Infogov’s CEO, Stephen Hall said “With 15 years experience in governance, risk and compliance technology development, together with SCC’s 35 year history enhancing services through ICT provision, together we are an ideal match to present ourselves to the UK Office of Government Commerce (OGC) Catalist catalogue and UK Ministry of Defence information assurance catalogue.

These allow you to place an order direct for the Proteus Enterprise complete governance, risk and compliance framework.

“Each of these specific frameworks may be good at what they focus on – but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, security, compliance, audit, quality, EH&S, sustainability – all have their respective islands of standards. This makes putting a GRC strategy in place that bridges these silos difficult as the language, implementations, and approaches are quite different. In fact – organizations trying to get an enterprise view of risk and compliance desperately search for a GRC “Rosetta Stone.”

“Not so” said Stephen Hall of Infogov. “We set out to build Proteus Enterprise as a multi-standard GRC platform…operating on common data. Proteus Enterprise™ software recognises and adopts a ’standard’ approach to the convergence of Corporate Governance, Compliance with multiple standards and Risk Management. Proteus is the one that succeeds in linking GRC together and putting everything in context with each other.”

Proteus® software http://www.infogov.co.uk/downloads/index.php has a history dating back to 1995 when the BSI (British Standards Institution) first adopted the original software as the preferred tool to automate the BS7799 Code of Practice for Information Security Management.”
“In one web based multi user, multi site, multi standard GRC knowledge environment:

- Controls, policy, roles and assets mapping
- Policy distribution
- Training attestation
- Control self-assessment and measurement
- GRCM asset repository
- Remediation and exception management
- Compliance and risk management with reporting and dashboards
- Worldwide view with drill down to line items on site for all GRC activity augmented by traffic lights

Proteus automates compliance and risk management of any Law, Regulation, Standard, Policy, Contract, SLA or management plan.”

“Just look at the library of standards we have for Proteus”, Stephen said: “BS ISO 27002 Full and Lite, ISO 27002 (also available in Spanish, Italian, and French), Call Centre Security, BS 25999, Physical Risk Audit, Gambling Commission (Online Gaming), CobiT 4.1, Data Protection Act (UK), EU Data Privacy (Italian and Spanish), ITIL V3Civil Contingencies Act, Freedom of Information Act, SOX (CobiT controls and full), SAS70, PCI DSS, ISF Health check and SoGP, ISO 38500:2008 ‘Corporate governance of information technology’ and OHSAS 18001. Others on request.”

“And we have another 140 planned!”

“The product strategy has led the way for the market, and is founded on the principle of automating best practice as documented in many British (BSI), International (ISO), and Industry Standards e.g. PCI DSS and CobiT, or indeed client specific control frameworks. It is built in such a way as to fully integrate Compliance, Risk Assessment, Impact Analysis, Incident Management, Document Control and Dissemination, but in a very flexible model that allows implementation to suit the client’s priorities and preferences.”

Stephen added “Michael is quite right to say that there is only one framework that I see that brings this universe of GRC into a common language, process, and architecture – that is the OCEG Red Book (v2) and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC.”

“Proteus supports the GRC Capability Model and is a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them, augmented by Proteus as the underpinning enable technology will allow an organization to:

· Achieve business objectives
· Enhance organizational culture
· Increase stakeholder confidence
· Prepare and protect the organization
· Prevent, detect and reduce adversity
· Motivate and inspire desired conduct
· Improve responsiveness and efficiency
· Optimize economic and social value“

Stephen concluded “Yes, the GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control….and it provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. But the following 8 components of the OCEG GRC Capability Model™ is more efficiently and effectively implemented when done so through a truly universal GRC platform in Proteus:

1. CULTURE & CONTEXT. Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
2. ORGANIZE & OVERSEE. Organize and oversee the GRC system so that it is integrated with and when appropriate modifies, the existing operating model of the business and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
3. ASSESS & ALIGN. Asses risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
4. PREVENT & PROMOTE. Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
5. DETECT & DISCERN. Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
6. RESPOND & RESOLVE. Respond to and recover from non-compliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevent or resolve similar issues more effectively and efficiently in the future.
7. MONITOR & MEASURE. Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
8. INFORM & INTEGRATE. Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.”

Please reply back with your feedback and thoughts. How do you see organizations bringing together an enterprise view of governance, risk, and compliance? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.

In this issue, reference is made to a journal article of interest entitled: “Games and terrorism: Recent developments” and a recent book chapter that provides “An explanation of how case study research and simulation can be used to teach the subject of negotiation exercises relating to international security”.

