Focusing your Business Continuity Management (BCM) (Continuity of Operations (COOP))

The arrival of Covid-19 two years ago posed a serious and more difficult threat to most enterprises’ existence. The importance of business continuity management (BCM) in reducing possible hazards, speeding recovery, and meeting customer expectations has become critical for every firm, regardless of size, business vertical, government, or private entity. BCM is a methodology for determining an organization’s risk of being exposed to both internal and external threats. The purpose of BCM is to give the organization the capacity to respond effectively to risks such as pandemics, natural disasters, and data breaches while also protecting the organization’s commercial interests. Disaster recovery, business recovery, crisis management, incident management, emergency management, and contingency planning are all included in BCM.

When done correctly, BCM may provide any organization a competitive advantage. This is especially true if a disruption affects an entire group segment and you are able to respond or recover faster than your competition, reducing consumer inconvenience. When it becomes evident that you excel at dealing with operational disturbances, your brand will gain trust and certainty, allowing you to position your organization as a preferred alternative for your clients and even bolstering confidence and increasing shareholder value. This is no different in being a trusted government entity, department, or agency.

One internationally recognized standard, ISO 22301, covers understanding continuity and preparedness requirements, establishing business continuity management policies and objectives, implementing and operating controls and measures for managing an organization’s overall continuity risks, and continual improvement based on objective measurements. The standard highlights the need to meet and exceed customer expectations in order to secure business longevity and revenue development.

It is critical that the thought leadership and every level of the organization understand the importance of readiness and continuity.

The most crucial part of developing a BCM is clearly articulating stakeholder demands; consequently, consumers must receive special attention because they are critical to the organization’s success. Focusing on customer needs will also allow the BCM to be fit for its purpose and provide the organisation with a clear picture of process criticality. As a result, you can expect positive results if you design and implement the business continuity plan from a customer’s perspective to drive the business impact analysis. Understanding your customers’ demands is critical to determining where you add value to them, as it allows you to prioritise and determine how much downtime is tolerable in various areas before affecting your bottom line.

Be S.M.A.R.T. about creating strategies and objectives for business continuity management.

Doing this guarantees that objectives are defined and matched with customer-oriented criteria. Internal and external dependencies that may have the greatest impact on an organization’s consumers are identified when policies and objectives are developed. Customer objectives should attempt to surpass consumers’ expectations rather than merely satisfying their requirements. As a result, any organization should make sure to provide top-notch quality consumer objectives. The goal of this setup is to ensure client retention, brand image, and eventually revenue growth.

It is important to put in place operational controls and procedures to manage an organization’s overall continuity risks.

Following the identification of customer demands and the establishment of essential policies and objectives for the organization, the next stage will be to implement controls that address and mitigate the identified risks. Because risks and changes are unavoidable in the environment in which your organization operates, a systematic approach to putting in place controls to reduce hazards is required. Setting up disaster recovery sites, business continuity strategies, and business continuity procedures are examples of these controls. Lack of these will eventually cause an organization to fail, leaving clients with little choice but to shift to competitors who will provide better choices, or at minimum a choice.

It’s a cycle of continuous development and improvement.

Continuous improvement is a continuous, cyclical endeavour to enhance goods, services, or processes. Processes are assessed and adjusted on a regular basis based on their efficiency, effectiveness, and adaptability to changing consumer requirements and business circumstances. Organizations employ a variety of approaches to structure the process of recognising and acting on opportunities for improvement. Six Sigma, Kaizen, Lean, and the Toyota Production System are examples of prevalent approaches. Although these approaches differ, they all share a common foundation in the continuous improvement paradigm and principles.

Small tweaks, rather than significant paradigm leaps or new breakthroughs, lead to improvements. One percent improvement a month leads to a 12% improvement annually. Employee suggestions are quite helpful. Improvement occurs when employees take ownership of and are involved in incremental changes, which are often affordable to execute.

And finally…one more thought.

Customers are the lifeblood of every organization, and this is something that every organization understands, or should understand. As a result, their pleasure is critical to the organization’s success, which may be secured by providing exceptional customer service. Customer happiness, brand image, and revenue growth have all been shown to improve when BCM is implemented. BCM is critical in this age of unpredictability, and enterprises are encouraged to use it to provide corporate stability and sufficiency for ever-changing client demands.

