Backup and Disaster Planning
With the highly anticipated release of its Guidelines on the National Security Review of Investments, the Canadian government has finally shed some light on circumstances which may draw investors and parties involved in the investment into the realm of a national security review.
I did a video with Joe McCafferty of MISTI last month. I am interested in whether you share my views. I also have some questions for you—after you watch the video.
I believe software is essential in managing user access risk, not only for SOX but also for other business risks. In fact, the potential harm from inappropriate access is typically greater for other business risk (such as the possibility of disruption of activities such as revenue generation or manufacturing, reputation risk, and the protection of valuable intellectual property) than it is for SOX.
James Lam has an impressive resume: Chief Risk Officer for major financial institutions, author of a respected book on ERM, consultant, and board member. Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM. I think it is fair to say that James and I agree on many points but disagree on others.
Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.
Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?
As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador’s Office of the Information and Privacy Commissioner shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information – and your organization – if the device ever falls into the wrong hands.
Sooner or later, every enterprise will face a crisis. When it hits, the ability to side-step disaster depends on the effectiveness of your company’s response. Preparedness and oversight of crisis management is a key responsibility of the board of directors.
A recent IRS announcement raises questions about how Canadian tax authorities will treat the free data protection services that organizations often provide in order to mitigate data breaches.