This is followed by reference to a report that looks at a number of issues relating to “the behaviours of survivors and witnesses during the explosions and immediate aftermath” vis-à-vis the 7/7/2005 London bombings. A new report relating to Public Sector Information Security is given coverage and this is followed by information relating to a briefing paper relating to the vulnerability of energy infrastructure to environmental change; information relating to the Centre on Global Health Security; and the European Security and Defence Forum (ESDF).

Next, attention is paid to Critical National Infrastructure (CNI) and US Cyber Security strategy. Virtual worlds and second life receive attention and so does the topic of possible cyber attacks during the London Olympics. The Whitehall Paper on climate change is featured; reference is made to the safer schools working group; and the MSc in Security and Risk Management at Leicester University.

Information relating to the Competitive Intelligence - Marketing Interface Teaching and Research Initiative (CIMITRI) is provided and updated information relating to the forthcoming CAMIS Security Management conference is included together with a conference booking form.

A Journal Article of Interest
Sandler, T., and Siqueira, K. (2009). “Games and Terrorism: Recent Developments”, Simulation & Gaming, Volume 40, Number 2, pp.164-192.

The authors state in the abstract on page p.164.
“This article provides an updated survey of recent advances in game-theoretic analyses of terrorism. In particular, it investigates the government’s allocation of a fixed budget to counter attacks against potential targets. The choice between proactive and defensive countermeasures is addressed, along with the impact that domestic politics has on this choice. Other topics include the interaction between political and militant factions within terrorist groups, the role of asymmetric information, and game-theoretic analysis of suicide terrorism. Throughout, the article highlights surprising results from the application of game theory. Unanswered questions are also indicated”.

Key Words: asymmetric information, backlash terrorism, defensive countermeasures, game theory, militant factions, proactive countermeasures, suicide attacks, terrorism

A Book Chapter Of Interest
Trim, P.R.J., and Lee, Y-I. (2009). “An explanation of how case study research and simulation can be used to teach the subject of negotiation exercises relating to international security”. In: The International Simulation and Gaming Research Yearbook: Teaching and Learning Through Gaming and Simulation, Volume 17. Tan, K., Muyldermans, L., and Johal, P. (Eds). Edinburgh: SAGSET, pp.49-62.

The authors state in the abstract (page 49):

“Case study research is often incorporated into a broad based research strategy and has been used effectively to produce insights and unique solutions to complex business problems. Simulation exercises are often viewed as training oriented and at times acknowledged as valuable evaluation vehicles for assessing how well certain people do in laboratory type learning environments. It is also important to note that simulation exercises can be used to focus attention on developing bodies of management knowledge and are often a fair representation of real world situations, events and working practices. Negotiation exercises can be viewed as a form of simulation and can be used in order to teach aspects of international security”.

Social-psychological Study Relating To The 7/7 2005 London Bombings.

“Although a number of previous studies have looked at Post Traumatic Stress Disorder and preparedness among Londoners following the bombings, this is the first to look at the behaviours of survivors and witnesses during the explosions and immediate aftermath. Sussex University’s Dr Drury and his co-authors, Dr Chris Cocking (formerly at Sussex, now at London Metropolitan) and Professor Steve Reicher, gathered accounts from over 90 survivors. Survivors were asked whether people panicked. One witness said: “In our carriage no, or if they did they panicked inwardly, they didn’t express their panic. I mean there was no screaming in our carriage, I mean people were trying to get out the door but they weren’t trying to get out of the door stupidly.” The key findings were:• There was no ‘mass panic’ and little selfishness, despite the fact that people felt in danger of death, saw little hope of escape and were mostly among strangers.• Instead, there was widespread mutual concern, co-operation and helping in the crowd.• Given the time taken for the emergency services to arrive on the scene, it was the survivors themselves who were the ‘first responders’, they tied tourniquets, constructed makeshift bandages for each other, tried to save each others’ lives and gave emotional support.• The people interviewed made clear that they felt a strong sense of camaraderie, unity, and togetherness with the rest of the crowd; indeed, their ‘common fate’ had brought them together and motivated mutual aid………………….

Based on this study and on other studies of emergencies like the Hillsborough disaster, Dr Drury and the team have drawn the following conclusions:• Crowd in emergencies need to be viewed as a social psychological resource instead of a psychological problem.• The ‘collective resilience’ that can arise in crowds in emergencies can enhance the chances of survival.• The emergency services need to harness this phenomenon rather than inhibit it through excluding the crowd from its own self-protection and safety.

