)

    Walter Reed suffers peer-to-peer data breach: Unauthorized file-sharing is to blame for a data breach at Walter Reed Army Medical Center that exposed the personal information of nearly 1,000 patients. (June 3)

    Medical data breaches on the rise: During the month of May, for example, patients at Staten Island University Hospital in New York were told that a computer with their medical records was stolen four months earlier, while information on patients of the University of California San Francisco (UCSF) Medical Center was accessible on the internet. The affected patients were told six months after it was discovered. (May 14)

    Deloitte stolen laptop: A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and other employees was stolen while in the possession of a contractor responsible for scanning the accounting firm's pension fund documents, it was learned today. (Dec 4)

The above are just the "tip of the iceberg": stolen notebook computers, data removed on floppies, memory sticks, external hard drives and other media, compromised passwords, and more.

All are a security manager's nightmare.

But are the Chief Security Officer's (CSO) worries an ERM practitioner's worries?

Let me rephrase the question (a technique every ERM practitioner needs to practice): is security - data and physical - a risk to the enterprise and any or all of its components?

The answer to the question, as I see it, is a resounding "YES!" Security, in all its forms, falls within the "interest" of the ERM practitioner.

That is not to suggest the CSO should report to the ERM practitioner any more than the Chief Financial Officer (CFO), concerned with financial risks, or the Chief Information Officer (CIO), or any other Chief anything should report to the ERM practitioner (who, if you ask me, also should be a "C"-level officer).

These people need to be allies; they need to work together for the good of the organization.

I work with a CSO - we used to sit in adjacent cubes 'til he moved up (literally, to the 6th floor). We share many of the same concerns, albeit sometimes from a different perspective.

My cube used to back onto a physical security person's cube.

My ERM interests and her security (badging, mostly) interests generally aligned.

We - the three of us - became, and remain, a "mutual admiration society."

While the CSO's mandate is computer security and the "badger's" is physical security, mine covers both areas. When ERM is in the lead role, these two people are my Subject Matter Experts (SMEs) in their respective fields - and believe me, they ARE experts in their fields.

All of this, of course, still fails to identify a means to stop security violations and "just plain stupidity."

Training? That's a start.

Carrot and stick? Might prove useful; or it could antagonize.

Tighter security; "Big Brother" at the portals and physical doorways?

So far, nothing seems to be all things to all people.

What is certain is that something needs to be done.

Maybe the "something" needs to vary by organization.

The bottom line: security is an ERM concern, and the ERM practitioner is in an ideal position to gather ERM allies to coordinate and promote security measures appropriate for the organization, and to ensure those measures stay current as the organization evolves.

Late email on June 5


ID Experts: Customers Cut Ties After a Data Breach

According to "The Consumers' Report Card on Data Breach Notification," a study by the Ponemon Institute released in April 2008, 31 percent of respondents cut ties with the organization responsible for the breach of their personally identifiable information.

That helps make my point about security being an ingredient of Enterprise Risk Management.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
