Showing posts from September, 2011

Privacy awareness module

Today we released the October awareness module on privacy. The awareness materials introduce basic privacy concepts using the OECD privacy principles, emphasizing compliance with privacy laws and regulations, as well as corporate privacy policies and procedures.  Information security controls underpin privacy for personal information and data.  Ethical considerations take privacy beyond mere compliance into the realm of appropriate and inappropriate use and disclosure of private matters, while the business impacts of privacy breaches, and the costs of privacy controls, are also discussed. The awareness quiz is a new idea.  I hope customers will have fun with that.  The quiz format will no doubt continue to evolve over future months, and as always improvement suggestions are very welcome.

Social media policies

Seems free speech is alive and well in the US ... "Most of the social media policies that we've been presented are very, very overbroad," Solomon said in an interview. "They say you can't disparage or criticize the company in any way on social media, and that is not true under the law."  ... Doreen Davis, a management-side labor lawyer based in Philadelphia, said many of her corporate clients are often "surprised and upset" when they learn they can't simply terminate employees for talking about work online. Employers should develop sound, legally-sanctioned policies concerning what employees can and can't say about them on Facebook or whatever, but more importantly they need to provide mechanisms for employees to voice genuine grievances and have them addressed properly by management, without fear of persecution or recrimination.  That's the real issue here, isn't it? And it's a governance matter in my book. So why is it...

40 hard-won business continuity lessons from the NZ and Japan quakes

Rob Slade and I wrote an article capturing forty business continuity lessons arising from the massive earthquakes in New Zealand and Japan. It has just been published in EDPACS and, thanks to the generosity of the publishers Taylor and Francis, it is available as a free PDF download. Aside from the specific lessons concerning resilience, crisis management, disaster recovery, and contingency management, our article illustrates a broader point, namely that it is not necessary to experience disasters first-hand in order to learn from them. If you are fortunate enough not to live and work in an earthquake-prone area, there are still valid lessons here to help you survive other natural and unnatural disasters.

What use is a BCP that won't work?

While contemplating the latest PwC security survey report, I was intrigued to read: "At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15) But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening. In effect, most organizations (63%) have no plan or the plan they have doesn't work." I'm curious about the implication that about a third of organizations have nonfunctional contingency plans for information security incidents. Presumably they know their plans don't work because:

- They have used the plans but they failed in operation. It's possible some such organizations are too busy trying to recover from the incidents, or conceivably they are too badly damaged, to work on their contingency plans right now. What are the others doing?
- They have tested the plans but the...