The report’s findings and implications have already been included in the recent NATO guidelines on psychosocial care for people affected by disasters and major incidents”.
Please consult: http://www.sussex.ac.uk

Source: Professional Security Magazine, May, 2009

A New Report Relating To Public Sector Information Security

“The Public Sector Information Security report clearly sets out the areas of risk within your organisation and, in the context of the relevant security standards, examines best practice for avoiding these potential security issues.
Throughout the report real-world examples are identified, cross referenced to the specific security issue and then the ISO27001 control that would have reduced the risk and/or the impact of the incident is explained.

A complete overview of ISO27001 is provided, as well as an examination of Principle 7 (the “security principle”) of the Data Protection Act, the Payment Card Industry Data Security Standard and the Government Code of Connection.
The Information Governance toolkit and the subject of ethics and professionalism are also discussed and the environmental issues that are now so prevalent both in the public and private sector are taken into account.
Public Sector Information Security is written by Andrea Simmons (CISSP, CISM, MBCS CITP, M.Inst.ISP, BS7799 LA) whose extensive experience of local government and other public sector bodies ensures this report provides you with a unique level of expertise when approaching this critical issue.
From IT Security to Information Governance, this comprehensive new report helps you to implement best practice, defines roles and responsibilities and even explores the worst case scenario with advice on incident management and business continuity”.

Source: Ark Publishing Ltd.

The Vulnerability of Energy Infrastructure to Environmental Change
A briefing paper from Chatham House, Cleo Paskal:

· “Much energy infrastructure lies in areas that are predicted to become increasingly physically unstable owing to changes in the environment.

· Already there have been environment-related disruptions to hydroelectric installations, offshore oil and gas production, pipelines, electrical transmission and nuclear power generation.

· As a result of scheduled decommissioning, revised environmental standards, stimulus spending and new development, there is likely to be substantial investment in new energy infrastructure.

· It is critical that new and existing infrastructure be designed or retrofitted for changing environmental conditions.

· It is no longer sufficient only to assess our impact on the environment; now we must also assess the impact of a changing environment on us”.
Source: Chatham House Newsletter - May 2009

Chatham House Centre on Global Health Security

“In March 2009, Chatham House formally launched its Centre on Global Health Security with the announcement that Dr David Heymann will head the Centre. Dr Heymann was formerly Assistant Director-General, Health Security and Environment, at the World Health Organization.
The Centre on Global Health Security will draw on Chatham House’s expertise and international networks in foreign policy and international affairs to broaden the debate over global health.

Its key aims will be to conduct research, host events and develop new policy initiatives and best practices. These activities reflect the growing need for close cooperation on global health goals across government departments, international institutions, civil society and the private sector”.

Source: Chatham House Newsletter - May 2009
European Security And Defence

“The European Security and Defence Forum (ESDF) has been set-up to analyze the shifts and developments in national and European security and defence policies. It will also work to promote a better understanding of Europe’s strategic relationship with the United States.
Working in conjunction with the Istituto Affari Internazionali in Rome, for the next three years the Forum will bring business, NGOs and young academics together with the defence policy community to reinvigorate the public debate about the meaning and purpose of security and defence policies in the early 21st century.

It will investigate the issues relating to international cooperation in these fields, as well as the response to new and emerging threats and challenges.

The Forum will convene a series of workshops and other events, as well as an annual conference. A series of occasional briefing papers will be published, together with an annual compendium of essays and commentaries known as The Carrington Papers.

A Steering Committee initially chaired by Sir David Omand GCB, formerly Security and Intelligence Co-ordinator/Permanent Secretary, Cabinet Office, will provide guidance and advice on focus and substance of the meetings and will review the progress of the Forum. …………………….
The Steering Committee will work with Dr Paul Cornish, Head, International Security Programme and Carrington Chair in International Security at Chatham House”.
Source: Chatham House Newsletter, June 2009

Critical National Infrastructure (CNI)
“The UK’s complex networks of Critical National Infrastructure (CNI) are the veins and arteries upon which its political, social and economic well being depend. In our increasingly just-in-time society, the UK’s reliance on its CNI has continued to grow and our dependence is now such that even fleeting disruption is potentially disastrous.

In the coming years, the protection of critical infrastructure will be shaped by a growing understanding and practical experience of the threat posed by climate change and growing energy insecurity. These new drivers run in parallel with the global financial crisis. The economic downtown has the potential to constrict security spending and further reduce levels of redundancy within critical networks and services. As a result, the challenges for those protecting infrastructure seem destined to multiply.