The Michael White Group International is an approved PECB ISO Standard(s) training provider. It all starts with a conversation.

Plan the Work. Work the Plan.

Reach out. We can help.

Should your Municipality need assistance, contact Michael White Group International today, and we will be happy to answer your questions. Visit michaelwhitegroup.com/contact/


Are you practicing SITUATION AWARENESS?

Situation Awareness is a skillset that should be practiced daily and is a valuable tool for staff.

Increasing situation awareness through constant development and use increases security, protection of staff, protection of assets and the overall resiliency of staff and the organization.

Training Situation Awareness benefits every department across the organization.

This training can take many forms. The focus, however, should always be the same: elevate the staff member’s capability of being aware of their surroundings and the different influences, factors, items, and people that make up the environment they’re in. Situation Awareness is a mental image of what is happening all around you. It means hearing, seeing and feeling for information and the various cues and clues that those influences, factors, items, and people are giving off in that environment, piecing them together to form a good idea of what is happening, and then using that information to predict what happens next.

There are many reasons why we need to be situationally aware.

  • Personal Safety & Security
  • Crime
  • Workplace Safety

 

Personal Safety & Security

Situation Awareness training can greatly improve an individual’s personal safety and security, whether they’re at work, at home or at play. Being aware of the environment you’re in reduces the risk of placing yourself in harm’s way and helps you remove yourself from harm’s way. Unfortunately, in some locales, environments and situations, being aware of the individual who wants to or is about to cause you harm or steal some of your personal belongings is much needed. Most of us traverse many different environments on a daily basis that vary in degrees of safety.

Crime

Levels of crime or criminal activity vary geographically and from environment to environment. Unfortunately, criminal activity affects many of us, especially crimes against a person: theft, verbal abuse and physical abuse, all the way to the far end of the spectrum of terrorist events. In an effort to be continuously aware, individuals should keep themselves abreast of local news and events and, equally important when travelling, their destination’s local news and events.

Workplace Safety & Security

It is everyone’s collective and individual responsibility to make and improve workplace safety and security. Law enforcement organizations and Crime Stoppers chapters always encourage us to “See something. Say something.” This very same message applies equally to our personal lives and our working environment. “That’s not my job” just doesn’t cut it anymore. Situation Awareness training assists organizations in bettering the safety, security and overall resiliency of their employees, resulting in a safer, more secure and more resilient organization.

Situational Awareness Training Delivery

There are options for organizations when seeking out Situation Awareness training.

  • In Person
  • Virtual Classroom

In Person Training

It has been said that In Person training is the best delivery method and most beneficial for the participants. It can create an environment of interactivity between the instructor, the participant and with the other participants also. Our delivery of this training will only take up to half a day.

 

Virtual Training

The recent and ongoing pandemic also allowed us to pivot the training and provide it in the virtual world on the varying platforms of virtual meeting spaces. Virtual training also offers benefits in that we can bring together staff from geographically challenging locales where the cost of bringing them together is prohibitive, making an even larger training group more feasible.

Benefits

The benefits of Situation Awareness training are many for all individuals: increased personal safety and security, an increased security culture in the workplace and increased knowledge of the environment around them. Whether it is a high or low risk environment, situation awareness belongs there.

The value of the training, the value of the results shouldn’t be overlooked or underestimated.


UCaaS is critical for any authority service improvement

What is UCaaS?

Unified Communications as a Service (UCaaS) is a network of cloud-based telephone systems that control the flow of calls coming in and out of your organization. We replace your on-premises PBXs, as well as your SIP, PRI, and POTS lines. UCaaS enables you to use a variety of hosted programs and services (including instant messaging, video conferencing, file sharing, and email) over the Internet from any location and at any time. In addition, UCaaS provides security, allows flexibility, and integrates well with your other software applications, including MS Teams. UCaaS systems are updated frequently by the provider, ensuring that your communication methods will always be up-to-date in our ever-evolving world.

Why is UCaaS critical for all customer-guided corporations?

GUARANTEES YOUR BUSINESS CONTINUITY & SECURITY

Experteers can easily answer this for all municipalities and companies who care about their customers.

