Enterprise Risk Management

Report: Most InfoSec Professionals Think Their Companies’ Security Solutions Are Outdated
https://sm.asisonline.org/Pages/Report--Most-InfoSec-Professionals-Think-Their-Companies’-Security-Solutions-Are-Outdated.aspx
Category: Cybersecurity | Published: 2017-07-14 | By Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)

A majority of information security professionals said they believe some of their organizations’ existing security solutions are outdated and inadequate, according to a new report released this week.

The Need for a New IT Security Architecture: Global Study (https://www.citrix.com/content/dam/citrix/en_us/documents/analyst-report/ponemon-security-study.pdf), sponsored by Citrix and conducted by the Ponemon Institute, is a three-part report that surveyed 4,268 IT and IT security practitioners in 14 countries to find out why security practices and policies need to evolve to deal with threats from disruptive technologies, cybercrime, and compliance.

In response, 69 percent of respondents said their organizations’ security solutions are outdated and inadequate, making them unable to manage emerging risks.

“What is needed, according to 74 percent of respondents, is a new IT security framework to improve their security posture and reduce risk,” the report found. “A new strategy is especially important in order to manage such potential risks from the Internet of Things (IoT).”

The report also found that 83 percent of respondents think their organization is at risk of a security breach because of the complexity of business and IT operations.

“Business and IT complexity are leading to more employees circumventing security policies and sanctioned apps,” wrote Stan Black, CISSP, chief security officer and vice president of Citrix, in a blog post (https://www.citrix.com/blogs/2017/01/10/ninety-nine-problems-and-security-is-the-biggest-one/). “Bottom line, if it’s too complex, employees will find a way around it in order to do their jobs effectively and according to their own preferences.”

Additional factors that respondents said are putting their organizations at risk include:

- The growth of data assets (78 percent)
- Integration of third parties into internal networks and applications (76 percent)
- Silos and the lack of collaboration between IT security and lines of business (76 percent)
- Inability to secure access rights (74 percent)
- Inability to integrate disparate technologies (67 percent)
- Lack of funding to support cyber defense (67 percent)

To address these concerns, the respondents said their organizations’ new IT security infrastructure should include technology for identity and access management (78 percent), machine learning (77 percent), and configuration and log management (76 percent), among other technologies.

Black agreed with this assessment and wrote that virtualization, containerization, and enterprise mobility management and visibility will be needed to get employees to follow security rules.

“Containerization affords employees anytime, anywhere access on their device of choice while still protecting any apps and data accessed,” he explained. “Virtualization allows for information to be delivered at the pixel level, ensuring it doesn’t leave the data center. Combined, using these can significantly reduce the available attack surface, since information is delivered only via the secure channel and can be revoked or removed at any time.”

Black also suggested companies adopt identity and access management protocols to create trust and grant access based on contextual awareness.

“Without it, your business will be stuck in the dark ages as more new technologies surface in the workplace,” he wrote.

To read all three The Need for a New IT Security Architecture reports, visit Citrix’s landing page (https://www.citrix.com/it-security/resources/ponemon-security-study.html).

Enterprise Risk Management

- Report: Most InfoSec Professionals Think Their Companies’ Security Solutions Are Outdated (2017-07-14): https://sm.asisonline.org/Pages/Report--Most-InfoSec-Professionals-Think-Their-Companies’-Security-Solutions-Are-Outdated.aspx
- NIST Releases Digital Identity Guidelines (2017-06-23): https://sm.asisonline.org/Pages/NIST-Releases-Digital-Identity-Guidelines.aspx
- Book Review: Info Risk (2017-05-01): https://sm.asisonline.org/Pages/Book-Review---Info-Risk.aspx
- The Roots of Risk (2017-05-01): https://sm.asisonline.org/Pages/The-Roots-of-Risk.aspx
- Facebook Takes Action To Limit Spread of Propaganda (2017-04-28): https://sm.asisonline.org/Pages/Facebook-Takes-Action-To-Limit-Spread-of-Propaganda.aspx
- Five Events That Shaped Crisis Management (original title: Cinco Acontecimientos que Moldearon la Gestión de Crisis) (2017-04-12): https://sm.asisonline.org/Pages/Cinco-Acontecimientos-que-Moldearon-la-Gestión-de-Crisis.aspx
- ERM Best Practices (2017-04-01): https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx
- Book Review: Enterprise Risk Management (2017-03-29): https://sm.asisonline.org/Pages/Book-Review---Enterprise-Risk-Management.aspx
- Lessons in Liability (2017-03-01): https://sm.asisonline.org/Pages/Lessons-in-Liability.aspx
- SM Online February 2017 (2017-02-01): https://sm.asisonline.org/Pages/SM-Online-February-2017.aspx
- Trade Secrets 2.0 (2017-02-01): https://sm.asisonline.org/Pages/Trade-Secrets-2.0.aspx
- Book Review: Secrets (2017-01-01): https://sm.asisonline.org/Pages/Book-Review---Secrets.aspx
- December 2016 Industry White Papers (2016-12-01): https://sm.asisonline.org/Pages/December-2016-Industry-White-Papers.aspx
- Book Review: Security Matters (2016-12-01): https://sm.asisonline.org/Pages/Book-Review---Security-Matters.aspx
- Metrics and the Maturity Mindset (2016-12-01): https://sm.asisonline.org/Pages/Metrics-and-the-Maturity-Mindset.aspx
- What If It’s Real? (2016-11-01): https://sm.asisonline.org/Pages/What-If-It’s-Real.aspx
- Book Review: COSO ERM (2016-11-01): https://sm.asisonline.org/Pages/Book-Review---COSO-ERM.aspx
- Bringing Clarity to Chaos (2016-10-01): https://sm.asisonline.org/Pages/Bringing-Clarity-to-Chaos.aspx
- CSO Center’s Petri Ponders a Matter of Trust (2016-09-13): https://sm.asisonline.org/Pages/CSO-Center’s-Petri-Ponders-a-Matter-of-Trust.aspx
- Compliance Trends (2016-09-01): https://sm.asisonline.org/Pages/Compliance-Trends.aspx