In Europe, in the midst of these changing contexts, the new European Directive on Critical Infrastructure Protection has been created. Meanwhile, in the US the incoming administration has committed itself to massive investment in infrastructure”.

Source: RUSI Website, 7th May, 2009

US Cyber Security Strategy: As Reported By Computing.co.uk

“US President Barack Obama has announced a new cyber security strategy and the creation of a White House post to personally advise him on protecting the nation’s digital infrastructure.
“This new approach starts from the top with this commitment from me,” said Obama.
“Our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be, as a strategic national asset. Protecting this infrastructure will be a national security priority.”

The appointment of the White House Cyber Security Co-ordinator is yet to be made, but Melissa Hathaway, cyber security chief at the National Security Council, wrote in a blog post on the White House web site that the challenges of delivering the new strategy affects everyone.
“Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law,” she said.

“There are opportunities for everyone - individuals, academia, industry, and governments - to contribute toward this vision.”

The threat of cyber warfare has grown dramatically in recent years, and fears over terrorists attacking electronic infrastructure have raised the issue to the highest political level around the world”.

Source: The Cyber Security Knowledge Transfer Network Website, 1st June, 2009

Virtual Worlds And Second Life: As Reported by vnunet.com
“Virtual worlds could be the next target for online criminals, raising new challenges for UK organisations, according to government-backed security body the Cyber Security Knowledge Transfer Network (KTN).

Tony Dyhouse, the newly appointed director of the organisation, argued that, as companies increasingly use online virtual environments to cut costs and gain competitive advantage, they could expose themselves to greater risks.

“An interface like Second Life could be the browser of tomorrow and it will bring a lot of challenges, so we need to start thinking of the problems that might be facing firms,” he said. “We are looking to focus on the problems facing the captains of industry in 10 years’ time.”

The Cyber Security KTN aims to engage with industry, academia and government to identify the challenges, and respond in a more cohesive way to help boost the UK’s cyber security.

Dyhouse explained that part of his mission as incoming director is to ensure a more co-ordinated response to current threats.

“A lot of innovation is going on in this country, and only occasionally do we talk to each other. This silo mentality is not good enough,” he said. “The threats are worldwide and those seeking to undermine us operate worldwide, so we have to decide how best to deal with that.”

Dyhouse added that the designing and engineering of IT networks and software is still being done without adequate provision for security, a problem made worse when budgets are cut.

“We also need more rigorous testing,” he argued. “We need to make software with flaws unacceptable. If you come back from the supermarket with products gone bad it is unacceptable, but with software it seems it’s OK.””

Source: The Cyber Security Knowledge Transfer Network Website, 1st June, 2009

Possible Cyber Attacks During The London Olympics
“Former UK home secretary David Blunkett will warm up the Infosecurity Europe event in London this week with a warning about cyber attacks during the London Olympics.
At the event, which starts on 28 April, Blunkett will advise delegates that computer and communications systems will suffer a “complete meltdown” unless channels that can respond to and mitigate attacks are used properly. He is also expected to criticise the way the UK responds to threats.

Blunkett will warn of advanced infiltration techniques and sophisticated criminals who are looking to disrupt the Olympics and the UK economy as a whole.

“The threat by organised criminals engaging in sophisticated fraud is just as great as the danger from those seeking to damage the economic, commercial and political life of the country,” he will say, according to a copy of the speech seen by vnunet.com.

“Such criminals could target a whole range of Olympics visitor requirements, from ticketing, transportation and the crucial area of hotel and other bookings, which would severely disrupt, or even wipe out, accommodation reservations.

“A sophisticated attack of this sort would be economically and commercially devastating, but the ability to block it exists and could demonstrate that Britain is the best and safest place for e-commerce in the world.”
Blunkett will continue his speech with the warning that the UK appears to be ill-equipped to handle such attacks.
“There still appears to be a woeful level of awareness of the threat of cyber attack, organised crime and the level of fraud, covering government, business and individual consumers and users of the internet. Awareness of the processes and technology to protect from this - and worse - is very low,” he will say.
Blunkett will recommend a co-ordinated approach to cyber crime prevention and detection, and a partnership approach that takes in organisations of all kinds.
“Compare this with what is happening in the US, where $100m [£68m] in the last six months was spent on combating attacks not just on military centres, but water supply, electricity installations and other major utilities,” he will explain.
“The level of complacency from our own utilities is breathtaking. That is why urgent and decisive leadership from government in partnership with business and those with security expertise is urgently needed.””
Report by David Neal vnunet.com, 27th April, 2009
Source: The Cyber Security Knowledge Transfer Network Website, accessed on 1st June, 2009

