Compliance with Basic Privacy Protections - Research Proposal Example

Summary
In the paper “Compliance with Basic Privacy Protections,” the author analyzes the issue that national governments should force all businesses to have BCP measures in place, much as the US HIPAA and the European Privacy Directive have forced compliance with basic privacy protections…

Extract of sample "Compliance with Basic Privacy Protections"

1. National governments should force all businesses to have BCP measures in place, much as the US HIPAA and the European Privacy Directive have forced compliance with basic privacy protections. Discuss pro/con.

Subject: Government Regulation of BCP
Topic: Wk03 Discussions
Author: Ernest Stevens
Date: December 16, 2007 7:22 PM

HIPAA and the European Privacy Directive are meant to protect the private data of individuals. These protections are intended to make sure that data is secured from exposure; that only those persons who are authorized can make use of the data. However, Business Continuity Planning (BCP) has to do, primarily, with making sure the data is available for use in case of an interruption of some kind. HIPAA, the European Privacy Directive, and other like legislation do not concern themselves with the success or failure of a company. If a company's data is simply destroyed, then the legislation does not apply. In some cases of BCP, this type of legislation may apply, as in the case of data being maliciously copied for illegal use, and then the original source being destroyed. In this line of reasoning, the legislation that already exists is sufficient. BCP has to do with the preparation of functional copies of data that the business can use to continue to function. This will help save the business money in the case of an interruption. The success of businesses should not be legislated. It should not be against the law for a business to fail.

--Doug

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Randal Freston
Date: December 17, 2007 6:32 PM

Doug,

Would you make an exception for private companies that are identified as critical infrastructure? I guess I am thinking of the stock market, banks, telecommunications, and other private companies. If they don't have a BCP and their services become unavailable, there are potentially serious consequences for the Nation.
Doesn't the US government have a responsibility to ensure that critical areas have a BCP so that the country can function in case of an emergency? Not tell them HOW to do it, but that they must do it and have some requirements to ensure it is being done.

-Randy

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Ernest Stevens
Date: December 20, 2007 5:37 PM

Hi Randy,

You are right. For example, the SCADA systems that govern the distribution/transmission of electricity and gas, must absolutely remain operational. Regulating BCP for energy utilities/national infrastructure, is absolutely necessary, although it is not done anywhere (that I can find). You have brought up an exception to the opinion I stated earlier. Thanks for enlightening me.

--Doug

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Randal Freston
Date: December 18, 2007 9:19 AM

National Governments should require private businesses that are identified as critical infrastructure to have BCP in place. There should be a standard and requirement. The private business should have the right to determine how they can meet the standard using their best and most cost efficient business models. In times of emergency, if a Nation cannot function without these critical services, the government has a National Security responsibility to ensure that it can function during an emergency. Without critical services you cannot have C3 and without it a government cannot function and there would be anarchy. BCPs help ensure these services will be available. For years, the U.S. has required radio stations to test and broadcast emergency messages in case of National emergency. They should not only require BCP but require tests of them. That way if critical services lose their primary means of business, there is a BCP in place.
DHS has been tasked "To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems." (H.R 5005-11) I would argue that the "emergency preparedness" section includes having a BCP that ensures that business can continue when unforeseen circumstances present themselves.

-Randy

Works Cited:
1. Critical Infrastructure Act of 2002- H.R. 5005-11 - DHS: http://www.dhs.gov/xinfoshare/programs/editorial_0404.shtm

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: John Knight
Date: December 18, 2007 3:18 PM

Although a clear organizational boundary exists between the two areas, data security and BC/DR strategies and tactics represent a shared concern because information security risks might well cause an organization to execute its BC/DR plan. Thus, even if a regulation does not specify the kind of business continuity plan (BCP) or how often it must be tested, an organization remains accountable for its systems and processes related to data. The bottom line is that laws and regulations, as well as shareholders, expect organizations to exercise due care to ensure that necessary data is available.

http://www.gartner.com/DisplayDocumentdoc_cd=128123

It takes time, planning, and money to adequately prepare a BCP. You may be right if I think of Mom and Pop operations but any business that has outside investors would argue that a business does not have a "right" to fail while taking investors' money. Investor beware!
I would be fairly unhappy if the companies I hold stock in did not take measures to ensure my pittance of a contribution was not totally lost due to some lack of basic planning. No one plans to fail but too many fail to plan for such things as lost data. Especially lost data that leads to a business failure - which would be my loss too.