You May Also Like...

ERM Best Practices
https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx
Category: Strategic Security

With the rise of Enterprise Risk Management (ERM) programs in the security field, some leaders are on the hunt for ERM best practice guidance resources. One recent report, courtesy of the U.S. government, contains guidance that may be applicable to private sector security operations.

Last year, the U.S. Office of Management and Budget (OMB) called on federal agencies to implement ERM so that federal managers could more effectively manage risks that could affect agency strategic objectives. Given OMB’s call, the U.S. Government Accountability Office decided to update the government’s risk management framework and identify good practices that some agencies have been using.

The new report, Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk, identifies six components of successful ERM programs, and then describes best practices that apply to each.

The six components and their best practices are as follows:

Element One: Align the ERM process to goals and objectives.

Senior leaders are fully engaged and committed to the ERM process, and they support how ERM contributes to the agency’s goal-setting process. This engagement helps demonstrate the importance of ERM to agency staff.

Element Two: Identify risks.

Successful agencies develop an organizational “risk-informed” culture in which employees are encouraged to identify and discuss risks openly. This openness is critical to ERM success.

Element Three: Assess risks.

Successful agencies can integrate prioritized risk assessments into their strategic planning and organizational performance management processes. This integration of risk assessments helps improve the budget process, resource allocation planning, and other aspects of operations.

Element Four: Select risk response.

Successful agencies establish an ERM program that is customized to fit their particular operations. Once established, risk factors are regularly considered, and leaders select the risk response that is most appropriate for the structure and the culture of the agency.

Element Five: Monitor risks.

Successful agencies are able to continuously manage risk by conducting the ERM reviews on a regular basis. Leaders also monitor the selected risk response with performance indicators that allow the agency to track results and the response’s impact on the mission. Leaders can then determine if the risk response is successful or if it requires additional actions.

Element Six: Communicate and report on risks.

Sharing risk information and incorporating feedback from internal and external stakeholders helps organizations better identify and manage risks. It also increases transparency and accountability to Congress and taxpayers.
Practical Handbook for Professional Investigators, 3rd edition
https://sm.asisonline.org/Pages/Practical-Handbook-for-Professional-Investigators-3rd-edition.aspx
Category: Strategic Security

Practical Handbook for Professional Investigators, 3rd edition. By Rory J. McMahon. CRC Press; crcpress.com; 580 pages; $99.95.

Author Rory McMahon began his career as a probation officer in 1973 and he hasn’t stopped since. Today he is a successful investigator in the private sector and his book, Practical Handbook for Professional Investigators, displays his expertise. His style, approach, and methodologies reflect years of hard work and immense experience. Without reservation or any sense of hesitation, he puts his extensive knowledge to excellent use. Starting with the fundamentals, he walks the reader through topics ranging from interviews and interrogations to ethics and the operation of one’s own investigative agency. Though in places a tad disorganized, the book is a compelling and largely useful work.

McMahon boldly states in his preface, “This book is designed for individuals studying to become investigators, as well as investigators of all types and with all levels of experience.” [Reviewer’s emphasis]. That’s a promise he clearly has some trouble fulfilling. Indeed, this is an excellent reference for those studying to become professional investigators; however, those with extensive experience may be disappointed. For example, in the chapter titled “Fraud Investigations,” he offers “10 basic rules in fraud investigations.” The first rule is “Never overlook the obvious!” and the last is the useless “Detecting fraud is hard work.” Such banality will certainly bore some readers. Later on, McMahon attempts to sell the reader a prescription for investigating “boiler rooms” and “telemarketing fraud”—really.