Climate Security
Mabey, N. (23rd April, 2008). “Delivering Climate Security: International Security Responses to a Climate Changed World”.
“This Whitehall Paper argues that the international response to climate security threats has been ‘slow and inadequate’ and nations need to integrate climate change into their security policy to prepare for worst case scenarios.
In the next decades, climate change will drive as significant a change in the strategic security environment as the end of the Cold War. If uncontrolled, climate change will have security implications of similar magnitude to the World Wars, but which will last for centuries.
The past will provide no guide to this coming future; a robust response will require clear assessments based on the best scientific projections.
Security sector actors must not just prepare to respond to the security challenges of climate change; they must also be part of the solution. This Whitehall Paper outlines a framework for climate security analysis and some of its implications for security policy, practice and institutional change”.
Source: RUSI Website, 7th May, 2009

Safer Schools Working Group
“It is well established that much crime is opportunistic. Offenders often take advantage of the way the environment is planned, products designed or services are managed. Therefore the way places and products are designed or a service managed can have a significant effect on crime levels.

Kate Broadhurst, Head of Research has been invited to join the steering group of a new joint DCSF and Home Office project aimed at identifying the kinds of safety and security issues that can arise in and around schools and other children’s settings and drawing together design principles and examples of good practice that architects and others can use to help reduce vulnerability.

The project will result in updated design guidance to be published next year, and will contribute to an international security conference under the auspices of the OECD Programme for Educational Buildings in January 2010”.
Source: Perpetuity Group Newsletter, Issue 28, 28th May, 2009.

Postgraduate Degree Programme: The Department of Criminology, University of Leicester
“The MSc in Security and Risk Management allows you to develop a detailed knowledge of aspects of crime, risk and managing security in organisations……..a range of theoretical models that explains why and how people commit crime, how to analyse and assess risk, and how to manage security…….learn how to design, conduct and critically appraise research within these areas….value to those working within a security context, either in the private or public sector…..The MSc in Security and Risk Management offers students the opportunity to study a subject of great importance and relevance to them, whilst still being able to work at the same time”.
Source: Professional Security Magazine, 9th June, 2009
Competitive Intelligence - Marketing Interface Teaching and Research Initiative (CIMITRI)
“The exciting concept of a Competitive Intelligence-Marketing Interface delivers an enviable competitive advantage. Simply knowing about competitors is not enough. It is what the firm does with that information and how it weaves into its decision making process which makes the difference. The CIMITRI team at Leicester Business School is dedicated to encouraging the use of CI in business, strategic and marketing development. Research results and conceptual paradigms have been presented not only at academic venues, but through the professional media.

The whole concept of how intelligence impacts on strategic and/or tactical decision making combined with understanding the interface that this activity has with other vital marketing and R&D functions is a highly attractive, yet practically orientated area of study, investigation, training and skills development. Many projects have been completed and the body of research knowledge now residing within the CIMITRI team at Leicester Business School in unmatched in the UK.”.
Source: www.dmu.ac.uk/cimitri

The Fourth CAMIS Security Management Conference

The Fourth CAMIS Security Management Conference: Implementing Robust Security Strategies in Uncertain Times, will be held at Birkbeck, University of London, from Monday 7th to Wednesday 9th September, 2009. The organizer, Dr. Peter R.J. Trim can be contacted via the following e-mail address: p.trim@bbk.ac.uk

The theme of the conference, which should appeal to those employed in both the public and private sectors, can be viewed as timely and highly relevant. The conference will embrace various issues of security and provide a forum for those in the public and private sectors to discuss topics of common interest and exchange information relating to various security initiatives. Those attending the conference will be able to engage in discussion and explore new approaches to solving existing and recurring problems. It is expected that participants will be managers from the private and public sectors, government policy makers and advisors, specialist consultants, academics and researchers.

