This issue of Communication Command contains an interview about governance risk and compliance, as well as an article about tabletop crisis exercises. We hope you will enjoy our e-Newsletter.

April 2016
Interview on Data Breaches
C4CS® Managing Partner Oliver S. Schmidt gives an interview to Continuity eGuide / Disaster Resource Guide on Data Breaches: How to Protect Corporate Reputation and the Bottom Line. Please click here to access the interview.


Leadership Institute
C4CS® Senior Partner Dianne Chase, International Vice Chair of the International Association of Business Communicators (IABC), helped lead IABC's 2016 Leadership Institute in Los Angeles. The photograph above shows Dianne as she addresses conference attendees.

Continuity Insights Conference
C4CS® Consulting Director Alan Sawchak and C4CS® Senior Consultant Doug Kavanagh attended the Continuity Insights Managment Conference in Nashville. The photograph above shows Alan (center) at the International Consortium for Organizational Resilience (ICOR) booth with ICOR President Lynnda Nelson and Jim Nelson, ICOR board chair. Alan is currently serving on ICOR's board of directors.

Risk Communication Presentation
C4CS® Managing Partner Oliver S. Schmidt made a presentation on Risk Communication at the March meeting of the Three Rivers Contingency Planning Association (TRCPA). C4CS® has been a TRCPA member for a number of years.

Our next e-Learning course on 'Harnessing the Power of Social Media in Crisis Management' will be conducted July 11 through July 22, 2016. Congratulations to those who completed the course work and obtained a Certificate in Social Media Crisis Management Planning accredited by ICOR. The course brochure can be downloaded via this link.
If you have questions concerning this e-Learning course, please contact us at
Communication Command e-Newsletter
Please click here if you would like to access past issues of our e-Newsletter.

Five Questions about Governance Risk and Compliance

Jyotin Gambhir is Managing Director at SecureFLO, LLC, a consulting firm that specializes in Governance, Risk and Compliance, Managed Security, Cloud Security, and Secure Operations.

Jyotin Gambhir

Do members of corporate boards in your experience understand the IT security risks their companies face?

Based on my experience, members of corporate boards of directors are largely aware of the risks that cybersecurity presents. However, security is still regarded as a cost center, and not as one that increases revenue or has a clear return on investment.

Unfortunately, many C-level executives view security as a hindrance to commerce. According to a recent CISCO survey, 71% of C-level executives interviewed listed security as the primary cause for blocking their ability to increase commerce on the internet and expanding markets. They understand the risk primarily due to related regulatory compliance and enforcement - especially in financial services and health care. But due to misinformation, a full understanding of security risk to data and to business life cycles does not exist.

Which current regulations are impacting the majority of corporations and what new regulations do you see on the horizon?

Each industry has specific regulations that have recently been more relevant than others. In the case of financial services, the Sarbanes-Oxley Act, the DoddFrank Act, and the Bank Security Act and its Anti-Money Laundering rules have to be considered. For health care it is the Health Information Portability and Accountability Act as well as state regulations, Meaningful Use, and ICD 10, which stands for the 10th revision of the International Statistical Classification of Diseases and Related Health Problems. As for the energy sector, there are for instance the reliability standards set forth by NERC, which stands for North American Energy Reliability Corporation. For any industry that sells to the U.S. government, the Federal Risk and Authorization Management Program, or FedRAMP, is a factor. For retail, the Payment Card Industry Data Security Standard plays an important role.

You also asked about regulations on the horizon. There are a number of state specific regulations in the U.S., and new ones are likely in the works. Additionally, the European data privacy / Basel III regulations will become more stringent, and the encryption laws in the Asia Pacific region will become more standardized. Ongoing change is the common denominator around the globe.

How does this affect IT security and day-to-day IT operations?

Today, IT security is focused on data lifecycle and thus overall business. Any time sensitive data is present, the company has a security component. Security is focused on confidentiality, integrity, and the availability of information. In order to meet the existing regulations IT needs to:

·         Inventory applications with sensitive data

·         Apply access controls to applications

·         Deploy secure communication protocols

·         Develop encryptions protocols for data in motion and at rest

·         Understand how the environment will be patched

·         Develop and deploy change control

·         Grow strong disaster recovery processes

·         Understand overall disposal

·         Review physical security.

·         Review code for vulnerabilities

·         Manage and remediate vulnerabilities

·         Conduct scans

·         Develop incident management and response programs

This extensive list of tasks certainly keeps IT personnel busy.

Does outsourcing the IT function generally increase or decrease a company’s efforts in the area of governance risk and compliance?

Outsourcing IT will increase the efforts in the area of governance risk and compliance. This increase typically causes companies to do the following:

·         Understand and review the SSAE-16 SOC2 report

·         Manage the controls for regulatory requirements with the outsourcing entity

·         Review IT processes to meet internal policies

·         Review SLA and make sure that it meets all compliance and reporting metrics

·         Manage notification in the event of breach and coordinate with government requirements

·         Review and manage business continuity and coordinate with outsourcing entity

·         Conduct penetration tests and manage remediation of vulnerabilities that requires approval a contractual reviews

·         Manage and coordinate external audits

·         Review and take action on logs and threats

·         Document all approvals for changes taking place in the environment

·         Input regulatory changes with the Outsourcing entity

·         Manage internal training and awareness requirements as documented in regulations with external entity

What should companies do in the area of training when it comes to governance risk and compliance?