First of all, we have to emphasize the importance of continuity in all circumstances. UCaaS provides the best option for sparing your business any hiccups along the road, whatever the reason. UCaaS is available on any communication device, laptop, or PC, anywhere and at any time, so that you can communicate efficiently with your customers.

Security is another crucial requirement for all connected networks. Voice calls, video conferencing, and instant messaging are part of every department’s communications and enable departments to work properly and deliver services. Experteers, as a security provider, enables a first layer of security by having all our servers in Canada, maintaining 100% availability through four communication centers in four main Canadian cities (Montreal, Calgary, Vancouver, and Toronto), and maintains a second layer of security by having all centers SOC certified.

INCORPORATES THE LATEST FEATURES

When you have UCaaS, you’ll be able to use all the latest functions and features without any additional cost. You’ll also have the assurance that your information is kept safe and secure in a reliable data center. Having the ability to keep your communications up-to-date allows you to remain competitive and helps to increase your overall performance.

 

OFFERS FLEXIBILITY AND SCALABILITY

UCaaS allows organizations to add and remove users (for example, temporary employees) without any significant infrastructure changes or capital investments. UCaaS also provides seamless work experiences for your employees since they are cloud-based and accessible from any location – great for those working remotely.

 

PROMOTES PRODUCTIVITY

By using a UCaaS system, your productivity increases. All of your employees have unified communications support that is sharable amongst all departments, and UCaaS integrates well with your other software applications (like CRM). UCaaS keeps communication lines open and provides ways for your employees to log into various devices to access their information (such as voicemails).

 

LAST BUT NOT LEAST

SAVES YOU MONEY

When switching to UCaaS, there are minimal upfront hardware costs – you only need phones. You will also have the ability to choose the services you need (and not waste money on the ones you do not). UCaaS allows you to concentrate on growing your business by decreasing your dependence on capital investments.

 


 

We at EXPERTEERS are helping municipalities, utility companies, and medical centers increase employee productivity by adding a state of the art Unified Communications Solution, enhancing collaboration and increasing employee efficiency.

  • Enable your team to work remotely (hybrid)
  • Train employees more efficiently with sentiment analysis
  • Monitor key performance metrics with automated reports
  • Boost company performance through detailed analytics & collaboration
  • .. and more

Let us help you improve your client experience, call us at EXPERTEERS to learn how we can help enable your business for success in 2022.

 

Experteers is a system integrator (SI) and managed service provider (MSP) for the following services:

– SASE / SD-WAN: to secure all your networking between all branches.

– NGFW: a centralized Next-Generation Firewall to keep all networks secured with a system updated in almost real time.

– NMS: Network Managed System to keep visibility on all network elements and servers and improve your systems’ availability.

– Cyber-Security on all endpoints and servers

EXPERTEERS CORPORATION

WWW.EXPERTEERS.COM


Can Public Service Access Be as Easy as Online Shopping?

For all levels of government, including municipalities, on-line services are no longer something to be considered for some unspecified future date. The private sector has set a new standard for a streamlined customer experience, and this has translated to much higher expectations for access to public services as well. This speaks to a demand to digitize citizen service request processes, from reporting concerns through to requesting permits or making payments. An increasingly tech-savvy population, continued evolution in technology, and the realities of the pandemic are all contributing to an accelerated need for this to be underway now and to happen quickly.

Benefits of digitizing citizen service requests

The benefits of digitizing public services are numerous. At the core, citizens who are satisfied with how they are served are far more likely to trust in their local governments, and far more likely to remain engaged in the process of making their communities better. But there are more tangible benefits as well. For example, unlike brick & mortar service offices, online services make it easy to offer the convenience of 24/7 access from anywhere. Studies have also shown that time spent by citizens or businesses interacting with public employees can be reduced by 50% or more. Furthermore, automation has the potential to reduce service request handling effort by as much as 60%, resulting in a far more productive and satisfied workforce, shorter turnaround times, reduced backlogs, and more time to focus on innovation.

