Wednesday, July 28, 2010

ERM-BC-COOP: It's all about T R A I N I N G


Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case - Company agrees to substantial corrective action to safeguard consumer information

From an email from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS)

"Rite Aid Corporation and its 40 affiliated entities have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

Rite Aid, one of the nation’s largest drug store chains, has also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

Among other issues, the reviews by OCR and the FTC indicated that:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;

  • Rite Aid failed to adequately train employees on how to dispose of such information properly; and

  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;

  • Training workforce members on these new requirements;

  • Conducting internal monitoring; and

  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years."

The other day, July 23, 2010, I blogged about "Security awareness training." I have, on numerous other occasions on the blog and on the Web site, written about the importance of training.

Usually, the focus is on personal safety; people are, after all, both an organization's most important resource and its first line of warning that a threat is about to occur or increase in intensity.

This time the focus is on The Bottom Line.

Granted, not every organization needs to be concerned with HIPAA or the FTC, but the admonishment is the same for all - on-going training is needed to help keep an organization safe - safe physically, safe financially.

Because Rite Aid, according to HHS's OCR regulators, "failed to adequately train employees on how to dispose of such information properly" the business finds itself under the HHS microscope for three years and under the FTC's close scrutiny for TWENTY years.

And of course there's the matter of the $1 million fine that, probably in the overall scheme of things, is a pittance to pay.

It might be argued that the cost of doing what should have been done before, specifically

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;

  • Training workforce members on these new requirements;

  • Conducting internal monitoring; and

  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

might have cost more than the penalty, but remember that now the organization must do all those things AND pay the $1 million fine AND suffer some PR fallout; how much of an image hit depends on how aggressively HHS's OCR publicizes its queue and how much Rite Aid competitors want to risk in a potentially mud-slinging contest.

When it comes to The Bottom Line, and that is what Enterprise Risk Management is all about, it pays to look at all the risks; the obvious (environmental, technological, and human) and the less obvious (training, policies and procedures, compliance).

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood - Fort Lauderdale Florida

Friday, July 23, 2010

ERM-BC-COOP: Security awareness training


I preach awareness training for all hands. Mostly the training I recommend is awareness of the environment so that any changes can quickly be identified and, if necessary, dealt with.

The following article from the Washington Times, DC's "other" paper, reminds that awareness training needs to include electronics - computers, telephones, etc. - both in and out of the office.

As with all training, it must be repeated until it becomes second nature, automatic.

The article shows that even people who should know better sometimes don't - there may have been training at one point, but it apparently lacked consistency and reinforcement. While we are at it, let's also think about awareness in the parking lot and other public areas.

Fictitious femme fatale fooled cyber security
Intel, defense specialists fell for ruse in test

By Shaun Waterman Washington Times
Sunday, July 18, 2010

Call her the Mata Hari of cyberspace.

Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.

But Robin Sage did not exist.

Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise."

* Ms. Sage's connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.

* One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded data revealing his exact location.

* A contractor with the NRO who connected with her had misconfigured his profile so that it revealed the answers to the security questions on his personal e-mail account. "This person had a critical role in the intelligence community," Mr. Ryan said. "He was connected to key people in other agencies."

* Many other connections also inadvertently exposed personal data, including their home addresses and photos of their families.

He added that he was surprised about the success of the effort, especially given that Ms. Sage's profile was bristling with what should have been red flags.

"Everything in her profile screamed fake," he told The Times. She claimed to have 10 years' experience in the cyber security field - which would mean that she entered it at age 15 - and there is no such job as "cyber threat analyst" at the Naval Network Warfare Command. Even her name is taken from the code name of an annual U.S. special-forces military exercise, as a two-second Google search establishes.

Several people with whom she attempted to connect spotted the fakery, Mr. Ryan said. "I was pretty much busted on Day Two." He said some people with whom Ms. Sage tried to connect took simple precautions such as trying to call the phone number she provided, or asking her to e-mail them from her military account. Others checked public records on her purported National Security Agency information security qualification or reviewed the college alumni network for the Massachusetts Institute of Technology, where she claimed to have been educated.

David Wennergren, the deputy chief information officer for the Department of Defense, said in an e-mail that the answer was to continue the Pentagon's effort to "ensure our folks are well trained on responsible use of the Internet - at work and home."

"We should address the behavior, not abandon the tool."

But Paul Strassmann, a professor at George Mason University who was the Pentagon's director of defense information in the early 1990s, said the unrestricted use of social networking by Defense Department personnel poses unacceptable risks.

Mr. Strassmann, who said he was recently engaged by a U.S. agency he declined to name to help develop a policy on social networking, added that it didn't matter that the security breaches in the case were unintentional. "In intelligence, many of the most important leaks are inadvertent."

Another person involved at a senior level in the U.S. military's cyber security efforts, who asked for anonymity because he was not authorized to speak about the case, called it "an object lesson in the dangers of social networking."

"People feel they are safe" on the Internet, he said, but in reality, "it is a perfect environment for preying on people's weaknesses."