There are a number of trainings that should be conducted as part of regular IT operations and regulatory compliance. The following are at the top of my list:

·         Information security training

·         Policies framework training

·         Business continuity training

·         Incident response training

·         Tabletop exercises for disaster recovery

·         Cyber security training

·         Anti-phishing training and response

·         Health Information Portability and Accountability Act training

·         Sarbanes-Oxley Act training

It is important to help your IT staff with continued industry certification such as CISSP, CISA, CISM, CRISC, CEH, CCFP, and GAIC. Each of these requires annual CPEs to keep up the certification and stay sharp in terms of industry knowledge and experience. In addition, technology training for IT and security staff is crucial.

About the Importance of Effective Tabletop Crisis Exercises
Unlike technology practices or employee habits, in crisis management the best predictor of future performance is not past performance. Instead, an effective way to predict the efficacy of crisis response efforts and combat looming risks is through conducting recurring tabletop crisis exercises.
A tabletop crisis exercise is essentially a role-playing activity that presents a group of participants from one or more organizations with a set of exercise modules. These modules include a written crisis scenario that simulates imminent risk within a specified time frame. The exercise participants are asked to analyze the situation, pose questions, and cultivate problem solving skills that help generate solutions.

External consultants typically function as exercise facilitators who help participants identify gaps in existing crisis response plans and procedures. Once gaps have been identified, solutions that will enable more effective crisis management should be developed following the exercise.
The realistic crisis scenarios utilized in tabletop exercise modules are always customized and vary widely depending on the organization. When creating a tabletop crisis exercise, it is essential to evaluate impacted business areas, determine the corresponding time frame, and triage which risks should be addressed by the exercise participants.

While many vital crisis management lessons may be learned in the course of a tabletop crisis exercise, the goal of the training is not to immediately devise solutions to problems that are identified during the exercise. It is also important to remember that the tabletop crisis exercise is not a test and hence nobody will fail. Rather, it is an exercise designed to systematically identify improvement opportunities for existing crisis management plans and procedures.

Tabletop crisis exercises should assess existing crisis response plans and procedures for accuracy and completeness, build familiarity and consensus among exercise participants, recognize upstream and downstream dependencies, and ascertain existing communication capabilities. The participants will not know the answers to every problem – and that is precisely the point.
C4CS® regularly conducts tabletop crisis exercises that utilize realistic crisis scenarios. Our training exercises are tailored to fit the individual client partner's needs no matter the industry, size, or location. For example, for a company that has a high likelihood of falling victim to a data breach that may significantly impact business continuity, our team will develop a customized IT crisis scenario. A chemical manufacturing client, however, may instead opt for a tabletop exercise scenario centered on an industrial accident which involves raw materials that are stored onsite.
The tabletop crisis exercise begins with an introductory component and a section that introduces the exercise scenario. After that, our facilitators share a list of facts along a specific timeline that are presented in the form of exercise modules. Questions based on actions that should be considered by the exercise participants are discussed at the end of each exercise module. The number of exercise modules depends on client partner needs. Our tabletop crisis exercises conclude with a debrief and a discussion of what the exercise participants learned during the session and how urgently identified gaps should be addressed.
By utilizing our clients' active crisis response plans and lessons learned from any past crises the organization may have experienced, as well as other industry standards and procedures, we develop and conduct tabletop crisis exercises centered on any crisis our client partners may face. This includes physical accidents, active shooters, food borne illness, product recalls, financial fraud, and many more crisis scenarios. Our firm also typically helps client partners with crisis scenario selection.
After the tabletop crisis exercise has been executed, C4CS® provides a follow-up report. The report contains a retrospective analysis of the actions taken during the exercise, identifies whether or not specific exercise objectives were met, and provides expert advice delineating which steps should be taken in order to meet specific crisis management and business continuity planning goals.
Research shows that organizations that are well prepared experience significantly fewer crises. With assets, customers, employee information, reputation, and perhaps organizational survival at stake, it is imperative for any company to invest in recurring tabletop crisis exercises and other crisis preparedness related training. As stated by Confucius: "I hear and I forget. I see and I remember. I do and I understand." At C4CS®, we have learned that these are wise words. We therefore encourage our client partners to embrace recurring training as a critical component of effective business continuity planning and crisis management.

If you have any questions concerning this article, please contact us at We look forward to hearing from you.

Food For Thought

"In the current climate, it is no longer a matter of
if a data breach will strike, but when.
All companies should anticipate being hacked.
What they do once the hack has occurred
could save time, money, frustration,
and their hard-won reputation."

Evan Bloom


Copyright © 2016 C4CS, LLC. All rights reserved.

Leaders in Strategic Communication
and Crisis Management