Aside from these minor shortcomings, the author does a good job. He effectively lays out the fundamentals and guides the reader through the many types, forms, and methods of professional investigations in the private sector. As a reference and text for the novice or student, it is an excellent resource, but for the experienced fact-finder, there is a lot more to choose from.

Reviewer: Eugene F. Ferraro, CPP, PCI, CFE (Certified Fraud Examiner), SPHR (Senior Professional in Human Resources), is a member of ASIS International and currently sits on the ASIS Standards and Guidelines Commission.
Compliance Trends
https://sm.asisonline.org/Pages/Compliance-Trends.aspx
Category: Strategic Security

In recent years, security professionals have been bombarded with rules and regulations on corruption as well as court rulings on discrimination and harassment. The upcoming compliance trend centers around safety and health. A new rule on reporting workplace fatalities, injuries, and illnesses will bring workplace safety practices under scrutiny. Almost 5,000 U.S. employees were killed at work in 2014, a 5 percent increase from the number of reported fatal work injuries in 2013. And nearly 3 million people experienced a workplace injury or illness in 2014, according to the U.S. Department of Labor’s (DOL) Bureau of Labor Statistics (BLS).

To make data about these incidents more accessible to the public, the DOL’s Occupational Safety and Health Administration (OSHA) issued a final rule, Improve Tracking of Workplace Injuries and Illnesses, in May 2016, that requires many employers to electronically submit information about workplace injuries and illnesses to the government. The government, in turn, will then make this information available online in a public database.

“Since high injury rates are a sign of poor management, no employer wants to be seen publicly as operating a dangerous workplace,” Assistant Secretary of Labor for Occupational Safety and Health Dr. David Michaels said in a statement. “Our new reporting requirements will ‘nudge’ employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers, and the public that they operate safe and well-managed facilities.”

Additionally, Michaels said that greater access to injury data will also help OSHA better target compliance assistance and enforcement resources to “establishments where workers are at greatest risk, and enable ‘big data’ researchers to apply their skills to making workplaces safer.”

What’s in the new rule?

Under the Occupational Safety and Health Act of 1970, employers are responsible for providing a safe workplace for employees. As part of this act, OSHA already required many employers to keep a record of injuries and illnesses, identify hazards, fix problems, and prevent additional injuries and illnesses.

Under the new rule, all employers with 250 or more employees at a single facility covered by the recordkeeping regulation must electronically submit injury and illness information to OSHA in three forms: 300 (log of work-related illnesses and injuries), 300A (summary of work-related illnesses and injuries), and 301 (injury and illness incident report).

OSHA argues that, together, these forms will paint a picture of the number of injuries, number of fatalities, lost time, total lost days, total restricted work days, and the total number of employees at each location of a company.

And OSHA will be able to use it to answer certain questions. For example, within a given industry, what are the characteristics of establishments with the highest injury and illness rates? What are the characteristics of establishments with the lowest rates of injuries and illnesses? What is the relationship between an establishment’s injury and illness data and data from other agencies?

Facilities with 20 to 249 employees in certain high-risk industries will also be required to submit information from form 300A electronically. These are 67 industries identified by OSHA that have historically high rates of occupational injury and illness, including manufacturing, construction, urban transit systems, utilities, and more.

The requirement for facilities to submit the 300A summaries electronically goes into effect on July 1, 2017. If required, facilities must submit forms 300 and 301 electronically by July 1, 2018, and will be required to submit all three forms electronically by March 2, 2019.

OSHA will upload this data, after ensuring that no personally identifiable information is included, to a publicly accessible database. The details of the database, however, have not yet been released because OSHA is still creating it.

OSHA’s mission is to protect the safety and health of workers. This new rule, OSHA’s Office of Communications tells Security Management, will support that mission.

First, as previously noted, access to injury data will help OSHA better target compliance assistance and enforcement resources to establishments where workers are at greatest risk.

“The final rule’s provisions requiring regular electronic submission of injury and illness data will allow OSHA to obtain a much larger data set of more timely, establishment-specific information about injuries and illnesses in the workplace,” the rule says. “This information will help OSHA use its enforcement and compliance assistance resources more effectively by enabling OSHA to identify the workplaces where workers are at greatest risk.”

One example OSHA gives in the rule itself is that the data will help it identify small and medium-sized employers who report high overall injury and illness rates for referral to its consultation program.

“OSHA could also send hazard-specific educational materials to employers who report high rates of injuries or illnesses related to those hazards, or letters notifying employers that their reported injury and illness rates were higher than the industry-wide rates,” the rule explains.

