Effective IT Risk Management for Small Businesses


A Small Business Gets Some Lessons in IT Risk Management

Although large and publicly traded companies often get the most attention, small, private, entrepreneurial businesses contribute significantly to driving the Canadian economy. Small businesses make up 98.2% of all Canadian businesses [1]. As with most companies today, they rely heavily on information technology (IT) to support their back office and operations, and to give them a presence larger than their size in delivering competitive goods and services to local customers or in entering global markets. Managing IT risks is therefore critical to their survival and success. Many small business owners have embraced technology, but some are still discovering the risks involved. Come join Gabriel Schmidt, our fictional owner of a small business, as he deals with an IT crisis and learns valuable lessons along the way.

Gabriel Schmidt is a successful entrepreneur who has passionately grown FSG Inc. into a company with annual earnings of $2.5 million. FSG, which stands for Fire Safety Gear, manufactures special safety equipment used by firefighters. He started his business five years ago and currently has 15 employees. Gabriel's business has been growing rapidly, and he was recently listed as one of the top 250 Canadian entrepreneurs in a popular business magazine. Gabriel was looking forward to the gala dinner, where he would be presented with an award in front of all his peers. After a profitable year of hard work, he was even thinking of taking a vacation in the Caribbean with his wife.

As Gabriel was contemplating his company's success, an urgent call came from his operations manager, Carlos Santos, who wanted to meet with him immediately. As Carlos explained the emergency, Gabriel's optimism began to evaporate. The company's main servers had crashed early that morning. The servers that supported all operations, including manufacturing, purchasing, finance and customer service, had all failed. Even e-mail was unavailable. Carlos and his team had been trying all day to fix the problems.

Gabriel asked Carlos about his plan to recover the systems. Surely the data had been backed up and could be loaded onto new servers, and the company would be back in business within hours. Carlos revealed that the data might not have been backed up. The IT contractor in charge of the servers had left FSG a month ago because he was unhappy that he had not been given the rate increase he wanted. His replacement had just been hired but would not be starting until next week.

Gabriel was speechless. How was it possible that they had suddenly lost all their computer operations and data? His mind reeled with questions. What could have caused the servers to fail? Was it a virus? Or was it a cyber-attack from his competition? Since the magazine article about his company had been published, he had been getting a lot of congratulatory calls, some of them from his competitors. Could they have had a hand in this? Was it possible that the new intern they had hired from the technology college had gone in and tinkered with the servers, either intentionally or accidentally? Was it possible that the disgruntled IT contractor had compromised the server files? FSG had not changed the passwords to its remote access system since the IT contractor left last month. How about backups? Why had the operations team not been diligent about making sure there were adequate and regular backups? Hadn't staff figured out a business continuity plan for FSG? Gabriel felt guilty about this. He had heard about the importance of business continuity planning at the last small business conference he had attended; however, he had gotten so busy that he had failed to mention it to his operations department. How was he going to continue operating his business, follow up with his customers, or pay his staff? How would FSG compile the financial data needed for tax purposes, for supporting workers' compensation premiums, or for the banks as part of their regular debt covenant reporting?

[1] Industry Canada, Small Business Statistics, August 2013 report.

Gabriel needed help. He wanted to know what he should do to fix the immediate problem, and he wanted to know how to make sure that an IT crisis never happened again. Gabriel knew that RRJL, his local accounting and consulting firm, had CPAs specializing in the technology area. So he called the firm, told them about the problem, and asked them to assist. The firm assigned its top two consultants to assist Gabriel. After reviewing the situation, the consulting team met with Gabriel to discuss the following recommendations.

Immediate Recommendations

1. Meet with key staff to gather as much information as possible about what might have happened, and to determine the immediate impacts of this situation, both internal and external to FSG.

2. Bring in a specialized technology team to examine the FSG servers and determine whether there is any possibility of retrieving or re-creating the data. The team should work with the supplier of the servers and software to identify possible solutions. If retrieval of the data is not possible, it will be necessary to re-create transactional records based on the last good backup, using whatever paper trail there may be. If this situation arises, the consulting team will provide detailed steps in a separate memo.

3. Should the servers and systems become functional, certain steps should be taken to manage any current risks. These actions would include keeping the systems off-line from external access, performing a review for viruses, changing passwords on all access points, and then carefully restoring connectivity once sufficient assurance has been obtained that systems and data are restored, tested and operating as expected.

4. If necessary, develop a communications plan to notify affected parties about what has occurred and what actions are being undertaken, to reassure them that FSG has things under control.

Response from the Server Manufacturer

Gabriel got in touch with the supplier of the servers, who sent technicians to start working on the issue immediately. Fortunately, the technicians were able to find a solution. They found that the servers had been configured to create an automated backup to a separate disk on the server every night. In the past, this data would then have been backed up to removable media and taken off-site. Once it could be estimated at what time the good data existed, it would be possible to segregate and retrieve the good data for recovery purposes. After further investigation, it was found that the data was fine the previous night up until 10:17 p.m. The servers were then restored back to that time. Since there had not been any transactions overnight, FSG staff had been able to capture today's activities on paper and could now input the transactions into the recovered systems. Gabriel finally breathed a sigh of relief.

Call for Advice for the Future

Gabriel now wanted to take proactive steps to prevent a similar incident from happening again. He asked the RRJL consulting team for guidance about what IT risks he should be aware of, and what measures he should consider to better manage and mitigate these risks. The consultants provided Gabriel with the top seven issues that he should attend to in order to manage his technology risks. They qualified their recommendations by stating that there is no guarantee that the following strategies would prevent any incidents from happening again. They would, however, help Gabriel and FSG better mitigate the potential risks, and be more prepared to deal with such incidents if they ever did happen in the future. Gabriel specifically requested that the consulting team keep the recommendations simple and actionable so that he and his staff could easily understand them.

Top Seven Issues and Recommendations

The consultants presented Gabriel with the following issues, the potential risks and implications of these issues for FSG and other small businesses, and recommendations or possible solutions to help mitigate these risks.

1. Having a Business Continuity Plan is Essential

The issue: As the server crash incident indicated, FSG did not have a proper IT Disaster Recovery Plan (DRP) to support business continuity. The operations department may have lacked the sophistication to develop and maintain a DRP that sufficiently reflected the company's system availability requirements, or it may not have planned adequately to ensure such availability.

The risks: There is a risk that a business may not be able to continue if a system disruption happens for any of the following reasons: [2]
- Equipment failure
- Disruption of power supply or telecommunications
- Application failure or corruption of the database
- Human error, sabotage or strike
- Malicious software
- Hacking or other Internet attacks
- Social unrest or terrorist attacks
- Fire
- Natural disasters

The solutions: For the initial draft of a DRP, FSG may benefit from engaging a professional who can help it determine what its needs are and develop procedures that can readily be acted upon. These procedures should include a cycle of backups of key systems and data. After the initial draft, FSG operations personnel could then keep the plan up to date in-house. Responsibility for performing these procedures needs to be specifically assigned, and a senior employee needs to check periodically to ensure that they are being performed and kept current. FSG may consider outsourcing backup processes to an external cloud service provider, who will be able to back up data through the Internet. Business continuity planning is not only the responsibility of the employees responsible for systems; in order to make it work, key employees in all business areas have to engage at some level with the plan.

2. Effective Management of IT Vendors is Needed

The issue: Small businesses tend to rely too heavily on contractors or third-party vendors to perform IT functions and support for them. This is true for FSG.

The risks: With such arrangements, there is sometimes the risk of an inadequate legal contract that fails to communicate the expectations, service level agreements, policies and standards needed to meet the organization's requirements. This includes protection if the vendor is developing software specific to its customers and either stops operating or terminates the contract, and the customer does not have the original software (source code) to be able to maintain it further. Without proper professional review of new contracts, a company may get locked in to a vendor with no easy termination. There may also be too much trust and reliance placed on individual contractors, and this creates a risk that if a contractor leaves, the company may not have sufficient capacity or cross-training in IT in place to support its activities until a replacement is found. There can also be a lack of understanding of what contractors are doing and not doing, and unfettered remote access may be provided to the vendor without proper access and change controls in place.

The solutions: Possible steps to undertake include the following:
- Before signing the contract with the vendor, have it reviewed by a lawyer who specializes in such contracts.
- Determine your service delivery expectations and find out if the preferred vendor can meet those expectations, including required internal controls.
- Do a reference check, and find out whether the vendor can deliver on your service expectations.
- If utilizing a sole proprietor, ensure that internal oversight personnel are knowledgeable enough to oversee the contractor's work and can potentially fill in for a short time if the contractor were to leave.
- Maintain a list of backup contractors, just in case the main contractor decides to leave.
- Put appropriate controls in place to monitor remote access to your systems.
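Recommendation 1 above calls for a cycle of backups of key systems and data, with someone specifically assigned to perform it and a senior employee checking periodically that it is actually happening; the recovery described under "Response from the Server Manufacturer" worked only because a nightly copy existed and its last good state could be dated. The following Python script is an added example, not code from the CPA Canada publication or from FSG, showing what that periodic check can look like in practice. It assumes the data to protect lives in one directory tree, that each nightly backup is a tar.gz archive written to a separate backup location (a second disk, removable media or a cloud target behave the same way here), and that a manifest.json beside the archives records each archive's SHA-256 and creation time, so the check can detect a missing, stale or altered backup without performing a full restore. The sample data, file names and timestamps are constructed.

```python
"""Nightly backup with a recorded hash and a periodic health check.

Added example; not part of the CPA Canada publication. Assumptions: the data to
protect lives in one directory tree, each nightly backup is a tar.gz archive
written to a separate backup location, and a manifest.json beside the archives
records each archive's SHA-256 and creation time so that the periodic check can
spot a missing, stale or altered backup without performing a restore.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 60 * 60  # nightly cycle: a newest backup older than this is stale


def sha256_of(path):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_dir, label, now=None):
    """Archive source_dir into backup_dir/<label>.tar.gz and record it in the manifest."""
    now = time.time() if now is None else now
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source_dir), arcname="data")
    entry = {"archive": archive.name, "sha256": sha256_of(archive), "created": now}
    manifest = backup_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(entry)
    manifest.write_text(json.dumps(entries, indent=2))
    return entry


def check_backups(backup_dir, now=None):
    """The periodic check a senior employee would run; returns a list of findings.

    An empty list means the cycle is healthy: a manifest exists, the newest
    backup is within MAX_AGE_SECONDS, and every listed archive is present with
    the hash that was recorded when it was written.
    """
    now = time.time() if now is None else now
    backup_dir = Path(backup_dir)
    manifest = backup_dir / "manifest.json"
    if not manifest.exists():
        return ["no backup manifest found: the backup job may never have run"]
    entries = json.loads(manifest.read_text())
    if not entries:
        return ["manifest is empty: no backups recorded"]
    findings = []
    newest = max(entries, key=lambda e: e["created"])
    if now - newest["created"] > MAX_AGE_SECONDS:
        findings.append(f"newest backup {newest['archive']} is stale")
    for entry in entries:
        path = backup_dir / entry["archive"]
        if not path.exists():
            findings.append(f"{entry['archive']} is listed in the manifest but missing")
        elif sha256_of(path) != entry["sha256"]:
            findings.append(f"{entry['archive']} hash mismatch: archive altered or corrupted")
    return findings


def demo():
    """Run one cycle on constructed data: back up, check, then corrupt the archive and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "data"
        source.mkdir()
        (source / "orders.csv").write_text("id,qty\n1,10\n")  # constructed sample data
        backups = Path(tmp) / "backups"
        t0 = 1_375_400_000  # constructed fixed timestamp so the run is reproducible
        entry = make_backup(source, backups, "nightly-2013-08-01", now=t0)
        healthy = check_backups(backups, now=t0 + 3600)           # the next morning
        with open(backups / entry["archive"], "ab") as fh:       # simulate media damage
            fh.write(b"\x00")
        corrupted = check_backups(backups, now=t0 + 3600)
        stale = check_backups(backups, now=t0 + 3 * 24 * 3600)   # nobody ran it for days
        return healthy, corrupted, stale


if __name__ == "__main__":
    for name, result in zip(("healthy", "corrupted", "stale"), demo()):
        print(name, result or "OK")
```

The check reports rather than repairs: a stale or mismatched backup is exactly the kind of finding the assigned senior employee needs to see, and the manifest's recorded creation time is what lets you identify the last known-good copy when a restore point has to be chosen. A hash match only proves the archive is what was written; the plan should still include a periodic test restore.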

3. Data Security Needs to be Actively Managed

The issue: FSG may not have the awareness or funds to implement appropriate data security mechanisms.

The risks: Managing data security risk should take into account the potential for accidental loss or display/release of data; intentional or unintentional theft or destruction of data; loss of intellectual property; and lack of compliance with regulatory authorities. The cost of addressing these considerations must be weighed against the direct impact on the bottom line and cash flow.

The solutions: There is value in obtaining professional assistance in reviewing your security posture and in helping to ensure that you are taking advantage of the security features provided in your existing software and network. Implementing security will be more successful if you develop minimum policies and standards that provide direction on how much security you want; again, professional one-time assistance in this area could be valuable. Another possible solution is to outsource security monitoring, as this could be more cost effective than hiring or training someone internally to be your security advisor. Also, it is prudent to communicate the expectations defined in your policy through a general annual security awareness and training program. Finally, you should think about the balance between technical security controls and the strength of your business process and review controls to detect and correct any events that slip through your technical controls.

4. Updated Anti-Virus and Anti-Malware Controls are a Must

The issue: FSG may not have invested in appropriate virus and malware prevention and detection software, or if it has, it may not have kept the software current.

The risks: If malware or a virus affects the systems, there is a potential for data loss, data theft or data corruption.

The solutions: Acquire and install anti-virus programs from a major virus protection vendor (McAfee, Norton) that will perform virus prevention/detection activities and notify FSG of any new updates. It is important to make someone at FSG responsible for making sure that updates are being applied on a regular basis, and that maintenance fees are kept up to date based on the number of users.

5. Access Needs to be Controlled

The issue: FSG does not have a sufficient number of employees/contractors to enable appropriate segregation of duties and to control users with privileged access to the system.

The risks: This increases the risk of processing errors, fraud or lost data.

The solutions: Effective controls are needed to ensure that proper approvals are required for any new requests for system access, and that immediate steps are taken to remove the access of individuals who no longer require it. Furthermore, periodic reviews of access should be conducted to ensure that only approved and current employees/contractors have system access. Individuals should be given access only to the system functions and data that they require to do their day-to-day work. Logs should be maintained for certain key activities within the system, such as failed log-on attempts (three or more), the activities of privileged users, use of certain key commands (adding users, changing access) and updates to specific critical files (payroll, employee information, credit card numbers). Periodic review of these logs should be performed by someone independent of these functions, or by peers in similar functions. If this segregation isn't possible, consider creating special user IDs for activities that only need to be performed periodically, so that the additional access can be more readily logged and reviewed, or outsource the monitoring activities to an external security monitoring firm. Consider asking a professional to help you develop the guidelines around segregation of duties.

6. Cyber Threats Need to be Considered

The issue: We don't know what caused FSG's servers to go down, but the threat of cyber security risks can't be ruled out. With all of the media coverage of cyber attacks, most prudent CEOs are actively trying to understand the implications for their own organizations.

The risks: You may question how many potential threats are actually out there, given that you are a small business and there are bigger and more interesting targets to be pursued. However, you must understand that your small business could be viewed as an easy target, or as an opportunity to use your unprotected network as an entry point to your customers or suppliers.

The solutions: Consider obtaining a professional security advisor to work with you in understanding the potential adversaries and resulting threats against your business, including the threats that are typical in your particular industry. This process would go beyond your financial systems, and would identify the various access points into your systems through the Internet, your website, your different physical locations, and your customer and supply chain partners. You would also want to examine the strength of security controls in any business partners that you allow to access your systems, as they may be the route of attack. Then at least you would know where to direct your limited funds for security.
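Recommendation 5 above lists what the access log review should look for: three or more failed log-on attempts, activity by privileged users, key commands such as adding users or changing access, and updates to critical files such as payroll. The Python script below is an added example, not code from the CPA Canada publication or from FSG, that turns those four criteria into rules and runs them over a small constructed log. It assumes a simple line format of the form "YYYY-MM-DD HH:MM:SS user=<id> event=<TYPE> key=value ..."; a real system (a Windows event log, syslog, or an ERP audit trail) has its own format, so parse_line is the part to replace. The user names, event types, privileged accounts and critical file names are all assumptions for the example.

```python
"""Periodic review of access logs against the criteria in recommendation 5.

Added example; not from the CPA Canada publication. The log format, account
names, event types and critical file names below are constructed for the
example; adapt parse_line and the constants to the system being reviewed.
"""
from collections import Counter, defaultdict

FAILED_LOGON_THRESHOLD = 3                                 # "three or more"
PRIVILEGED_USERS = {"admin", "sysop"}                      # assumed account names
KEY_COMMANDS = {"USER_ADD", "USER_DELETE", "ACCESS_CHANGE"}  # adding users, changing access
CRITICAL_FILES = {"payroll.xls", "employees.db", "cardholders.db"}  # assumed file names

# Constructed sample log covering a single evening.
SAMPLE_LOG = """\
2013-08-01 21:50:03 user=jsmith event=LOGIN_FAILED
2013-08-01 21:50:20 user=jsmith event=LOGIN_FAILED
2013-08-01 21:50:41 user=jsmith event=LOGIN_FAILED
2013-08-01 21:51:05 user=jsmith event=LOGIN_OK
2013-08-01 22:05:11 user=admin event=USER_ADD target=intern1
2013-08-01 22:06:30 user=admin event=ACCESS_CHANGE target=intern1 role=operator
2013-08-01 22:17:00 user=intern1 event=FILE_UPDATE file=payroll.xls
2013-08-01 22:20:00 user=ops1 event=FILE_UPDATE file=orders.csv
2013-08-01 22:21:00 user=ops1 event=LOGIN_FAILED
"""


def parse_line(line):
    """Split one log line into a dict: 'ts' plus every key=value field."""
    date, clock, *fields = line.split()
    record = {"ts": f"{date} {clock}"}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def review(log_text):
    """Return {rule_name: [descriptions]} for every line that matches a review rule.

    Failed log-ons are counted per user across the whole log and reported only
    once the threshold is reached; the other three rules fire per line.
    """
    failed_by_user = Counter()
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event = rec.get("user", "?"), rec.get("event", "?")
        if event == "LOGIN_FAILED":
            failed_by_user[user] += 1
        if user in PRIVILEGED_USERS:
            alerts["privileged_activity"].append(f"{rec['ts']} {user} {event}")
        if event in KEY_COMMANDS:
            alerts["key_command"].append(
                f"{rec['ts']} {user} {event} target={rec.get('target', '?')}")
        if event == "FILE_UPDATE" and rec.get("file") in CRITICAL_FILES:
            alerts["critical_file_update"].append(f"{rec['ts']} {user} updated {rec['file']}")
    for user, count in failed_by_user.items():
        if count >= FAILED_LOGON_THRESHOLD:
            alerts["repeated_failed_logon"].append(f"{user}: {count} failed log-on attempts")
    return dict(alerts)


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On the sample log the review flags jsmith's three failed attempts, both of the admin account's actions, the two access-changing commands, and the update to payroll.xls by the account that was created minutes earlier; the single failed log-on by ops1 stays below the threshold and is not reported. The output is the list the independent reviewer (or the outsourced monitoring firm) works through, so each item carries the timestamp and user needed to follow it up.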

7. IT Risk Mitigation Strategy Should be Deliberate

The issue: Many smaller businesses believe they are successful because they are smaller, more nimble, and not impeded by time-consuming bureaucracy and formal policies. Owners of these companies believe they can effectively manage and stay on top of all activities through their own involvement and the business savvy that led to the success they currently enjoy.

The risks: The risk that comes with an informal approach to IT risk mitigation is that the owner cannot do it all. Staff may not be aware of the risks, and without a formal plan to develop mitigating controls and keep staff informed about them, the company is at risk of lost data, unavailability of systems, errors in processing transactions, and susceptibility to attack from either internal or external parties.

The solutions: As they evolve in size and complexity, companies need to be thoughtful about understanding their IT risks, developing their mitigation strategies and documenting them in a way that can be communicated to and understood by staff. Beyond this basic IT risk register, every business needs to document and communicate certain key positions on how it will address risk, through simple policies and procedures that staff can understand and comply with, and that are then monitored by the owner and senior staff.

Conclusion

As the owner of a small business, Gabriel learned the hard way that he needs to be vigilant about understanding and managing IT risks. This time he was fortunate that things worked out for him, but if he doesn't pay proper attention to IT risks, his hard-earned success could be jeopardized in the future. Following the recommendations he was given will help him better manage his company's IT risks. During his discussion with the RRJL consultants, Gabriel noted other IT areas that he would like to discuss with them after his immediate concerns are resolved. These areas include making decisions related to new systems; development of an IT strategy aligned with the business strategy; and compliance with technology-related regulations such as privacy requirements.

Prepared by: Robert Reimer, CPA, CA and Jodie Lobana, CPA, CA

DISCLAIMER: This publication was prepared by the Chartered Professional Accountants of Canada (CPA Canada) as non-authoritative guidance. CPA Canada and the authors do not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.


IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

Business Continuity and Disaster Recovery Planning

Business Continuity and Disaster Recovery Planning Business Continuity and Disaster Recovery Planning Jennifer Brandt, CISA A p r i l 16, 2015 HISTORY OF STINNETT & ASSOCIATES Stinnett & Associates (Stinnett) is a professional advisory firm offering services

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Moving to the Cloud? DIY VS. MANAGED HOSTING

Moving to the Cloud? DIY VS. MANAGED HOSTING Moving to the Cloud? DIY VS. MANAGED HOSTING 12 Factors To Consider And Why You Should Be Looking for a Managed Hosting Provider For Your Site or Application as You Move to the Cloud Your site or application

More information

always on meet the it department PROPHET managed services ebook Business Group Meet the Always On IT Department

always on meet the it department PROPHET managed services ebook Business Group Meet the Always On IT Department managed services ebook Meet the Always On IT Department meet the always on it department PROPHET Business Group 1 MEET THE ALWAYS ON IT DEPARTMENT As IT gets more complicated it gets easier for the daily

More information

Cyber Insurance White Paper

Cyber Insurance White Paper Cyber Insurance White Paper This document provides an introduction to cyber insurance. This is a modern insurance product in response to modern security problems. Learn how to reduce your premiums. Author:

More information

Cyber Risks and Insurance Solutions Malaysia, November 2013

Cyber Risks and Insurance Solutions Malaysia, November 2013 Cyber Risks and Insurance Solutions Malaysia, November 2013 Dynamic but vulnerable IT environment 2 Cyber risks are many and varied Malicious attacks Cyber theft/cyber fraud Cyber terrorism Cyber warfare

More information

Cyber Risk in Healthcare AOHC, 3 June 2015

Cyber Risk in Healthcare AOHC, 3 June 2015 Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan, Senior Healthcare Risk Management and Data Specialist James Penafiel, Underwriting Supervisor, Insurance Operations CFPC Conflict of Interest -

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Silent Safety: Best Practices for Protecting the Affluent

Silent Safety: Best Practices for Protecting the Affluent Security Checklists Security Checklists 1. Operational Security Checklist 2. Physical Security Checklist 3. Systems Security Checklist 4. Travel Protocol Checklist 5. Financial Controls Checklist In a

More information

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax

More information

The Essential Guide for Protecting Your Legal Practice From IT Downtime

The Essential Guide for Protecting Your Legal Practice From IT Downtime The Essential Guide for Protecting Your Legal Practice From IT Downtime www.axcient.com Introduction: Technology in the Legal Practice In the professional services industry, the key deliverable of a project

More information

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Why. Your business. Needs. a Disaster RecoveryPlan. www.iconz-webvisions.com

Why. Your business. Needs. a Disaster RecoveryPlan. www.iconz-webvisions.com Why Your business Needs a Disaster RecoveryPlan 1 Disaster recovery is something that every business must plan for, but not many think about. A Disaster Preparedness Survey among 900 SMEs in the Asia-Pacific

More information

Internal Control Guide & Resources

Internal Control Guide & Resources Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed

More information

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

Our Business Continuity Solutions Ensure Long-Term Success

Our Business Continuity Solutions Ensure Long-Term Success Hill Country Our Business Continuity Solutions Ensure Long-Term Success Hill Country Our Business Continuity Solutions Ensure Long-Term Success Why Business Continuity Planning Matters Whether you own

More information

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan Revision History REVISION DATE NAME DESCRIPTION Draft 1.0 Eric Wimbish IT Backup Disaster Table of Contents Information

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013 Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory

More information

With a Data Backup Plan, Your Business is Safe. NCGIT.com

With a Data Backup Plan, Your Business is Safe. NCGIT.com With a Data Backup Plan, Your Business is Safe NCGIT.com With a Data Backup Plan, Your Business is Safe 2 NCGIT.com Why do I need a backup and disaster recovery plan? Your company s most valuable asset

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

SECTION 15 INFORMATION TECHNOLOGY

SECTION 15 INFORMATION TECHNOLOGY SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County

More information

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology 6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management Care Providers Protecting your organisation, supporting its success Risk Management Insurance Employee Benefits Investment Management Care providers are there to help those in need. But who helps the care

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

THE CEO S GUIDE TO BUILDING A FAIL-SAFE DISASTER RECOVERY PLAN

THE CEO S GUIDE TO BUILDING A FAIL-SAFE DISASTER RECOVERY PLAN THE CEO S GUIDE TO BUILDING A FAIL-SAFE DISASTER RECOVERY PLAN By Stuart Avera, Executive Vice President Nexxtep Technology Services, Inc. Nexxtep s Leadership Team About Nexxtep 2010 Nexxtep Technology

More information

The 7 Disaster Planning Essentials

The 7 Disaster Planning Essentials The 7 Disaster Planning Essentials For Any Small Business Little-Known Facts, Mistakes And Blunders About Data Backup And IT Disaster Recovery Every Business Owner Must Know To Avoid Losing Everything

More information

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com Whitepaper Best Practices for Securing Your Backup Data BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com DATA PROTECTION CHALLENGE Encryption, the process of scrambling information

More information

Call us today 1300 724 599. Managed IT Services. Proactive, flexible and affordable

Call us today 1300 724 599. Managed IT Services. Proactive, flexible and affordable Call us today 1300 724 599 Managed IT Services Proactive, flexible and affordable We believe technology is at its best when it s invisible. When you can focus on the task you are achieving, not the technology

More information

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN 5 STEPS TO AN EFFECTIVE BUSINESS CONTINUITY PLAN Introduction The Snowpocalypse of 2015 brought one winter storm after another, paralyzing the eastern half of the United States. It knocked out power for

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

The IT Advisor. Cost of Your. March 2015. Inside This Issue

The IT Advisor. Cost of Your. March 2015. Inside This Issue www.asgct.com Tel: 203-440-4413 As a business owner, you may be too busy running your business to worry about the security, reliability, stability, or problems with your computer network. ASG Information

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Your guide to choosing an IT support provider

Your guide to choosing an IT support provider Your guide to choosing an IT support provider T: 08452 41 41 55 Contents Introduction 3 IT and business continuity 4 About managed services 5 Modular vs packaged support 6 Checklist of supplier questions

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

KEEPING PATIENT INFORMATION SAFE AND SECURE IN THE CLOUD

KEEPING PATIENT INFORMATION SAFE AND SECURE IN THE CLOUD CASE STUDY Take Cover The costs of exposing or losing patient information can ruin a dental practice. Cloud-based solutions can protect your business and your patients against these threats: Unauthorized

More information

Professional Indemnity Insurance for Security Companies Proposal Form

Professional Indemnity Insurance for Security Companies Proposal Form Professional Indemnity Insurance for Security Companies Proposal Form Important Notice 1. This is a proposal for a contract of insurance, in which 'proposer' or 'you/your' means the individual, company,

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

About Us. Records Managements. Digitalization & Blackbox Backup Solution. Corporate Membership & Representative Engagements.

About Us. Records Managements. Digitalization & Blackbox Backup Solution. Corporate Membership & Representative Engagements. About Us Records Managements Data Protection & Disaster Recovery Digitalization & Blackbox Backup Solution Corporate Membership & Representative Engagements Contacts emanage Africa is a limited liability

More information