Special Considerations

Risk management and contingency planning activities make good business sense. They help an organization prepare for threats and events that harm its ability to meet its business goals. Organizations that engage in these activities understand their information security posture and know where they have weaknesses. They also know the threats to the confidentiality, integrity, and availability of their IT resources and data.

Addressing Compliance Requirements

For many organizations, RM and contingency planning are not just good business practices. Sometimes they are required by law. Many laws require the organizations they cover to complete risk assessments and create contingency plans. TABLE 14-5 reviews some laws that have these requirements.

TABLE 14-5 Laws With Risk Assessment and Contingency Plan Requirements

NAME OF LAW (what it covers) | RISK ASSESSMENT REQUIRED? | DR/BC PLAN REQUIRED?
Gramm-Leach-Bliley Act (consumer financial information) | Yes | Yes
Payment Card Industry Standards* (companies that accept credit cards for payment) | Yes | Yes
Health Insurance Portability and Accountability Act (protected health information) | Yes | Yes
Sarbanes-Oxley Act (corporate financial information) | Yes | Implied if contingency plans are indicated as an internal control required to secure financial reporting processes and systems
Federal Information Systems Modernization Act (federal information systems) | Yes | Yes

*The Payment Card Industry (PCI) Standards are not a law. Organizations that wish to accept credit cards for payment of goods and services must follow these standards. Banks that process credit card information enforce PCI compliance.

When to Call the Police

Children learn the basics of “when to call 9-1-1” at a very early age. Children are taught to call the police or emergency responders when:

  • Someone’s life is in immediate danger
  • Smoke or fire is present
  • Emergency medical help is needed
  • A crime is being committed

These are good rules for an organization as well. Organizations should include rules for when to call law enforcement or emergency responders in their contingency plans.

Must People Report Crime?

Under common law, in general, a person has no duty to report a crime that he or she witnesses. For purposes of the law, an organization is considered a “person.” Thus, most organizations also have no obligation to report crimes they witness.

There are some instances where people are required by law to report crimes, however. For instance, in the United States most people are required to report crimes where children or vulnerable adults are in danger. These laws require people to report suspected abuse and neglect to law enforcement.

Some U.S. states have laws that require IT workers to report the discovery of child pornography on computers. They must report the discovery to law enforcement. The IT worker must have discovered the pornography within the scope of his or her employment. An IT worker is not required to search for this type of material. However, if it is discovered, he or she must report it. At the time that this was written, at least 12 states had such laws.7

Most organizations should report any criminal activity that involves their IT resources or data. It is important to contact law enforcement right away to start investigating the crime.

Sometimes it is hard to know whether a crime has been committed. If the organization experiences a data breach, it is likely that a crime against the organization has been committed. Possible crimes include trespass, theft of data, theft of resources, unauthorized access, and similar crimes.

One of the most important reasons to promptly report crimes involving IT resources is so that forensic evidence can be collected. This type of evidence can be used to investigate computer crimes. However, this type of evidence is very volatile and must be preserved properly.

One of the things that organizations must account for in their contingency plans is the fact that communications systems will likely be overloaded in a regional disaster or emergency. It may take time to contact first responders, as well as extra time to receive their assistance. In regional natural disaster situations, people are usually discouraged from calling emergency responders unless a person’s life is in immediate danger. This is to keep emergency phone lines, such as 9-1-1 trunk telephone lines, from being overloaded with calls.

Public Relations

An organization’s contingency plans must consider its public relations strategy. Public relations (PR) is a marketing field that manages an organization’s public image. It includes marketing the organization’s products and services, as well as protecting the organization’s reputation and image. PR includes responding to crises that threaten that image.

An organization’s PR team develops communication strategies. These strategies are used to guide communications with employees, customers, and stakeholders. Coordinating an organization’s public message is sometimes difficult under normal business operations. It is even more difficult in an emergency. A PR strategy for emergencies must consider:

  • Who is authorized to make comments on the organization’s behalf?
  • Who is authorized to approve the contents of comments shared with the public?
  • How often should information be shared with the public?
  • How should information be shared with the public?
  • How should information be shared if normal communications methods are unavailable in an emergency?

It is important that an organization have a PR strategy for emergencies. The organization must make sure that information is given to stakeholders in a reliable and organized manner. It also must make sure that reliable information is communicated to employees. An organization’s reputation can suffer if it does not share enough information or shares it in a chaotic manner. Its reputation also can be harmed if the organization distributes conflicting information from different sources.
