In response to the recent inadvertent TSA exposure of an improperly redacted PDF document containing highly detailed information on Passenger Screening procedures used by TSA officials at U.S. airports, several lawmakers have apparently asked Department of Homeland Security Secretary Janet Napolitano to review any legal remedies available to stop Web Sites from reposting the leaked security manual.

First a couple reminders:

• ”What Happens on the Internet, Stays on the Internet”
• The US legal system does not have jurisdiction over all of the Internet

Perhaps the same lessons being taught to students regarding the dangers of posting personal information or photographs of themselves online should be relayed to government employees with access to the Internet.  Once that information is out there, it is highly unlikely you will ever get it back…just like there is no “UNSEND” button to click after you sent an e-mail you did not mean to send.

What we really need are real solutions that address these and other real life issues.  This incident reveals the real and critical need for awareness and accountability across all levels of government.  All personnel should be provided with “situational awareness” and “customized training” to ensure all appropriate personnel understand:

• What types of information can be shared or not shared
• How to properly share information
• Who information can be shared with
• How to protect/redact sensitive information
• And many other situational awareness issues that all appropriate personnel need to know

The Transportation Security Administration said it is launching a “full review” of an incident in which the agency posted on the internet a sensitive manual outlining security procedures for law enforcement officers, diplomats, prisoners, federal air marshals and others. 

Yet another Lesson Learned in 2009.  We all need to use Lessons Learned from others so they become Lessons Implemented to ensure better safety and better results in TSA…and most every other organization.

2009 has provided hundreds of lessons learned and the majority of them reveal a widening gap involving a lack of awareness, a lack of accountability and a lack of oversight. 

Blaming the administration or calling it an honest mistake or brain fade are not solutions.  What organizations really need are better solutions and better tools to keep up with mounting risks, escalating regulations, constant changes and updates to situational awareness and a growing need to securely share information.

Organizational leaders need better management and oversight tools to “connect the dots” and implement lessons learned so we can eliminate gaps and weak links and achieve better results.

123 banks have now been closed this year and questions continue to mount with each bank closing.

One of the questions is: What role is the Killer Gap playing in these bank closures?

Have you heard of the Killer Gap?

The Killer Gap is the result of the following trends:

• Mounting Risks
• Increasing Costs (Security, Compliance, Business Continuity, Management, etc.)
• Escalating Regulations
• Changing Economic Conditions

Combined with:

• Decreasing Budgets
• Limited Resources
• Traditional Management Tools
• Poor/Outdated Decision Making

This widening gap presents difficult challenges for every organizational leader and their organization and can lead to expensive, embarrassing and business ending results.

Is your organization prepared to control and manage the Killer Gap?

Excellent Lessons Learned from Major Incidents

There is a saying that no leader will live long enough to learn from their own mistakes, so great leaders learn from other people’s mistakes too.

As I was reviewing titles from the November issue of Security Management (an ASIS publication) and on the lookout for lessons learned, I came across the following title:  Aligning Security and Company Risk

I clicked on the link and read an article that featured two major security/compliance incidents and what steps leaders from General Dynamics Corporation and Providence Health & Services took after major incidents occurred at their organizations.

The article really got my attention when I read the first paragraph:

After a major incident, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.

The article offers lessons learned from two organizational leaders who realized their security, compliance and business management efforts needed to be better aligned and that no technology solution was going to “fix” their problems, gaps and weaknesses. 

Are you organization’s security, compliance and risk management efforts aligned?

Does your organization have policies and procedures that help all appropriate personnel understand how your organization’s business processes are aligned?

Do all appropriate personnel understand their specific roles, responsibilities and obligations with respect to Security Management?  Compliance Management?  Risk Management? Reputation Management?

Does your organization need to modernize outdated, fragmented or manually intensive efforts that are making your organization vulnerable to expensive risks or a major incident?

In my experiences performing risk, vulnerability, compliance, safety and continuity assessments…most organizations can definitely learn from other leaders’ and other organizations’ mistakes sooner than later.

Teachable Moments vs. Ongoing Awareness Reminders

As a follow up to the previous blog regarding the sensitive ethics document from the Committee on Standards that ended up in the hands of The Washington Post, I wanted to take a look at teachable moments vs. ongoing awareness reminders.

If you go to the Committee on Standards of Official Conduct web site and look up their training requirements for 2009 you will see an example of once-a-year training requirements and you will see individual training requirements are based on pay scales.  This seems ironic to me since the Committee on Standards blamed a low-level staffer for the unauthorized access to the sensitive ethics document.

One thing we know from years and years of data is that people do not do things because they are taught…people do things because they are reminded.

What is the lesson learned here?  Once-a-year training is not effective. 

What are other lessons learned?  To be effective, once-a-year training should be complemented with ongoing reminders about:

• Situational Awareness
• Risks
• Threats
• Best Practices
• Regulations
• Technology Usage
• Information Sharing Guidelines
• Information Handling Requirements
• Legal Due Diligence
• And other related issues

What other lessons learned or questions does this Committee on Standards incident reveal? 