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Eric Pressley
Date: December 18, 2007 4:36 PM

A Business Continuity Plan has lots of benefits on paper. Some planning, beats no planning at all. If the question was is it a good idea for all businesses to have a BCP, then I answer yes. The question however is, should the government mandate a BCP? In this case my answer is NO! I don't like the idea of the government mandating such a far reaching, all inclusive process that affects every part of every business. The government has a hard time overseeing its mandates, let's not give them something else to bog them down. A good business person will recognize the benefit of a well thought out BCP. The desire to protect stakeholders should drive the decision to implement a BCP not the government. A Business Continuity Plan (BCP), enables critical services or products to be continually delivered to clients. Instead of focusing on resuming a business after critical operations have ceased, or recovering after a disaster, a business continuity plan endeavors to ensure that critical operations continue to be available.

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Eric Pressley
Date: December 18, 2007 4:41 PM

The World Trade Center attacks on September 11, 2001 demonstrated that although high impact, low probability events could occur, recovery is possible. Even though buildings were destroyed and all of Manhattan was affected, businesses and institutions with good continuity plans survived.
A Business Continuity Plan needs a continuous risk management component, which lowers the risk of disruption and assesses the potential impacts of disruptions when they occur. Critical services or products are ones that must be delivered to ensure survival, avoid causing injury, and meet legal or other obligations of an organization. Business Continuity Planning is proactive planning that makes sure critical services or products are delivered during a disruption. A Business Continuity Plan includes plans and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and other assets. A BCP needs to include identification of necessary resources to support business continuity, including personnel, information, equipment, financial, legal counsel, infrastructure protection and accommodations. Having a BCP enhances an organization's image with employees, shareholders and customers by demonstrating a proactive attitude. The lessons learned include: plans must be updated and tested frequently; all types of threats must be considered; dependencies and interdependencies should be carefully analyzed; key personnel may be unavailable; telecommunications are essential; alternate sites for IT backup should not be situated close to the primary site; employee support (counselling) is important; copies of plans should be stored at a secure off-site location; sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and can impede personnel from returning to buildings; despite shortcomings, Business Continuity Plans in place pre September 11 were indispensable to the continuity effort; and increased uncertainty (following a high impact disruption such as terrorism) may lengthen time until operations are normalized. 
http://www.publicsafety.gc.ca/prg/em/gds/bcp-eng.aspx

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Debby Landry
Date: December 20, 2007 10:46 AM

A BCP's purpose is to ensure that business continues, albeit in a limited fashion. It only concerns itself with what it takes to keep key procedures and activities going. It would be nice if everyone thought about having a BCP, tested it regularly, and trained its employees to respond appropriately. Some do and do a very nice job, others take the attitude that if something happens we'll just pick up the pieces when the smoke clears. I think if the government were to attempt to regulate and enforce BCPs it would be a disaster. BCPs are not a one-size-fits-all proposition for one thing. And this piece of legislation would go the way of the Anti-SPAM (CAN SPAM) bill...good idea, looks good on paper, and is utterly unenforceable.

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: John Knight
Date: December 22, 2007 10:08 AM

Reading ecerones input and as you stated again here: "BCPs are not a one-size-fits-all proposition for one thing." I have not worked at the enterprise level but have always been in small to medium environments. In small environments BCP may be as much as a fresh backup on a different machine and the business is, for the most part, up and running so far as financials, inventories and the like. But there comes a "size" or scale of business such as a corporation which takes on the personality of Boards, Stockholders, Sensitive information, etc, which many companies have not chosen to self regulate and protect their assets. Loss now is not just the loss of the business but a loss to many stakeholders. Government regulation normally starts when someone in business fails to take adequate steps. History has too many examples of this type of failure and history has too many examples of Government regulations going a bit far...
what is the balance? Where/who draws the line? Enforceable or not it will keep most honest people - honest and at least attempt due diligence.

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Ernest Stevens
Date: December 21, 2007 12:03 AM

Whether or not we believe that governments should do this, the SEC, apparently, already has. A May 2004 notice states that the SEC approved a series of regulations. The notice continues, "Rule 3510 requires each member to create and maintain a business continuity plan and enumerates certain requirements that each plan must address. The Rule further requires members to update their business continuity plans upon any material change and, at a minimum, to conduct an annual review of their plans." Too late to protest!