But there are challenges

Government agencies have considerable ground to make up in building a more citizen-centric culture and, in recent years, satisfaction with government agencies has actually declined. According to the 2021 American Customer Satisfaction Index (ACSI), satisfaction with local government agencies ranks last in customer satisfaction among the 10 sectors and 47 industries included. Much of this can be attributed to differences in the degree to which services can be transacted online, but also to the fact that the private sector continues to raise the bar on online service expectations quicker than the public sector’s ability to keep up. Adding to this challenge is that the number of customer journeys requiring attention and automation within the public sector is typically greater than is the case for private businesses, while access to internal technical talent to execute is often in shorter supply.

Thoughts on How to be Successful

Given these challenges, digitization of public services can seem daunting, and will surely take time to fully realize. But to be successful, there are some key elements that need to be part of any transformation effort.

Clear Intent

Positive change through digitization will happen more quickly and will be more sustainable if there is clear intent from the outset, common and well-articulated goals, and genuine excitement and confidence on what the transformation team can accomplish together. This needs to start with committed leadership. To be successful however, there needs to be a collective sense of conviction and purpose that is shared by all parties responsible for implementation.

Keep the citizen at the forefront

Efforts to bring government services online must start with and maintain focus on the complete experience a citizen has with a local government, as seen from the citizen’s perspective. Each journey will have a clearly defined beginning and end, spanning a progression of touchpoints, and citizens don’t really know or care about who owns each individual step in the process. From their perspective, these are all part of one journey. And it shouldn’t be assumed that because some individual touchpoints are performing well, the overall citizen experience is meeting the need. By making the citizen’s experience as seamless as possible, operational efficiency and employee satisfaction will naturally follow.

Look for quick wins

Digitization plans of any scale will often fail if there is a sense that everything needs to be done at the outset. It is advisable to build momentum within the team and across stakeholder groups by prioritizing a small number of particularly painful journeys and adopting an agile approach to make these journeys better. This means releasing improvements iteratively in smaller, more manageable sprints, and making refinements continually based on feedback from the field. To quickly demonstrate value, it often makes sense to start with the front-end experience and to gradually introduce backend automation and integration over time. And yes, this may require internal teams to adopt a new way of working.

Manage citizen expectations within each journey

When you make a purchase online, as part of a digitized process it is customary to receive an indication of when your purchase will be shipped. And once shipped you receive additional notification of estimated delivery date along with a tracking number. As long as the communicated expectations are met you are likely to be left with a feeling of being well served independent of the amount of time taken, and will be more likely to use the same channel for future purchases. Public services should be no different. As an example, a citizen request management system should acknowledge receipt of a reported concern, set service level expectations, automate communication to the citizen for key updates, and confirm when the concern is resolved – all of this within a timeline that can reasonably be met. Trust and citizen satisfaction are sure to benefit when such an approach is adopted.

Measure and communicate results

One final thought relates to an imperative to establish KPIs that reflect how well any investment in digitizing services is paying off.  We suggest that a measure of citizen satisfaction always be included, but others such as staff hours spent per citizen service request, percentage of requests received through digital versus other channels, abandon rates, and others will also come into play. These metrics can be used to reinforce strategies that should remain at the forefront of any ongoing digitization efforts, and highlight areas that need further refinement or rework. Of equal importance, this will provide a basis for communicating value and success to stakeholders including city council, CAOs, departmental managers, the transformation team and, of course, the citizens that stand to benefit. This is critical to build momentum towards the ultimate goal of making citizen service requests as seamless as on-line shopping.


2022 Security Risk Budget Outlook

Moving on up

At the onset of the pandemic, Security Risk budgets decreased as organizations shuttered their doors and employees left the office, and organizations under duress looked for places to cut costs. Many found their savings in the Security budget. But now, the potential to double or triple budgets in 2022 may be a reality.

Our research shows approximately two-thirds of security budgets increased in 2021 from 2020, but still have yet to reach or return to 2019 levels. 2022 has the potential to change that.

As organizations are set to come back to life in 2022, security risk events have not gone away. In fact, the COVID-19 pandemic created new security challenges. The new challenges have yet to be solved, and as schools and businesses reopen or remain open during potential future surges, the security risks of the past return as well. In order to protect themselves from past, current, and future threats, organizations need to reinvest in physical security.