A number of subject areas have been identified including: risk and uncertainty in both developed countries and emerging markets; government-industry partnerships; business continuity planning; the need for anti-counterfeiting measures; the education, training and recruitment of security specialists; information security; communicating security threats to the general public; the need for governance; and various others. Indeed, those that wish to challenge existing practices in security management and/or intelligence studies, are encouraged to attend and present a paper at the conference. Paper presentations may well fall under the following set of subject headings/areas:

Business Continuity Planning and Succession Planning
Corporate Governance
Corporate Intelligence
Corporate Security
Corporate Social Responsibility
Counteracting Organized Crime
Counteracting the Actions of Terrorist Networks
Crisis Management
Cross-Cultural Negotiation and Policy Making
Disaster Management and Planning
Education, Training and Simulation Exercises
Executive and Expatriate Kidnappings and/or Protecting Overseas Employees
Food Security
Global Competition for Natural Resources
Global Risk Management
Homeland Security
Information Security
International Relations
IT Security and Computer Forensics
Leadership and Ethical Behaviour in Uncertain Times
Major Sporting Events and Security
Management Theory and the Subject of Resilience
Modelling and Scenario Analysis
National Security
Protecting Critical National Infrastructure
Public and Private Sector Partnerships
Strategic Management of Health Policies
Supply Chain Management, Outsourcing and Offshoring Security Issues
Transportation and Security

The conference will provide an opportunity for networking and will be highly interactive. The key note addresses and presentations will contribute to security initiatives and facilitate the development of theory. The conference will be spread over three days and a fee of £140.00 per day will be levied. Those presenting a paper/giving a talk will be charged a daily rate of £100.00. The fee will include lunch and refreshments throughout the day, and all conference material will be provided. Evening meals and accommodation are not included in the conference fee, and information about accommodation will be circulated in the near future.

Areas of attention (others may be included) are:

(1) insights into how management practices can be developed to enhance resilience and reduce organizational and institutional vulnerability;

(2) insights into how global interventionist frameworks can be introduced and developed to eradicate or mitigate threats and disruptive actions;

(3) insights into how trust based relationships can be formed that result in sustainable partnership arrangements being achieved;

(4) insights into how formal and informal networks can be developed that foster innovations in security technology, programmes and procedures;

(5) insights into how the concept of trust can underpin information sharing and information exchange;

(6) insights into how existing security programmes and polices can be translated into marketable products and services;

(7) insights into current initiatives that focus attention on recurring security problems; and

(8) insights into training, educational development and knowledge transfer, which results in expert decision-making.

Those wishing to contact Dr. Peter Trim, the director of CAMIS and editor of the CAMIS newsletter, can do so at the address below.

Centre for Advanced Management and Interdisciplinary Studies (CAMIS),
Department of Management,
School of Management & Organizational Psychology,
Birkbeck,
University of London,
Malet Street,
London. WC1E 7HX.
United Kingdom.
Alternatively, he can be contacted via the following e-mail address: p.trim@bbk.ac.uk
2009 CAMIS Security Management Conference: Implementing Robust Security Strategies in Uncertain Times Booking/Registration Form. Please return this form, to Dr. Peter Trim by e-mail: p.trim@bbk.ac.uk
Title and Name
Institution/Organization
Contact Address
Telephone Number
Fax Number
E-mail Address
Title of Paper/Presentation(If not applicable state N/A)
Abstract (250 to 300 words) (If not applicable state N/A)
Co-author(s) (If applicable)
Appropriate Fee (£)(Please specify by placing a tick against the date(s) you will be attending and state the total appropriate fee.Please note: Those presenting a paper are entitled to a speaker (reduced) rate.The fees include lunch and refreshments, and conference material. NOTE: After 17th August, 2009 the daily fee increases to £160, however, the daily speaker’s rate remains at £100. Day 1: 7th September, 2009: £140______ Or Speaker rate: £100 ______ Day 2: 8th September, 2009: £140______ Or Speaker rate: £100 ______Day 3: 9th September, 2009: £140_______ Or Speaker rate: £100 ______ TOTAL FEE £ _______ Continued overleaf
Method of Payment(Please indicate: delete as appropriate and provide the information requested) Credit Card YES/NOOrCheque in Sterling Pounds YES/NOOrRequest that an invoice is sent to:Name:Address:

The objective of this British Standard is to enable organizations to put in place, as part of the overall information governance infrastructure, a personal information management system (PIMS) which provides a framework for maintaining and improving compliance with data protection legislation and good practice.

The key piece of legislation in this area is The Data Protection Act 1998. This implements a European Directive (95/46/EC) and applies to “personal data” which is defined in the DPA as information relating to identifiable living individuals.

This British Standard uses the term “personal information” in place of the term “personal data”.

The DPA is regulated and enforced by the Information Commissioner, who is responsible for promoting the protection of personal information. The Information Commissioner promotes good practice by the issue of guidance, rules on eligible complaints, provides information to individuals and organizations and takes appropriate action when the law is broken.