--Doug

http://www.finra.org/RulesRegulation/NoticestoMembers/2004NoticestoMembers/p003094

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Karl Peterson
Date: December 22, 2007 12:14 AM

The other entity that I did not realize until recently that influences security controls in the Business is the NYSE, they have listed on their site the following "NYSE Regulation protects investors by enforcing marketplace rules and federal securities laws. NYSE Regulation also ensures that companies listed on the NYSE and on NYSE Arca meet our financial and corporate-governance listing standards." (NYSE) They also have listed on their website the following, "Financial Compliance reviews a company's reported financial results both at the time of joining the Exchange and throughout its listing to ensure that it meets original listing and continued-listing requirements. Criteria include earnings, cash flow, numerical standards relating to distribution of a company's shares, trading volume, market value, and share price, as well as other criteria.
When a company falls below any criterion, the Exchange notifies the company and reviews the appropriateness of continued listing. Once notified, in many cases a company has the opportunity to submit a plan to return to compliance within 18 months. If the Exchange accepts the plan, it monitors the company's performance throughout the plan period. If the company fails to achieve stated goals in a timely manner, the Exchange will move to suspend the security and remove it from the list. If the Exchange does not accept the recovery plan, it will move to immediately suspend the company's security and remove it from the list." (NYSE) My point being if a company does not have a BCP in place and a disaster occurred, it could potentially cause the company to be delisted, which would be detrimental to the stock.

Works Cited
NYSE, "NYSE Regulation." NYSE, New York Stock Exchange. 2007. NYSE. 21 Dec 2007 .

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Karl Peterson
Date: December 21, 2007 1:52 AM

There is enough government regulation in Business, I do not feel that Sarbanes Oxley has stopped companies from failing or making bad decisions, HIPAA has stopped information from being abused or mis-handled. Both regulations have increased awareness and public knowledge of issues. Having regulation that regulates BCP is tough, for one what happens when a Tornado, lands on a company in Helena Montana that did not have a plan to handle tornados? Regulations may make companies have basic plans in place, but it can nowhere near determine every risk that will affect every business. Sarbanes Oxley does have provisions that point towards having a BCP in place. Strohl Systems points this out in a web article, "Section 404, titled Management Assessment of Internal Controls, does not specifically mention BCP.
However, it states that management will be held responsible for ensuring that adequate internal controls are in place. In an informal interview, an auditor with a large accounting firm has confirmed that they are now reviewing corporate continuity plans as a direct result of Section 404. If the company does not have a BCP or has an inadequate BCP, the auditors are asking that the CEO and CFO sign a statement acknowledging that they are accepting the risk." (Strohl Systems) With Sarbanes Oxley and other controls that are in place, and then applying the principles of due diligence and due care Businesses are held accountable for not having a BCP in place to protect the interest of the stakeholders of the company. The Security Exchange Commission and other government entities need to hold the CEO and the Board of directors more responsible for their actions or lack thereof.

Definitions
Due diligence - Is the act of investigating and understanding the risk the company faces. (Harris Shon)
Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company. (Harris Shon)

Works Cited
Harris, Shon. All in One CISSP Certification. second Edition. Emeryville, Ca: McGraw-Hill/Osborne, 2003.: 85
Strohl Systems, "Regulations and Standards." recoverychronicles.com. Dec, 2003. 21 Dec 2007 .

Subject: Re:Government Regulation of BCP
Topic: Wk03 Discussions
Author: Todd Knapp
Date: December 22, 2007 10:04 AM

Karl,

You make some great points. I too do not believe that SOX has had the intended impact. I also think that HIPAA is a joke. I work in a hospital and I can tell you the regulations are incomplete, they drive up the cost of health care, and there is no way to enforce it. What is the point of passing regulations that the government cannot enforce? I do not think the government would be very good at coming up with a way to regulate BCP.
In my eyes, when you look at the past failures, what makes them think they are going to get it right this time? They are not, and that is where the board of directors and the suits come into play. Call it due diligence or the socially responsible thing to do. They are the ones ultimately responsible to the shareholders and the public at large. They are the ones that control the purse strings and that equates to how sound your organization's security or BCP programs are.