Really watch

Real camera surveillance and real-time monitoring, integrated with a properly trained uniformed security guard force, may be the order of the day for some organizations. High-caliber uniformed security guards and the training necessary to protect against threats to an organization cost more than $15-20 an hour. Challenges will emerge to protect your organization, your information, your IP, your personnel. All of this may lead to an explosion of security requirements, and of the budget.

Another factor contributing to budget increases in 2022 is executive protection. According to the Ontic 2021 Mid-Year Outlook: State of Protective Intelligence Report, 58% of CEOs and senior leaders who expressed a stance on political issues received physical threats. Senior Public Officials and local health department leadership who encouraged health measures like vaccination or mask-wearing have also become targets of physical threats. Against the backdrop of this increased threat landscape, executive protection has grown in importance among physical security professionals.

An inner look

These aforementioned types of threats could also come from inside an organization. Leadership will either take a stand, or not take a stand. The personnel of an organization expect their leaders to take a stand, whatever that might be, for or against a particular issue or concern. Unfortunately, pent-up frustration surrounding decisions may not even be pandemic related, and at times still results in leaders being threatened. In many areas of the country, threats against “leadership” are foreign territory for many organizations.

Integration

The threat landscape has always been uncertain and rapidly changing. With many advancements in approach, strategy, and technology, organizations can protect themselves with integrated security risk strategies.

As both physical and cyber threats compound, organizations are tasked with protecting themselves on all sides. With increased and realized threats there is one unfortunate downside: higher security costs as risks to supply chains and cyber and physical security risks increase. During this pandemic many organizations have unfortunately learned that their security profile may not be, or may not have been, at the level they had hoped. New gaps have been found, existing weaknesses have become even weaker and, due to other impacts of the pandemic, organizations may have struggled to get the necessary supplies, purchases and even personnel in the manner to which they were once accustomed.

Plug it

Identify your shortfalls, your gaps and plug the holes. A comprehensive risk assessment will assist in that process. If organizations fail to plug those holes, and as they begin to re-open even more, they unfortunately will remain or fall back into a vulnerable position.

Proactive hard work

Technology enhancements, uniformed security, executive protection, education, and plain old attentiveness and proactive behaviour towards security risks to quickly address existing and newfound challenges brought forth because of the pandemic will require increases in security budgets in 2022.

Now more than ever we need to move beyond reactive, and proactively secure our organizations.

It all simply starts with a plan.

We can Help.

Plan the Work. Work the Plan.

 


Being aware – situationally aware

Our world has always been in a state of perpetual change. Now more than ever, it is perceived to be doing that at an ever more rapid pace.

There are positive changes, such as economic growth and technology advancements, to note a couple. Unfortunately, with the positive comes the negative: a continuous cycle of persons who wish to do harm.

Safety and Security experts inform us that violent events will continue to happen. These range from the violent extremist motivated and driven by an ideology to the targeting of individuals and places of business and worship: acts of violence that permeate every vertical and sector of business and government.

Active safety and security programs are continuously reviewed and modified to face existing challenges and the new challenges of tomorrow.

To make your safety and security programs more effective, the program needs ambassadors: your staff.

Ambassadors need to be aware. Situationally aware.

Situational awareness training provides your staff with valuable intelligence & time when facing safety and security situations of potential harm or danger.

Being situationally aware is truly a change in mindset.

It is a way of thinking that will focus a person’s behaviour, their outlook, and their mental attitude. People that are aware are no longer vulnerable but capable.

Capable individuals are always prepared. Capable individuals are not complacent, they use technology to enhance their preparedness and response and their planning always includes a contingency plan.

Situationally aware staff improve the effectiveness of your safety and security program.

Situationally aware individuals enhance the workplace and enhance their personal safety and security.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance in Situation Awareness training, contact Michael White Group International today, and we will be happy to answer your questions.

Michael White Group International is an Arcuri Group LLC approved Situation Awareness Specialist Certification Training provider.

How to Find the Budget for a Municipal Project

Have you ever received an RFP that doesn’t have any budget listed?  It makes it hard to truly understand the scope of the work requested, doesn’t it?

Municipalities have their hearts in the right place, but often they throw more “wants” into an RFP than they have the budget for. When the bids come in way over their budget, they have to start the whole RFP process all over again – wasting everyone’s time.  

