Are You Ready for the General Data Protection Regulation (GDPR)?

As we move closer to the enforceable compliance date of May 25, 2018 for the General Data Protection Regulation (GDPR), many organizations are asking themselves if they are on track to meet the regulation requirements. Many organizations are still unsure if the regulation even applies to them. Given the severity of potential penalties for non-compliance greater of €20 million or 4% of revenue for non-compliance with core tenets of GDPR, such as violation of data subject rights or transfers of data to unauthorized third countries), this perspective covers who GDPR applies to and the key items you should explore in your organization to ensure you are prepared. Continue reading

General Data Protection Regulation (GDPR)

General Data Protection Regulation - GDPRGeneral Data Protection Regulation (GDPR) is the most comprehensive personal data privacy regulation ever issued, and its implementation deadline in May 2018 is approaching quickly. With the potential fines accompanying noncompliance, GDPR has shifted the business world’s attention to privacy. However, since this regulation was issued by the European Union, there is a lot of uncertainty around how GDPR impacts US-based businesses. Bottom-line – if your business sells to or holds EU residents’ personal information, GDPR affects you. Continue reading

FFIEC Updates Business Continuity Planning Booklet with Appendix J

FFIEC_Appendix_JAppendix J: Strengthening the Resilience of Outsourced Technology Services

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated a version of its Business Continuity Booklet, which is one in the series of booklets that comprise the larger Information Technology (IT) Examination Handbook.

This article provides an overview of Appendix J and discusses the confirmed importance that continuity planning isn’t limited to just your organization; rather, it extends to all outsourced and supplier relationships as well. Continue reading

GRC for Business Continuity Professionals

Many business continuity professionals have expressed concern and uncertainty regarding the future of business continuity and how it will ‘fit’ with newer concepts like GRC (Governance, Risk and Compliance) and ERM (Enterprise Risk Management). In truth, these different ways of managing risk and optimizing business performance could significantly affect how business continuity programs are run. But, in the end, the importance lies in managing obligations and risk in the most efficient and cost-effective manner possible so the organization can thrive and meet stakeholder expectations. This article dissects the current state of GRC and what business continuity professionals need to know and do about it. Continue reading

An Update on TC 223 and ISO 22301

Online Exclusive – as published on  | Updated June 2012

[EDITOR’S NOTE – Brian Zawada is a member of the US Technical Advisory Group to ISO Technical Committee 223. Zawada participated in the 2011 and 2012 meetings as a member of Working Group 4, the team charged with developing ISO 22301, 22313 and 22323.]

There are numerous articles and conversations currently taking place regarding ISO 22301 and ISO Technical Committee (TC) 223 in general – some based on fact, but many based on assumption and rumor. So, what’s the real story on ISO 22301 and the work being performed related to societal security?

The purpose of this article is to provide updated information to help business continuity professionals better understand the ISO TC 223 standards development efforts underway and when to expect final work product that can help your organization better prepare for disruption. Continue reading

Data Breaches On Deck for Federal Oversight (Again)

Data BreachIn December 2009, my perspective titled “Data Breaches: A Sidewalk Sale of Consumer and Personal Information” detailed the financial, reputational and regulatory implications surrounding a data breach occurrence. Since then, little has changed (other than the fact that the term “data breach” is now commonplace throughout workplaces and households due the continuous increase of breaches worldwide). Organizations around the world ranging from US Bank and Outback Steakhouse to the U.S. Air Force and Sony have experienced (or are currently experiencing) a data breach and the headache of breach notification. Despite numerous attempts to implement federal data breach notification legislation, little has been done on a national level to streamline the process.

This perspective highlights the data breach notification process and how recent legislation proposed by the Obama Administration is hoping to consolidate dozens of diverse state breach notification regulations into one integrated national plan. Continue reading

Business Continuity: Now Required at Most Hedge Funds

hedge fund perspectiveBusiness Continuity planning is no longer just a best practice for hedge funds, as the Securities and Exchange Commission (SEC) now requires most hedge funds to maintain up to date business continuity programs. This article explains the new regulatory mandates and describes a recommended approach that hedge funds can employ to not only meet the spirit and intent of new SEC requirements, but also begin building toward business continuity readiness. Continue reading

Plan Do Check Act (PDCA) – How it Applies To Business Continuity

PDCAThe business continuity industry has heard a lot about Plan, Do, Check Act (PDCA) recently. Nearly every emerging standard is following this approach, from BS 25999 and NFPA 1600 (2010 edition) to the new American business continuity standard being created by ASIS. However, there seems to be a lot of confusion about what PDCA is – and what it means for business continuity. Continue reading

Data Breaches: A Sidewalk Sale of Consumer and Personal Information

data breach perspectiveData breach is a growing risk for organizations of all sizes and from all industries.  The number of reported data breaches in recent years has skyrocketed, and their cost can be devastating to an organization’s reputation and finances.  In addition, effectively responding to a data breach is far more complicated than simply sending a mass mailing to affected customers notifying them of the occurrence.  Given the potential impact of a data breach on an organization, cross-functional awareness and preparedness are a necessary addition to an organization’s business continuity program.  Continue reading to learn what a data breach is and why your organization needs to be prepared for one. Continue reading

UPDATED: What Is A Management System?

hands upContent updated in September 2012Originally published in January 2009

First introduced to business continuity practitioners in British Standard (BS) 25999 as a Business Continuity Management System (BCMS), the management systems concept continues to gain traction in our profession through a number of “societal security” related standards authored by the International Standards Organization (ISO), as well as new and updated standards from the National Fire Protection Association (NFPA) and ASIS International. Continue reading