Focusing your Business Continuity Management (BCM) (Continuity of Operations (COOP))

The arrival of Covid-19 two years ago posed a serious threat to the existence of most enterprises. The importance of business continuity management (BCM) in reducing possible hazards, speeding recovery, and meeting customer expectations has become critical for every firm, regardless of size, business vertical, or whether it is a government or private entity. BCM is a methodology for determining an organization’s exposure to both internal and external threats. The purpose of BCM is to give the organization the capacity to respond effectively to risks such as pandemics, natural disasters, and data breaches while also protecting the organization’s commercial interests. Disaster recovery, business recovery, crisis management, incident management, emergency management, and contingency planning are all included in BCM.

When done correctly, BCM may provide any organization a competitive advantage. This is especially true if a disruption affects an entire group segment and you are able to respond or recover faster than your competition, reducing consumer inconvenience. When it becomes evident that you excel at dealing with operational disturbances, your brand will gain trust and certainty, allowing you to position your organization as a preferred alternative for your clients and even bolstering confidence and increasing shareholder value. This is no different in being a trusted government entity, department, or agency.

Understanding continuity and preparedness requirements, establishing business continuity management policies and objectives, implementing and operating controls and measures for managing an organization’s overall continuity risks, and continual improvement based on objective measurements are all covered by one internationally recognized standard: ISO 22301. The standard highlights the need to meet and exceed customer expectations in order to secure business longevity and revenue development.

It is critical that the thought leadership and every level of the organization understand the importance of readiness and continuity.

The most crucial part of developing a BCM is clearly articulating stakeholder demands; consequently, customers must receive special attention because they are critical to the organization’s success. Focusing on customer needs will also allow the BCM to be fit for its purpose and provide the organisation with a clear picture of process criticality. As a result, you can expect positive results if you design and implement the business continuity plan from a customer’s perspective to drive the business impact analysis. Understanding your customers’ demands is critical to determining where you add value for them, as it allows you to prioritise and to determine how much downtime is tolerable in various areas before your bottom line is affected.

Be S.M.A.R.T. about creating strategies and objectives for business continuity management.

Doing this ensures that objectives are defined and matched with customer-oriented criteria. Internal and external dependencies that may have the greatest impact on an organization’s customers are identified when policies and objectives are developed. Customer objectives should attempt to surpass customers’ expectations rather than merely satisfying their requirements. As a result, any organization should make sure to set top-quality customer objectives. The goal of this setup is to ensure client retention, brand image, and eventually revenue growth.

It is important to put in place operational controls and procedures to manage an organization’s overall continuity risks.

Following the identification of customer demands and the establishment of essential policies and objectives for the organization, the next stage will be to implement controls that address and mitigate the identified risks. Because risks and changes are unavoidable in the environment in which your organization operates, a systematic approach to putting in place controls to reduce hazards is required. Setting up disaster recovery sites, business continuity strategies, and business continuity procedures are examples of these controls. Lack of these will eventually cause an organization to fail, leaving clients with little choice but to shift to competitors who will provide better choices, or at minimum a choice.

It’s a cycle of continuous development and improvement.

Continuous improvement is an ongoing, cyclical endeavour to enhance goods, services, or processes. Processes are assessed and adjusted on a regular basis based on their efficiency, effectiveness, and adaptability to changing customer requirements and business circumstances. Organizations employ a variety of approaches to structure the process of recognising and acting on opportunities for improvement. Six Sigma, Kaizen, Lean, and the Toyota Production System are examples of prevalent approaches. Although these approaches differ, they all share a common foundation in the continuous improvement paradigm and principles.

Small tweaks, rather than significant paradigm leaps or new breakthroughs, lead to improvements. One percent improvement a month leads to a 12% improvement annually. Employee suggestions are quite helpful. When employees take ownership and are involved in incremental changes, which are often affordable to execute, improvement occurs.

And finally…one more thought.

Customers are the lifeblood of every organization, and this is something that every organization understands, or should understand. As a result, their satisfaction is critical to the organization’s success, which may be secured by providing exceptional customer service. Customer satisfaction, brand image, and revenue growth have all been shown to improve when BCM is implemented. BCM is critical in this age of unpredictability, and enterprises are encouraged to use it to provide corporate stability and sufficiency for ever-changing client demands.

The Michael White Group International is an approved PECB ISO Standard(s) training provider. It all starts with a conversation.

Plan the Work. Work the Plan.

Reach out. We can help.

Should your Municipality need assistance, contact Michael White Group International today, and we will be happy to answer your questions. Visit michaelwhitegroup.com/contact/


Are you practicing SITUATION AWARENESS?

Situation Awareness is a skillset that should be practiced daily and is a valuable tool for staff.

Increasing situation awareness, through constant development and use, increases security, protection of staff, protection of assets, and the overall resiliency of staff and the organization.

Training Situation Awareness benefits every department across the organization.

This training can take many forms. The focus, however, should always be the same: elevate the staff member’s capability of being aware of their surroundings and of the different influences, factors, items, and people that make up the environment they’re in. Situation Awareness is a mental image of what is happening all around you. It means hearing, seeing, and feeling for information and for the various cues and clues that those influences, factors, items, and people are giving off in that environment, piecing them together to form a good idea of what is happening, and then using that information to predict what happens next.

There are many reasons why we need to be situationally aware.

  • Personal Safety & Security
  • Crime
  • Workplace Safety


Personal Safety & Security

Situation Awareness training can greatly improve an individual’s personal safety and security, regardless of whether they’re at work, at home or at play. Being aware of the environment you’re in reduces the risk of placing yourself in harm’s way and helps you remove yourself from harm’s way. Being aware of an individual who wants to or is about to cause you harm or steal some of your personal belongings is, unfortunately, much needed in some locales, environments and situations. Unfortunately for most of us, we traverse many different environments on a daily basis that vary in their degree of safety.


Crime

Levels of crime or criminal activity vary geographically and from environment to environment. Unfortunately, criminal activity affects many of us, from crimes against a person, theft, verbal abuse and physical abuse all the way to the far end of the spectrum: terrorist events. In an effort to be continuously aware, individuals should keep themselves abreast of local news and events and, equally important when travelling, their destination’s local news and events.

Workplace Safety & Security

It is everyone’s collective and individual responsibility to create and improve workplace safety and security. Law enforcement organizations and Crime Stoppers chapters always encourage us to “See something. Say something.” This very same message applies equally from our personal lives to our working environment. “That’s not my job” just doesn’t cut it anymore. Situation Awareness training assists organizations in bettering the safety, security and overall resiliency of their employees, resulting in a safer, more secure and more resilient organization.


Situational Awareness Training Delivery

There are options for organizations when seeking out Situation Awareness training.

  • In Person
  • Virtual Classroom


In Person Training

It has been said that In Person training is the best delivery method and the most beneficial for the participants. It can create an environment of interactivity between the instructor and the participant, and among the participants themselves. Our delivery of this training takes up to half a day.


Virtual Training

The recent and ongoing pandemic also allowed us to pivot the training and provide it in the virtual world on the various virtual meeting platforms. Virtual training also offers the benefit that we can bring together staff from geographically challenging locales where the cost of bringing them together in person is prohibitive, making an even larger training group feasible.

Benefits

The benefits of Situation Awareness training are many for all individuals: increased personal safety and security, an increased security culture in the workplace, and increased knowledge of the environment around them. Whether it is a high or low risk environment, situation awareness belongs there.

The value of the training, and the value of its results, shouldn’t be overlooked or underestimated.




Considerations for Employees who are Working Remotely – Part 2


Part 2 – Clearly outline when the employee is considered to be in the physical work environment and when they are not.

In our last article we noted that Covid-19 changed the way many organizations do business, and organizations have had to learn how to navigate the many challenges of remote work: lack of face-to-face supervision, keeping employees engaged and motivated, and managing the work environment are just some of them. During the pandemic, many employers shifted to a full or hybrid remote work arrangement, but with COVID restrictions being lifted and life slowly returning to the pre-pandemic norm, what was just a temporary measure necessitated by the COVID pandemic is becoming a more permanent arrangement by choice.

Whether you choose to adapt to a fully remote workforce or a hybrid remote work arrangement, employees’ activities while working remotely should be subject to the same standards that are applied at the organization’s offices regarding confidentiality, security, quality, and access to business documents, just to name a few. In addition, an employer must continue to comply with applicable employment legislation and continue to ensure the health and safety of employees to minimize the risk of workplace injuries while working remotely. To help minimize liabilities, employers who are considering implementing a permanent remote work arrangement should ensure that they establish and implement a clear remote work policy along with a well drafted remote work agreement between the employer and the employees.

In Part 1 we talked about these key areas to consider when creating a remote work policy: Availability and Hours of Work, Physical Environment, and Security. Here are some additional areas to consider when creating a remote work policy.

Client Confidentiality

Some employers’ client information may be particularly sensitive. Customers have a right (both legal and moral) to expect their confidential information to be protected. Employees who are working remotely should be reminded of their obligation to take appropriate precautions to ensure that confidential information is not exposed to third parties, including family members, visitors or any other persons residing, working or simply present at the remote work location.

Health and Safety

The remote work location is an extension of the physical office. While the Ontario Health and Safety Act appears explicitly not to apply to work performed by the owner or occupant in or about a private residence, the employer should practice due diligence, and it would still be considered best practice to direct employees to observe all applicable health and safety policies when working remotely.

Remote work may also be conducted in locations other than the employee’s home. This could be highlighted in the policy, and employees reminded that they can consult with their health and safety representative (if applicable) about best practices for setting up a remote-work location. Employers continue to be responsible for taking every reasonable precaution to protect the well-being of their employees. In the context of a “distributed workplace”, employers should be clear about the employer’s and employee’s shared responsibility to ensure a safe workplace.

Injuries sustained at the employee’s home would be treated as a workplace-related injury, so it is imperative that organizations continue to manage health and safety for employees who are working from home. To minimize the health and safety risks associated with working from home, employers should ensure that the remote-work policy covers the following:

  • Define the workplace. Where does the workplace extend to and how does the workplace extend into the employee’s home?
  • Clearly outline when the employee is considered to be in the physical work environment and when they are not.
  • Be clear about break times and ensure that employees understand that breaks are time away from work.
  • Employees should be made aware that just as they are expected to maintain a safe work area free of safety hazards while in the office environment, they are required to do the same in their home workspace.

Confusion about expectations, and disconnection between employees and employers, resulting from the lack of a clear remote work policy can expose both parties to undue risk. An effective remote work policy should establish the guidelines and expectations for performance while working remotely, along with providing a framework for monitoring and addressing situations of non-compliance. By doing so the employer may enjoy a competitive edge, even during trying and difficult times, as they provide employees the opportunity to continue to contribute to the organization’s ongoing success in an evolving understanding of how work gets done.

By Adrian Johnson, ASSOCIUM Consultants

Through our collaborative approaches, innovative HR products and customized advisory solutions we impact four leadership priorities: managing risk, driving productivity, strengthening talent capabilities and supporting your bottom line.

Let’s connect to find out how ASSOCIUM Consultants can help your organization.



Considerations for Employees who are Working Remotely – Part 1


Part 1 – Your remote work policy should outline the importance of protecting confidential information in remote work settings.

Covid-19 changed the way many organizations do business, and organizations have had to learn how to navigate the many challenges of remote work: lack of face-to-face supervision, keeping employees engaged and motivated, and managing the work environment are just some of them. During the pandemic, many employers shifted to a full or hybrid remote work arrangement, but with COVID restrictions being lifted and life slowly returning to the pre-pandemic norm, what was just a temporary measure necessitated by the COVID pandemic is becoming a more permanent arrangement by choice.


Below are some key areas to consider when creating a remote work policy:

Availability and Hours of Work

A remote work policy should clearly outline availability expectations. One of the disadvantages of working remotely is that employees are in various locations. This sometimes makes it difficult to have spontaneous meetings or to pop by someone’s desk for a quick chat about business. A solution for this may be to incorporate schedule requirements, including structured, periodic check-in times with employees. While much has been written recently about the value of flexibility for employees, who can have greater control over their schedules while working remotely, it may still be necessary to set parameters for hours of work and rules for overtime. So, regardless of the flexibility of work schedules, the employer may want to set expectations for employees to be accessible during particular hours and to respond promptly to any time-sensitive calls, emails, or other communications from the organization’s clients or other third parties critical to the organization’s purposes.

Physical Environment

If there is a preference for a physical working environment for your employees, outline these expectations in your policy. Ensure your employees know what the requirements are for a physical working environment whether it be in the employee’s home or alternative location. If necessary, the employer may require employees to provide addresses and locations from which they are working remotely and update these when necessary. Employers may wish to establish expectations for dependent care arrangements and personal responsibilities to ensure that employees are able to meet their job responsibilities without interruption or distraction.

Security

Security is a big concern with remote work. Your remote work policy should outline the importance of protecting confidential information in remote work settings. Your policy should set guidelines for working remotely to secure records and prevent unauthorized disclosure of confidential business information.

Employers should consider the processes for storing business documents, especially sensitive and/or highly confidential files, on the organization’s secure servers and not on the employee’s remote hard drives.

Your organization might consider specific policies mandating secure internet connections or virtual private networks, with a strict exclusion of public Wi-Fi. There should also be a policy and process for reporting a security breach if the employee has any reason to believe that business information has been accessed by any unauthorized person(s).

And, of course, if budgets permit, it may be prudent to provide remote-work employees with secure computers and other hardware, owned by the organization. Related policies could then restrict the processing or storage of any of the organization’s information on the employee’s personal equipment.

This is a two-part conversation, so watch next week for Part 2 of our article, where we’ll cover Client Confidentiality and Health & Safety considerations.



By Adrian Johnson, ASSOCIUM Consultants




2022 Security Risk Budget Outlook

Moving on up

At the onset of the pandemic, Security Risk budgets decreased as organizations shuttered their doors, employees left the office, and organizations under duress looked for places to cut costs. Many found their savings in the Security budget. But now, the potential to double or triple budgets in 2022 may be a reality.

Our research shows approximately two-thirds of security budgets increased in 2021 from 2020, but still have yet to reach or return to 2019 levels. 2022 has the potential to change that.

As organizations are set to come back to life in 2022, security risk events have not gone away. In fact, the COVID-19 pandemic created new security challenges. The new challenges have yet to be solved, and as schools and businesses reopen or remain open during potential future surges, the security risks of the past return as well. In order to protect themselves from past, current, and future threats, organizations need to reinvest in physical security.

Really watch

For some organizations, real camera surveillance and real-time monitoring integrated with a properly trained uniformed security guard force may be the order of the day. High-caliber uniformed security guards, and the training necessary to protect against threats to an organization, cost more than $15-20 an hour. Challenges will emerge in protecting your organization, your information, your IP, and your personnel. All of this may lead to an explosion of security requirements, and of the budget.

Another factor contributing to budget increases in 2022 is executive protection. According to the Ontic 2021 Mid-Year Outlook: State of Protective Intelligence Report, 58% of CEOs and senior leaders who expressed a stance on political issues received physical threats. Senior Public Officials and local health department leadership who encouraged health measures like vaccination or mask-wearing have also become targets of physical threats. Against the backdrop of this increased threat landscape, executive protection has grown in importance among physical security professionals.

An inner look

These types of threats could also come from inside an organization. Leadership will either take a stand, or not take a stand. The personnel of an organization expect their leaders to take a stand, whatever that might be, for or against a particular issue or concern. Unfortunately, pent-up frustration surrounding decisions may not even be pandemic related, and at times still results in leaders being threatened. In many areas of the country, threats against “leadership” are foreign territory for many organizations.

Integration

The threat landscape has always been uncertain and rapidly changing. With many advancements in approach, strategy, and technology, organizations can protect themselves with integrated security risk strategies.

As both physical and cyber threats compound, organizations are tasked with protecting themselves on all sides. Increased and realized threats carry one unfortunate downside: higher security costs, as risks to supply chains and cyber and physical security risks increase. During this pandemic many organizations have unfortunately learned that their security profile may not be, or has not been, at the level they had hoped. New gaps have been found, existing weaknesses have become even weaker, and due to other impacts of the pandemic, organizations may have struggled to get the necessary supplies, purchases and even personnel in the manner to which they were once accustomed.

Plug it

Identify your shortfalls and your gaps, and plug the holes. A comprehensive risk assessment will assist in that process. If organizations fail to plug those holes as they begin to re-open even more, they will unfortunately remain in, or fall back into, a vulnerable position.

Proactive hard work

Technology enhancements, uniformed security, executive protection, education, and plain old attentiveness and proactive behaviour towards security risks, applied to quickly address the existing and newfound challenges brought forth by the pandemic, will require increases in security budgets in 2022.

Now more than ever we need to move beyond reactive, and proactively secure our organizations.

It all simply starts with a plan.

We can Help.

Plan the Work. Work the Plan.





Vaccination Policies for Municipal Employees and Consultants

While there is currently no federal or provincial legislation in Canada requiring mandatory COVID-19 vaccination for all employees, we are seeing more and more municipalities implementing requirements for their employees, consultants and contractors.

This is a controversial issue and muniSERV is not speaking out for or against these policies. We believe that municipalities have an obligation to protect the health and safety of their employees, as well as their residents and the community as a whole. Although implementing a mandatory vaccination policy poses potential legal risks, such as human rights and privacy claims, most municipalities are moving forward. This blog is meant to help clear up some misconceptions and to help municipalities make informed choices when developing, implementing and enforcing their vaccination policies.

Human Rights

Human rights legislation pertaining to employment prohibits discrimination on certain grounds, including disability, sex and religion. If an employee refuses to comply with a mandatory vaccination policy and has a justifiable exemption, the employer must make accommodations. These can include working remotely or more specific measures like increased PPE or modified work hours. Many municipalities are requiring staff who are not fully vaccinated to attend vaccination education training and undergo routine COVID testing.

Privacy Concerns

In most Canadian provinces, an employer may collect, use or disclose personal employee information only with the employee’s consent and for reasonable purposes. In order to enforce a mandatory vaccination policy, employers would be required to ask employees if they are vaccinated. This qualifies as the collection of personal information, which means not only that the employee would have to consent but also that the employer must demonstrate that they are collecting the information for a reasonable purpose.

In this case, the employer could reasonably request vaccination information, but only for use in the implementation of vaccination policies, health and safety protocols and infection control measures. This information should, ideally, be kept separate from regular personnel files and only accessed when required.

Termination

An employee who refuses to be vaccinated because of a medical condition or religious belief cannot have their employment terminated, as that would be considered discrimination under the human rights code. But the reality is that employers can invoke a “without cause” termination as long as the proper severance is paid.

Non-compliance with vaccination policies could leave employers in a delicate situation, forcing them to discipline their employees and even possibly terminate their employment.

Unionized Employees

Since many municipal employees are also union members, municipalities must work closely with the unions before finalizing and implementing their vaccination policies. Workplace safety is a founding principle for most unions, but the pandemic has produced new obstacles for everyone.

Of course, it is always best that municipalities explore all of their options and obligations when developing, implementing and enforcing their vaccination policies.


Being aware – situationally aware

Our world has always been in a state of perpetual change. Now more than ever, it is perceived to be changing at an ever more rapid pace.

Some of those changes are positive, such as economic growth and technology advancements. Unfortunately, with the positive comes the negative: a continuous cycle of persons who wish to do harm.

Safety and Security experts inform us that violent events will continue to happen: the violent extremist motivated and driven by an ideology, the targeting of individuals, places of business and places of worship, and acts of violence that permeate every vertical and every sector of business and government.

Active safety and security programs are continuously reviewed and modified to face existing challenges and the new challenges of tomorrow.

To make your safety and security programs more effective, the program needs ambassadors: your staff.

Ambassadors need to be aware. Situationally aware.

Situational awareness training provides your staff with valuable intelligence & time when facing safety and security situations of potential harm or danger.

Being situationally aware is truly a change in mindset.

It is a way of thinking that will focus a person’s behaviour, their outlook, and their mental attitude. People who are aware are no longer vulnerable but capable.

Capable individuals are always prepared. Capable individuals are not complacent: they use technology to enhance their preparedness and response, and their planning always includes a contingency plan.

Situationally aware staff improve the effectiveness of your safety and security program.

Situationally aware individuals enhance the workplace and enhance their personal safety and security.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance in Situation Awareness training, contact Michael White Group International today, and we will be happy to answer your questions.

Michael White Group International is an Arcuri Group LLC approved Situation Awareness Specialist Certification Training provider.



Negotiating Like a Lawyer

I don’t like going to the doctor’s office. Part of the reason is because my doctor also happens to be a good friend of mine and I already see him enough on the golf course, squash courts and playing pick-up hockey.


But I mostly avoid doctor’s visits because I hate being poked and prodded. So to make my doctor’s visits as quick and painless as possible, when I do have to go see him I give him as much context as I can about the reason for my visit. This gets him to focus on my problem and limits the amount of poking and prodding.


I also don’t like getting poked and prodded in a lawyer’s office.


Most of us work for organizations that have a legal department which reviews the contracts we’re negotiating, and the amount of changes to a contract, especially if the edits are to our standard agreement, usually determines the extent of the legal review.


So just like the doctor’s visit, I make sure to provide our lawyers with as much context as I can so they can focus on the issues and not have to go through the entire agreement with a fine-toothed comb.

Now there are some lawyers that, no matter how much context you give them, are going to read the whole contract, and that’s ok, it’s their prerogative. However, most lawyers I’ve worked with actually appreciate the extra effort I’ve put in to make their lives a little easier.

But there’s another thing you can do before you even send the contract to legal for review, and unfortunately I don’t see enough negotiators doing this, so spoiler alert… it’s actually ok for you to negotiate the legal terms in a contract on behalf of your organization, as long as you remember 3 things:

  1. Make sure you actually understand the legal terms before arbitrarily rejecting the other side’s edits.
  2. Make it clear that all changes will still require final legal review and sign-off… and the trick here is to only negotiate in the areas where you have a really good sense of your lawyer’s threshold of acceptability.
  3. If you’re working off your paper, try to eliminate as many changes as you can from the other side.

I was helping a client not too long ago who wanted to start discussions with a new supplier, so they sent them an NDA to sign and the supplier came back with some edits. But before my client sent it off to his legal department for review, I asked if I could take a look at the changes first.

The supplier had made five changes to the NDA. Four of the changes were to de-risk any liability they’d have if they breached confidentiality, and one was a legitimate concern about their IP.

So we went back to the supplier and said we understood the IP concerns, but the other four changes would make it impossible for us to do business with them. Within 10 minutes the sales executive responded that he’d had a “quick chat” with his lawyers and we could disregard those 4 changes, but they would like to see some compromise on the IP.

When my client sent the changes to legal, he provided all of this context and legal approved the change in a few hours, which is nothing short of a miracle in most organizations.


So the big takeaway here is that if you fancy yourself as a negotiator, then be a negotiator. Don’t just throw your contracts over to legal to sort out…and if you don’t know something, learn.


I recently developed and launched a training course with my colleague, Mark Morrissey, which covers this and other topics that are essential for Strategic Sourcing Professionals.

Most of you have a training budget this year and you could do a lot worse than seeing what we have to offer, so check out the training section on our website and let me know if you would like more information about our corporate group pricing.


Mohammed Faridy

Chief Executive Officer

OneView 1450 Meyerside Drive Suite 603 Mississauga, ON L5T 2N5

E-mail: [email protected] | Cell: 416-917-2410


What type of testing is right for your website – Understanding the difference in website testing

In the last few weeks there has been a rise in reported malware and malicious attacks on small municipalities. Testing of three small municipality websites in recent weeks by our team resulted in failures of basic security parameters on all three sites. We often hear small organizations say they don’t need to worry about attacks because they aren’t “big enough”, but anyone can be a target.

Regularly testing your website for known vulnerabilities and emerging threats should become a part of your Cyber Security Road Map. The first step is identifying the type of web testing that is right for your infrastructure. Here are a few key questions to consider:

1) Where is your website hosted – do you host it yourself? Is it hosted by a third party?
2) Who is responsible for the security of the host system and the operating system?
3) Do you have a web application firewall such as Cloudflare in front of your website?
4) Is your website a static page with content?
5) Do you have a login, and if so, what type of data is behind the login? Customer, pricing, private personal?
6) Do you have any API interactions with other applications?

When you start down the road of testing your website you want to consider both the host operating system and the application. There are two key types of testing available: fully automated scanning and manual testing. Fully automated scanning is used for both host operating systems and web applications. The host operating system scan will check for all currently known vulnerabilities affecting that operating system. It will report back on the CVE, the risk and usually suggested remediation tips. The same is true for web application scanning. A fully automated web application scanner will scan your website at a minimum for the OWASP Top 10 vulnerabilities and report back on risks and remediation: https://owasp.org/www-project-top-ten/.
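To make concrete what the simplest layer of an automated web scan actually does, here is an added example (not code from the original post or from the mi613 team’s tooling) that inspects an HTTP response’s headers for the baseline controls a scanner would flag on a static municipal site: HSTS, a Content-Security-Policy, MIME sniffing and framing protections, cookie flags, and server version disclosure. The two header sets are constructed samples, one weak and one hardened, so the check runs offline; the header names are real, but the sample values are invented for the demonstration.

```python
"""Offline baseline check of HTTP response security headers.

Added example: a minimal version of the header checks an automated
web-application scanner performs on every response. The WEAK and
HARDENED header sets below are constructed sample data, not captured
from any real site.
"""
import re
from dataclasses import dataclass
from typing import Iterable

ONE_YEAR_SECONDS = 31_536_000


@dataclass
class Finding:
    header: str
    severity: str  # "high", "medium" or "low"
    detail: str


def _parse(raw: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Group raw (name, value) pairs by lower-cased name; Set-Cookie may repeat."""
    out: dict[str, list[str]] = {}
    for name, value in raw:
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out


def _hsts_max_age(value: str):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_security_headers(raw_headers: Iterable[tuple[str, str]], *, https: bool = True) -> list[Finding]:
    """Return baseline findings for one response; an empty list means it passed."""
    h = _parse(raw_headers)
    first = lambda name: h.get(name, [""])[0]
    findings: list[Finding] = []

    # Transport: without HTTPS nothing else below can be trusted.
    if not https:
        findings.append(Finding("(transport)", "high", "served over plain HTTP"))
    else:
        hsts = first("strict-transport-security")
        if not hsts:
            findings.append(Finding("Strict-Transport-Security", "medium", "missing"))
        else:
            age = _hsts_max_age(hsts)
            if age is None or age < ONE_YEAR_SECONDS:
                findings.append(Finding("Strict-Transport-Security", "low", f"max-age {age} is below one year"))

    # Content-Security-Policy limits script injection and, via frame-ancestors, framing.
    csp = first("content-security-policy")
    if not csp:
        findings.append(Finding("Content-Security-Policy", "medium", "missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(Finding("Content-Security-Policy", "low", "policy allows unsafe-inline/unsafe-eval"))

    if first("x-content-type-options").lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options", "low", "missing or not 'nosniff'"))

    if not first("x-frame-options") and "frame-ancestors" not in csp.lower():
        findings.append(Finding("X-Frame-Options", "medium", "no framing restriction (clickjacking)"))

    # Every cookie should carry Secure and HttpOnly; attributes follow the first ';'.
    for cookie in h.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(Finding("Set-Cookie", "medium", f"cookie {cookie_name!r} lacks {', '.join(missing)}"))

    # Version strings in Server / X-Powered-By give away what to look up in CVE databases.
    for name in ("server", "x-powered-by"):
        value = first(name)
        if re.search(r"\d", value):
            findings.append(Finding(name.title(), "low", f"version disclosed: {value}"))

    return findings


# Constructed sample responses (not from any real site).
WEAK_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(check_security_headers(hdrs))} finding(s)")
        for f in check_security_headers(hdrs):
            print(f"  [{f.severity}] {f.header}: {f.detail}")
```

The weak sample produces six findings and the hardened one none, which is the kind of before/after a scan report lets you track between tests; a real scanner adds many more checks (TLS configuration, outdated components, injection probes), but every one of them starts from the same idea of comparing a response against a known-good baseline.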

Manual testing means that you have an actual person using various methods to determine the security of a host or the application, and if the rules of engagement permit, they will attempt to exploit a vulnerability to gain access, modify content or download information. There are varying degrees of manual testing: the simplest is one tester for one day, and the more extensive is 2 testers for 5 days of testing.

The type of test that is required for your website really depends on two main factors:

1. Have the host and application ever been tested before?

2. What is the criticality of the data being processed or stored on this site?

For example, if you have a very static page of content that is hosted by a third party, chances are a good OWASP Top 10 scan of your site will be sufficient to let you know if you have any glaring misconfigurations that could lead to a website defacement or potential attack on your site. If your website has a login, allows users to sign up for accounts and hosts dynamic content, you would want to make sure you consider a manual test at least for the first test. Once a thorough baseline has been established for the site, testing can become more routine and automated.

We recommend you develop a plan for testing and make sure to include the above considerations. There might be special notifications you have to give in writing to a third party before you test an application; you might have to have a testing IP whitelisted in a web application firewall; you may need special accounts set up in the application for testing.

If you are unsure what type of test is right for your website, reach out to us and we will be glad to discuss options with you.

http://www.mi613.ca


The Importance of Third Party Vendor Assessments

Lessons learned from Cyber Incident Response

We are finding that many companies that have experienced a Cyber Incident are not performing even the most basic Third Party Vendor Risk Assessment.

It is absolutely imperative that if you engage with a vendor you understand the associated risks.

5 simple questions can lead you to a better understanding of your Vendor risks and a quicker recovery from an Incident:


  1. Is there an identifiable Leadership team?
    • Who is accountable?
    • Would you be able to escalate or contact them?
    • Where are they located?
  2. Do they have an Incident Response plan and Reporting Structure?
    • Do they have a response plan?
    • Are there dedicated phone numbers or emails for reporting incidents?
    • Are ticket numbers assigned and tracked?
  3. Who is responsible for security within their Organization?
    • Is there someone who is responsible for security?
    • Is there a defined role, or is it handled off the side of the desk by another role?
    • Does the company reside in a country that has Breach Reporting responsibilities?
  4. Do you have a Service Level Agreement for responding to incidents?
    • Do you have a defined Incident/Severity matrix with set response times?
    • How do you escalate an Incident?
    • What is your communication cadence?
  5. Can they demonstrate their current level of Cyber Security Compliance?
    • Can they demonstrate the framework they adhere to? (NIST/CIS)
    • Do they disclose if and when they do vulnerability/penetration testing?
    • Do they have any risk reports (SOC 1, SOC 2, PCI DSS) they can share?
    • Do they have patch management?

It is important to develop a Third Party Cyber Security Screening Assessment before engaging in a new contract. We can walk you through the process and help you understand your Cyber Risks.

Let’s talk Cyber!

http://www.mi613.ca