Automate your international and corporate Standards through Proteus Enterprise™, the fully developed online product to manage governance, risk and compliance with public, industry and corporate standards and policies

Created by Infogov
read more on the Infogov website
Download the data sheet

Do you need to comply with several Standards? Then obtain them from Infogov together with the latest, leading and fully developed automation tool, Proteus Enterprise™.

This web-based application is fully developed and easily deployed. It enables trouble-free management of your Governance, Risk and Compliance (GRC) challenges - online.

Are you a public, industry or corporate body? Proteus Enterprise™ handles any standard, and cross-refers clauses and controls to minimise workloads.

Do you want to create a compelling shared GRC web-based environment? Demonstrably effective and efficient governance, risk and compliance is now essential to your reputation in the international market place. International and corporate standards automated through Proteus Professional will enable and sustain this.

Do you need assurance that your compliance challenges are being managed to the minute but there is too much detail? Or some of your services are outsourced and you have no visibility of compliance?

• £600 per annum for Proteus Solo™ - for single users
• £6,000 per annum for Proteus Professional™ – for consultants
• Please call to discuss your Proteus Enterprise™ requirements – e.g. hosted subscription from £1,500 per month

Proteus Enterprise™ is the entry-level solution for industry specialists and consultants to make it easy to create a compliance program to meet any combination of external or internal standards. Proteus Enterprise™ contains all the core functionality of the on-line enterprise web-server product, but simply installed on a single PC.

Full support and training options are available with backup on any standard or compliance questionnaire, including self-authoring of full or reduced control sets. Of course, the very latest detailed compliance questionnaires are available, including BS ISO 27001/2, BS 25999-1 & BS 25999-2 – and even the emergent Infogov standard on fraud, PAS 8000.

Full support exists for all aspects of ISMS and BCMS, and purchase includes licensed copies of International and corporate Standards. Proteus® has been licensed and distributed by the BSI since 1995.

Find out more through the Infogov about Proteus Enterprise™
For a web demo, email 3 date/time options to sales@infogov.co.uk or call +44 (0)870 991 7213

Automate your international and corporate Standards through Proteus Solo™, the fully developed online product to manage governance, risk and compliance with public, industry and corporate standards and policies

Created by Infogov
read more on the Infogov website
Download the data sheet

Do you need to comply with several Standards? Then obtain them from Infogov together with the latest, leading and fully developed automation tool, Proteus Solo™.

This web-based application is fully developed and easily deployed. It enables trouble-free management of your Governance, Risk and Compliance (GRC) challenges - online.

Are you a public, industry or corporate body? Proteus Solo™ handles any standard, and cross-refers clauses and controls to minimise workloads.

Do you want to create a compelling shared GRC web-based environment? Demonstrably effective and efficient governance, risk and compliance is now essential to your reputation in the international market place. International and corporate standards automated through Proteus Solo will enable and sustain this.

Do you need assurance that your compliance challenges are being managed to the minute but there is too much detail? Or some of your services are outsourced and you have no visibility of compliance?

• £600 per annum for Proteus Solo™ - for single users
• £6,000 per annum for Proteus Professional™ – for consultants
• Please call to discuss your Proteus Enterprise™ requirements – e.g. hosted subscription from £1,500 per month

Proteus Solo™ is the entry-level solution for industry specialists and consultants to make it easy to create a compliance program to meet any combination of external or internal standards. Proteus Solo™ contains all the core functionality of the on-line enterprise web-server product, but simply installed on a single PC.

Full support and training options are available with backup on any standard or compliance questionnaire, including self-authoring of full or reduced control sets. Of course, the very latest detailed compliance questionnaires are available, including BS ISO 27001/2, BS 25999-1 & BS 25999-2 – and even the emergent Infogov standard on fraud, PAS 8000.

Full support exists for all aspects of ISMS and BCMS, and purchase includes licensed copies of International and corporate Standards. Proteus® has been licensed and distributed by the BSI since 1995.

Find out more through the Infogov about Proteus Solo™
For a web demo, email 3 date/time options to sales@infogov.co.uk or call +44 (0)870 991 7213

Automate your international and corporate Standards through Proteus Professional™, the fully developed online product to manage governance, risk and compliance with public, industry and corporate standards and policies

Created by Infogov
read more on the Infogov website
Download the data sheet

Do you need to comply with several Standards? Then obtain them from Infogov together with the latest, leading and fully developed automation tool, Proteus Professional™.

This web-based application is fully developed and easily deployed. It enables trouble-free management of your Governance, Risk and Compliance (GRC) challenges - online.

Are you a public, industry or corporate body? Proteus Professional™ handles any standard, and cross-refers clauses and controls to minimise workloads.