Worse yet, those who bid the first time may not bother to submit a bid the second time around, and the municipality may receive fewer bids and ultimately higher pricing.

In defense of municipalities, however, I’ve been on both sides of the argument on whether or not to include the budget for a project in an RFP.

As a CAO, I didn’t want to put the budget number in the RFP either, because I was afraid bidders would simply submit bids right up to the budget number. This is still a common misconception.

But now, experience has taught me, when bidders know the budget number, the reality is they more often submit bids lower than the budget, to try to win the work.

From the Bidders’ perspective though, it’s incredibly frustrating not knowing the budget number because you can’t accurately price the work without understanding the municipality’s expectations.

So, to connect the dots, here’s a tip for Bidders to find the budget for a municipal project.

 

In most cases you can, through good sleuthing, find the budget a municipality has set aside for a specific project.

  • Provincial Announcements

Often when Provinces announce funding for municipalities, they will have a press release and a link to find out which municipality received what amount for specific project(s). That’s the easiest way to find the budget for a project.  

  • Agendas & Minutes

If the municipality received funding for the project, Council will most likely have recently passed a resolution to approve the project.  By searching the municipality’s Agendas/ Minutes section of their website, you can usually find the resolution about a month or so before the RFP was issued.

Personally, I start by looking at the Agendas and searching keywords related to whatever the RFP has been issued for (e.g. Service Delivery Review, Parks & Rec Roof Repairs, etc.). The Agenda will help you narrow down the minutes that contain the resolution Council passed, and the resolution will normally have the dollar amount approved for the project.

  • Budget

If the municipality did not receive funding for the project, you may not find a resolution approving it. So, another way you can sometimes find the budget for a project is by finding the municipality’s annual budget on their website.  

This is a bit harder to do if you’re not familiar with how a municipal budget looks, but look at the proposed expenditures for the current year, in the appropriate department and you may see the project noted separately in the annual budget. 

For example, you would most likely find the budget for “Service Delivery Review” in the General Administration part of the budget, or “Roof Repairs” in the Parks & Recreation part of the budget, etc.  

You can also check out the Special Budget Meetings of Council (again in the Agendas/Minutes section of the municipality’s website), and you may see mention of the project and how much Council wants to budget for it. 

It takes time, and it’s not always easy, but in most cases, it is possible to find the budget the municipality has set aside for a project. 

Happy Sleuthing Sherlock! 

Got questions?

Contact Susan Shannon, Founder & Principal, muniSERV.ca

855.477.5095 or [email protected]

What type of testing is right for your website – Understanding the difference in website testing

In the last few weeks there has been a rise in reported malware and malicious attacks on small municipalities. Testing of three small municipality websites in recent weeks by our team has resulted in failures of basic security parameters on all sites. We often hear small organizations saying they don’t need to worry about attacks because they aren’t “big enough”, but anyone can be a target.

Regularly testing your website for known vulnerabilities and emerging threats should become a part of your Cyber Security Road Map. The first step is identifying the type of web testing that is right for your infrastructure. Here are a few key questions to consider:

1) Where is your website hosted – do you host it yourself? Is it hosted by a third-party?
2) Who is responsible for the security of the host system, the operating system?
3) Do you have a web application firewall such as CloudFlare in front of your website?
4) Is your website a static page with content?
5) Do you have a login and if so what type of data is behind the login? Customer, pricing, private personal?
6) Do you have any API interactions with other applications?

When you start down the road of testing your website, you want to consider both the host operating system and the application. There are two key types of testing available: fully automated scanning and manual testing. Fully automated scanning is used for both host operating systems and web applications. The host operating system scan will scan for all currently known vulnerabilities affecting that operating system. It will report back on the CVE, the risk and, usually, suggested remediation tips. The same is true for web application scanning. The fully automated web application scanner will scan your website, at a minimum, for the OWASP Top 10 vulnerabilities (https://owasp.org/www-project-top-ten/) and report back on risks and remediation.

Manual testing means that you have an actual person using various methods to determine the security of a host or the application and, if the rules of engagement permit, they will attempt to exploit a vulnerability and gain access, modify content or download information. There are varying degrees of manual testing: the simplest is one tester and one day, and the more extensive is 2 testers and 5 days of testing.