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Monday, July 19, 2010

ERM-BC-COOP: Do my job for me

Dear All
Can you please provide me with a risk management report or risk assessment report or any report to identify risks in the bank.
(Name withheld to protect the guilty)

The above was posted to - well what is supposed to be - a professional list.

Note the petitioner is not asking for help or how to go about the task at hand; he is looking for a check list.

"I don't have time to look around the organization to see what risks might be lying in wait. I don't have time to check the regulatory agencies and their examining arm (FFIEC) to see what they might think appropriate to consider."

Call me a curmudgeon, but I chose to ignore the plea. Actually, I showed unusual restraint - I didn't flame the lad. I save that - flaming - for people who pretend to know what they are doing; this tyro, correctly, never made that claim.

I get frustrated both by organizations that engage tyros for jobs best left to experienced practitioners, and by the tyros who take on these jobs. Actually, if a tyro undertakes - and that may be a very appropriate word in this instance - such a job and makes an effort to self-educate before appealing to the lists, I'm inclined to lend whatever limited knowledge I've acquired over a baker's dozen years in the field.

We have lost a valuable resource - the DRJ Forum. It's been down so long I wonder if it will, like the phoenix, ever rise from the ashes. We're left with the Blog - a rather off-putting name, "blog" - several lists, and a few relevant non-commercial Web sites.

There seem to be more and more of these "innocents thrown to the wolves" of late. Maybe it is because of the economy; people looking for cheap product. As a wordsmith, rest assured I use the word "cheap" with its worst connotation. (There's a difference between "cheap" and "inexpensive" or the "cost effective" euphemism.) As the old grammatically incorrect saw goes: "You get what you pay for."

At least I know if the lad is working for a bank in the U.S. whatever he does will be critiqued by someone from FFIEC; hopefully, for the lad's sake as well as the bank's, the examiner will be knowledgeable. A good examiner - auditor - is worth his, or her, weight in gold.

Knowing that there IS someone to cover the lad's (and the bank's) assets only slightly mollifies my umbrage at once again being asked to put my expertise to work for a person apparently too lazy to do anything on his own other than to ping a list.

If we continue to tolerate this we truly will be a Rodney Dangerfield* profession.

COMMENTS ARE WELCOME but must be in English; all others will be rejected.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Friday, July 16, 2010

ERM-BC-COOP: BSI to compare DHS BCM standards


Reston, VA -- 07/15/2010 -- BSI is hosting an important free webinar on July 20, 2010 at 1:00 pm ET to review the three Business Continuity Management (BCM) standards recently adopted by the Department of Homeland Security for the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).

BSI’s Product Manager for the Americas, Robert Whitcher, will provide a brief overview of three standards, BS 25999, NFPA 1600 and ASIS SPC-1, and discuss some of the similarities and differences among BS 25999, NFPA 1600 and ASIS SPC-1.

Business Continuity Management helps organizations minimize the risks involved in the event of disruption of business. With a certified BCM plan in place, businesses develop resilience and recovery strategies that protect staff, preserve the organization’s reputation and provide the ability to continue operating during the most challenging and exceptional circumstances.

To register for this free webinar, go to

According to the blurb on the registration page, "Robert Whitcher, BSI’s Product Manager for the Americas, will provide a brief overview of three standards the United States Government has chosen for their Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-PREP). He will discuss some of the similarities and differences among BS 25999, NFPA 1600 and ASIS SPC-1. Come prepared to ask questions so you can determine which standard is right for your organization.

"Whitcher is the Americas Product Manager for IT Service Management (ISO/IEC 20000), Information Security Management (ISO/IEC 27001) and Business Continuity (BS 25999) at the BSI. He is an Information Security and IT professional with over 34 years experience within the IT industry and more than 24 years experience in Information Security, Privacy and Business Continuity."

It will be interesting to see

    (a) how neutral the presentation will be

    (b) if it will address enterprise risk management (vs. just IT D/R)

    (c) if it will be made clear that DHS accepts NFPA 1600 and ASIS SPC-1 as well as the British BS 25999.

Caveat: Having last looked at BS 25999-1 and -2 in draft form, I am less than enthusiastic about the British standard. My main problem with BS 25999 - and I have several issues with the document - is that the draft version failed to mention avoidance or mitigation, two key components of risk management. (It may have been corrected before the final release.)

BSI is trying very hard to turn BS 25999 into "the" business continuity management standard with an International Standards Organization ID, this despite NFPA's acceptance well beyond the borders of the United States.

The Webinar should prove interesting.

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood - Fort Lauderdale Florida

Thursday, July 15, 2010

ERM-BC-COOP: Responsibility (liability) does not stop at the door


Store may be liable for attack in parking lot, rules Indiana Supreme Court [Lawyers USA]

From AdvisenFPN

A grocery store may be liable for a criminal attack upon a customer in its parking lot, even though the store was allegedly located in a "low-crime" area, the Indiana Supreme Court has ruled in affirming the denial of summary judgment.

Read entire article linked from above URL.