The practice of sending high-rate notification letters, for instance, has been associated with a 5 percent decrease in lost workday injuries and illnesses in the following three years, OSHA says.

OSHA also maintains that publicly disclosing work injury data will encourage employers to prevent work-related injuries and illnesses.

The new reporting requirements are also designed to save government time and money. The agency believes that the new rule will convince “employers to abate hazards and thereby prevent workplace injuries and illnesses, without OSHA having to conduct onsite inspections.”

What else does the rule do?

Along with the electronic reporting requirements, the rule also reemphasizes whistleblower provisions for employees to report injury and illness without fear of retaliation.

“The rule clarifies the existing implicit requirement that an employer’s procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting,” the office explains. “It also incorporates the existing statute that prohibits retaliation against employees for reporting work-related injuries or illnesses.”

Including the term “reasonable” is new for OSHA, says Edwin Foulke, Jr., partner at Fisher Phillips who cochairs the firm’s Workplace Safety and Catastrophe Management Practice Group and who was the head of OSHA from 2006 to 2008.

“Before, you were required to make sure that your employees knew that there was a system to report,” he adds. Now, however, OSHA requires that that system be a reasonable one.

While it is unclear how exactly OSHA is defining “reasonable,” it does explain in the rule that “for a reporting procedure to be reasonable and not unduly burdensome, it must allow for reporting of work-related injuries and illnesses within a reasonable timeframe after the employee has realized that he or she has suffered a work-related injury or illness.”

If employers are caught discouraging employees from reporting illness or injury, they can be cited by OSHA for retaliation. “Before, the employee had to file a complaint. Now, for an employer to get cited and to be penalized, OSHA can do that in an inspection under this new standard,” Foulke says. “So this is a whole new area, and they’re going to be looking.”

Actions that could be considered retaliation include termination, reduction in pay, reassignment to a less desirable position, or any other adverse action that “could well dissuade” a reasonable employee from making a report, the rule explains.

OSHA also has taken the stance in the rule that “blanket post-injury drug testing policies deter proper reporting” of workplace injuries and illnesses. Because of this, the rule prohibits employers from using drug testing—or the threat of drug testing—as a form of adverse action against employees who report injuries or illnesses.

“To strike the appropriate balance here, drug testing policies should limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident, and for which the drug test can accurately identify impairment caused by drug use,” the rule says.

For instance, OSHA says it would not be reasonable to drug-test an employee who reports a bee sting or a repetitive strain injury.

“Such a policy is likely only to deter reporting without contributing to the employer’s understanding of why the injury occurred, or in any other way contributing to workplace safety,” OSHA explains.

However, if workers’ compensation laws require an employer to conduct drug testing, then this type of drug testing would not be considered retaliatory, OSHA adds.

What should employers do?

Because of potential liability and opportunities for citations, Foulke recommends that companies take several actions in response to the new rule.

For instance, employers should look at how they advise their employees to report injuries and illnesses under the record keeping standard. OSHA has said that companies can meet this requirement by posting the “Job Safety and Health—It’s the Law” workers’ rights poster from April 2015.

Employers should make sure that their reporting process is “reasonable and doesn’t somehow discourage people, because, if it is, they are going to get cited for it and maybe open themselves up to a whistleblower retaliation claim,” according to Foulke.

A whistleblower retaliation claim could be likely because this is an issue that OSHA has been increasingly focused on during the Obama administration’s second term, he says.

Employers also need to know their rights during an OSHA inspection, a process that many are unfamiliar with. For example, Foulke says that when OSHA comes in to do an inspection based on a complaint it has received, it will frequently attempt to expand the visit into a “wall-to-wall” inspection.

“If the employer doesn’t assert their rights and allows a wall-to-wall, then potentially they could have many more citations,” Foulke explains.

Additionally, the business community has expressed concerns that the new rule will force them to publicly reveal secret business details that were previously considered privileged and confidential.

“When you fill out the 300 logs and also the 300A summaries, they are going to talk about departments and processes—especially in the 301, you may have some information that may be somewhat proprietary,” Foulke says. “Employers are going to have to be very careful about what they put when they’re submitting their data, that they basically look and provide only the minimum that they are required to provide.”

And employers should also recognize how the data they submit to OSHA may be used once it is publicly available. This is because using the information from the 300 and 301 forms, analysts will be able to determine the death, injury, and illness rate of a particular company to compare it to the industry average.

“Now that data could be used by union organizers who want to try to organize a company to show how bad at safety they are,” Foulke explains. “They can take that data and say, ‘Look how many injuries and illnesses this company has.’”

“Plaintiffs’ lawyers could look at it and say, ‘Look at this company. They have all these injuries there. Obviously something is going on there, so I need to go out to that plant, find one of those employees who got injured, and throw a class action against the company for all these injuries,’” Foulke says.