The type of test that is required for your website really depends on two main factors –

1. Have the host and application ever been tested before?

2. What is the criticality of the data being processed or stored on this site?

For example, if you have a very static page of content that is hosted by a third party, chances are a good OWASP Top 10 scan of your site will be sufficient to let you know if you have any glaring misconfigurations that could lead to a website defacement or potential attack on your site. If your website has a login and you allow users to sign up for accounts and host dynamic content, you would want to make sure you consider a manual test, at least for the first test. Once a thorough baseline has been established for the site, testing can become more routine and automated.

We recommend you develop a plan for testing and make sure to include the above considerations. There might be special notifications you have to give in writing to a third party before you test an application; you might have to have a testing IP whitelisted in a web application firewall; or you may need special accounts set up in the application for testing.

If you are unsure what type of test is right for your website, reach out to us and we will be glad to discuss options with you.

http://www.mi613.ca


The Importance of Third Party Vendor Assessments

Lessons learned from Cyber Incident Response

We are finding many companies that have experienced a Cyber Incident are not performing even the most basic Third Party Vendor Risk Assessment.

It is absolutely imperative that if you engage with a vendor you understand the associated risks.

5 simple questions can lead you to a better understanding of your Vendor risks and a quicker recovery from an Incident:

  1. Is there an identifiable Leadership team?
    • Who is accountable?
    • Would you be able to escalate or contact them?
    • Where are they located?
  2. Do they have an Incident Response plan and Reporting Structure?
    • Do they have a response plan?
    • Are there dedicated phone numbers or emails for reporting incidents?
    • Are ticket numbers assigned and tracked?
  3. Who is responsible for security within their Organization?
    • Is there someone who is responsible for security?
    • Is there a defined role, or is it off the side of the desk of another role?
    • Does the company reside in a country that has Breach Reporting responsibilities?
  4. Do you have a Service Level Agreement for responding to incidents?
    • Do you have a defined Incident/Severity matrix with set response times?
    • How do you escalate an Incident?
    • What is your communication cadence?
  5. Can they demonstrate their current level of Cyber Security Compliance?
    • Can they demonstrate the framework they adhere to? (NIST/CIS)
    • Do they disclose if and when they do vulnerability/penetration testing?
    • Do they have any risk reports (SOC 1, SOC 2 or PCI DSS) they can share?
    • Do they have patch management?

It is important to develop a Third Party Cyber Security Screening Assessment before engaging in a new contract. We can walk you through the process and help you understand your Cyber Risks.

Let’s talk Cyber!

http://www.mi613.ca


How have the pandemic adaptations affected your Physical Security?

Well into the COVID-19 pandemic, organizations and governments big and small have had to take measures and make changes to their environments to adapt to the needs of their staff and customers, their service delivery model, the requirements of health science, government agency regulations, perhaps “new” industry best practices and, of course, the ever-changing virus.

These measures have evolved into many different things. We’re going to specifically focus on physical security devices.

Two of the pervasive items that have been introduced in many environments are plexiglass and signage.

Organizations have installed plexiglass barriers at points where personnel have the potential to interact with other personnel, customers, vendors, etc.

Informative signage itemizing physical distancing rules and self-assessment health protocols has been placed in both strategic and random locations within the environment to ensure every opportunity for personnel and visitors to be informed.

Funny thing about all of these plexiglass barriers and signage.

In some cases, not all, we have inadvertently defeated the functionality and purpose of some or many of the installed security devices. That is, their ability to monitor, detect and alert (alarm).

  • Motion detectors blocked, unable to provide proper coverage
  • Cameras experiencing sun flare reflection off plexiglass
  • Nuisance alarms due to swinging signage on the increase
  • And other unforeseen effects

There are incidents where there is enough of this added material that devices, although active and functioning as per specifications, are unable to detect properly – leaving areas with no security detection or proper monitoring.

We have the answers.

Let’s go for a (physically distanced) walk and have a conversation.

Your security risk plans are more than just a motion detector or even a strategic camera placement.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance, contact Michael White Group today, and we will be happy to answer your questions or provide quotations.