• Should “low-level staffers” receive different training based on salary? 
• Should detailees, fellows, unpaid interns, or any other individuals who are employed by an organization and paid for less than 60 days be exempt from training?
• Should new employees be allowed to work with sensitive information before training has been completed or be given 60 days to attend live or online training?
• If live training is provided, will individuals remember everything that was blasted at them via the “megaphone training approach”?

Interestingly enough, the previous questions are directly related to existing guidelines on the Committee of Standards of Official Conduct web site regarding 2009 Ethics Training.

This incident seems to be a great teachable moment about the importance of lessons learned questions that need to be answered and updates that need to be provided to all appropriate individuals as ongoing awareness reminders.

Low-Level Staffer Blamed for Committee on Standards Breach

In case you missed the story last week, multiple lessons learned and teachable moments have emerged from an incident involving a sensitive ethics committee document that ended up in the hands of the Washington Post.  The ethics document exposed numerous ongoing investigations into the conduct of more than two dozen House members.  

Most articles seem to be blaming the unauthorized access to the sensitive ethics document on a low-level staffer working from home on their personal laptop using a peer-to-peer file-sharing program which provided unauthorized access to the ethics document. 

Asking good questions can be a great way to identify Lessons learned and teachable moments, for example:

• How many employees/contractors have access to sensitive and confidential information?
• How many employees/contractors in your organization work from home?
• How many employees/contractors in your organization use a personal laptop for organization related purposes?
• How many employees/contractors in your organization use peer-to-peer file sharing programs?

Do you have clear policies and procedures and enforcement and consequences defined for each of these situations? 

Do you have the ability to track and document awareness and accountability at the individual-level? (Or as the Ethics Committee defines it – low-level staffers?)

How do you keep all appropriate individuals updated on new risks, new regulations, new policies and new teachable moments?

Next lessons learned blog will look at teachable moments and ongoing reminders and which works better…

We have all heard the wise old saying….’One man’s trash is another man’s treasure’ and potentially we have yet another lesson learned for organizations who are obligated to protect their client’s personal information.

In this lesson learned from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities.  Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers.

A few questions this incident brings to mind:

• Should personal data be stored outside of buildings?
• Should trash/storage bins be removable?
• Should trash/storage bins be monitored by video cameras?
• How should data waiting to be shredded be handled and secured?
• Does your organization have policies and procedures for data waiting to be shredded?
• Does your organization have information handling agreement with shredder vendors?

When it comes to protecting customers’ personal information, many other questions come to mind and many risks and issues have been discussed in previous Lessons Learned Blog entries.

Oh! And don’t forget this lesson learned provides yet another ‘red flag’ that should be added to your FACTA Red Flag Rule program and communicated to all appropriate personnel.

Yes, I admit it…I was surfing the FDIC web site this past weekend and I was spending some time reviewing past Financial Institution Letters that the FDIC releases to advise the banking industry of supervisory changes and guidelines.

I came across a Financial Institution Letter for Newly Insured FDIC-Supervised Depository Institutions that included the new changes, as well as a list of common elements from troubled or failed institutions.

The list offers some potential lessons learned for organizational leaders (board of directors, executive management, compliance and others) and so I thought I would share the list.

• Rapid growth
• Over-reliance on volatile funding, including brokered deposits
• Concentrations without compensatory management controls
• Significant deviations from approved business plans
• Noncompliance with conditions in the deposit insurance orders
• Weak risk management practices
• Unseasoned loan portfolios, which masked the potential deterioration during an economic downturn
• Weak compliance management systems leading to significant consumer protection problems
• Involvement in certain third-party relationships with little or no oversight

The list identifies the difficulties and complexities of “connecting the dots” and reminds bank leaders about many different types of “dots” that need better management to ensure better results.

If you are an organizational leader in the financial sector, this is good information!

If you were busy getting your costume ready for Halloween, you might have missed the news release from HHS on October 30, 2009.  This news release should be taken seriously by all covered entities and organizational leaders that have responsibilities for protected health information (PHI)

The news release announces that HHS has issued an interim final rule to strengthen its enforcement of the rules within HIPAA to conform to the HIPAA enforcement regulations made by the HITECH Act.

As you may remember, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, which modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after February 18, 2009.

I am curious if organizational leaders are taking notice of a trend that is catching on with strengthening enforcement of regulations?

The FDIC, OSHA, SEC, FINRA, FTC and others have announced they are also strengthening enforcement of regulations. 

Are organizational leaders are paying attention and taking steps to strengthen their management programs? 

Stay tuned….

The battle of the megaphones…it’s on!

The California Public Employees’ Retirement System (CalPERS) has launched a web site to target misinformation and offers a way to let its members, employees, employers and others keep up with issues in national health care reform, pension investments and security.

CalPERSResponds.com is the new web site that will also link to its social media posts on Twitter, Facebook and YouTube.

According to Patricia Macht, CalPERS director of external affairs, “There’s a lot of information and misinformation about CalPERS” and “We hope this site will help separate the facts from fiction and provide some education, insight and clarity to these issues.”

So now that multiple social networking sites are here to stay, are other organizations also planning to build a bigger microphone so they can shout over the top of the other microphones? 

Megaphones – especially bigger and louder ones – are they really the most effective or efficient solution for communicating information to trusted members, employees and partners when information overload is already a serious problem?