Wednesday, July 14, 2010

ERM-BC-COOP: Risk of not "going green"


"Going Green" is good PR, good for the environment, and good for the bottom line.

FAILING to go green might be a serious risk to the bottom line.

I was reminded that "environment as a risk" means more than just protecting against floods, hurricanes, tornadoes, earthquakes, sink holes, and the like when I read an article from AdvisenFPN at titled "Biodiversity Inches Up the Corporate Agenda".

The article cited a study that is part of a series titled The Economics of Ecosystems and Biodiversity, a joint initiative by industrialized nations and the United Nations Environment Program intended to draw attention to the global economic benefits of fostering biodiversity.

The leed (cq) paragraph gave four examples of companies profiting by being kind to Mother Nature:

"The report said that Wal-Mart, for example, had sought to eliminate excess product packaging, reducing its disposal expenses while increasing its customer numbers and business revenues. The mining company Rio Tinto has made progress by starting offset projects in Madagascar, Australia and North America, news-media materials accompanying the report said. The energy company BC Hydro was singled out for a policy of no net incremental ecological impact, and Coca-Cola aims to become water neutral by 2020, the materials said."

As governments, both national and "world," become more and more "environmentally aware," they are insisting that organizations that have a cavalier attitude toward nature clean up their act "or else"; the "or else" often being hefty fines.

This is not particularly new in the U.S., but the enforcement seems to be stricter; the governments are trying to avoid future Love Canal situations (see

Even when penalties are too small to seriously impact an organization's budget, there is another issue to consider: public relations; image.

Wal-Mart is very PR conscious. It has to be not only to retain its fickle customer base - after all Target and Kmart are more than willing to accommodate Wal-Mart shoppers - but in order to win community support for new stores in otherwise mega-mart free areas, a problem it encountered on several occasions recently.

While it may be true that enforcement levels vary by jurisdiction and the party in power, the environment-friendly laws are on the books and can be enforced.

The PR value of environmental concern is a two-sided coin.

Failing to implement good environmental practices can lead to fines and, more importantly, loss of stock holder and lender confidence and loss of customers.

Having, and promoting, good environmental practices - much like having and promoting an enterprise risk management plan or SOX effort - can enhance the bottom line by giving customers and stock holders a "warm fuzzy feeling" about the organization.

Having good environmental practices, like having a viable enterprise risk management plan, is just good business, and one that could enhance the bottom line.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Monday, July 12, 2010

ERM-BC-COOP: Pays to Protect People


This article, of general interest to all Enterprise Risk Management/Business Continuity professionals, has been removed from the Blog as the result of a copyright infringement claim.

Rather than send a courtesy letter requesting the article's removal - a request that would have been immediately accommodated - the copyright holder's first action was to file a suit in US District Court for the District of Nevada.

John Glenn, MBCI

ERM-BC-COOP: Airbus facility certified


I read this morning (July 12, 2010) that "Airbus has become the first aerospace manufacturing company with certification to BS 25999, the Business Continuity Management System standard. BSI Group, the London-based standards developer, performed the audit. The Airbus unit achieving certification is a wing manufacturing site in Broughton, England."

A couple of thoughts.

While I am glad to see at least one unit of Airbus Industries (the wing manufacturing site in Broughton, England) achieving certification, and while wings are important, what about the rest of the aircraft? Minor things such as the fuselage, the tail assembly, the engines, the electronics and electrical system. Sometimes bragging about something opens a Pandora's box of questions. In any event, the certification is for the facility, not necessarily the parts made there.

The other thing - and actually the thing that first caught my attention - was the brash statement that "BS 25999 (is) the Business Continuity Management System standard."

I think that needs a qualifier - it may be the British Business Continuity Management System standard, but the Business Continuity Management System standard may be a bit of wishful BS thinking.

I know the British Standards Institute (BSI) is pushing very hard to make BS 25999 an international standard, but even when it gains an ISO ID, as it surely will, there still will be a question about the "international" part of the name.

The US has NFPA 1600 which, in my opinion, is more of a true, all-inclusive risk management document than what I have seen of BS 25999-1 and -2. The Canadians adapted 1600 to their unique requirements (what are country-unique requirements, anyway - risks are risks and avoidance and mitigation measures are just that, regardless of country; likewise response efforts are based on the function to be restored, not the country in which the function is located). ANZ has its own standard as does Japan - neither of which is BS 25999-1/-2.

I have nothing against a common standard and maybe, deep down, I'm a little chauvinistic, but even though I am a member of the BCI - often misconstrued as the "British" (vs. "Business") Continuity Institute - I have a problem with BS 25999.

When I reviewed BS 25999 I found it sorely lacking; the word "mitigation" failed to appear even one time in the draft documents. The set seemed to me more than a little "padded" to reach a desired page count and the language, typical for Europe and the island, was passive - in contrast to the typically active voice in the US and Canada; I can't speak for ANZ and Japan.

For all that, it's good to know that the British-made wing assemblies for Airbus aircraft are from a BS-certified facility.

John Glenn, MBCI
Enterprise Risk management practitioner
Hollywood - Fort Lauderdale Florida