Do you want to create a compelling shared GRC web-based environment? Demonstrably effective and efficient governance, risk and compliance is now essential to your reputation in the international market place. International and corporate standards automated through Proteus Professional will enable and sustain this.

Do you need assurance that your compliance challenges are being managed to the minute but there is too much detail? Or some of your services are outsourced and you have no visibility of compliance?

• £600 per annum for Proteus Solo™ - for single users
• £6,000 per annum for Proteus Professional™ – for consultants
• Please call to discuss your Proteus Enterprise™ requirements – e.g. hosted subscription from £1,500 per month

Proteus Professional™ is the entry-level solution for industry specialists and consultants to make it easy to create a compliance program to meet any combination of external or internal standards. Proteus Professional™ contains all the core functionality of the on-line enterprise web-server product, but simply installed on a single PC.

Full support and training options are available with backup on any standard or compliance questionnaire, including self-authoring of full or reduced control sets. Of course, the very latest detailed compliance questionnaires are available, including BS ISO 27001/2, BS 25999-1 & BS 25999-2 – and even the emergent Infogov standard on fraud, PAS 8000.

Full support exists for all aspects of ISMS and BCMS, and purchase includes licensed copies of International and corporate Standards. Proteus® has been licensed and distributed by the BSI since 1995.

Find out more through the Infogov about Proteus Professional™
For a web demo, email 3 date/time options to sales@infogov.co.uk or call +44 (0)870 991 7213

The Information Technology Infrastructure Library (ITIL) is a customisable framework of good practices designed to promote quality computing services in the information technology sector. As an IT Service Management (ITSM) framework, ITIL provides a systematic approach to the provisioning and management of IT services, from inception through design, implementation, operation and continual improvement. The processes identified and described within ITIL are supplier and platform independent and apply to all aspects of IT infrastructure. Since the mid 1990s, ITIL has been generally considered a de facto international standard for IT Service Management.

ITIL v3’s core volumes are as follows:

- Service Strategy focuses on the identification of market opportunities for which services could be developed in order to meet a requirement on the part of internal or external customers. The output is a strategy for the design, implementation, maintenance and continual improvement of the service as an organizational capability and a strategic asset. Key areas of this volume are Service Portfolio Management and Financial Management.

- Service Design focuses on the activities that take place in order to develop the strategy into a design document which addresses all aspects of the proposed service, as well as the processes intended to support it. Key areas of this volume are Availability Management, Capacity Management, Continuity Management and Security Management.

- Service Transition focuses on the implementation of the output of the service design activities and the creation of a production service or modification of an existing service. There is an area of overlap between Service Transition and Service Operation. Key areas of this volume are Change Management, Release Management, Configuration Management and Service Knowledge Management.

- Service Operation focuses on the activities required to operate the services and maintain their functionality as defined in the Service Level Agreements with the customers. Key areas of this volume are Incident Management, Problem Management and Request Fulfilment. A new process added to this area is Event Management, which is concerned with normal and exception condition events.

- Continual Service Improvement focuses on the ability to deliver continual improvement to the quality of the services that the IT organization delivers to the business. Key areas of this volume are Service Reporting, Service Measurement and Service Level Management.
ITIL v3 uses the word “continual” as opposed to ITIL v2’s references to “continuous” service improvement (CSIP). Continual implies an activity that is undertaken on a phased, regular basis as part of a process. Continuous is more suitable for the definition of activities intended to operate without pause, such as the ultimate goal of availability.

There are a number of other titles available for ITIL version 3 including an Introduction, Study Guides, Key Element Guides details of which can be found within the Official ITIL site. This site also contains details of the examinations available for ITIL Version 3.

Proteus EnterpriseTM provides a convenient and easy mechanism to implement ITIL v3. It also enables large, medium and small enterprises to manage multiple standards such as those in Financial-GRC, IT-GRC and Operational-GRC within the same tool, and is designed to assist in delivering the key benefits of good information security governance:

- Improved trust in customer relationships
- Protecting the organization’s reputation
- Decreasing likelihood of violations of privacy and potential liabilities
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions
- Reducing operational costs by providing predictable outcomes
- Mitigating risk factors that may interrupt the process

The Control Objectives in ITIL v3 are fundamental to good Governance, and automation of the initial and ongoing management of this standard is highly recommended. Enterprise-wide visibility of the success of those controls is also vital because stakeholders and Boards want assurance that controls and risks are being managed. This visibility is provided through the Proteus RiskView™ module. This bridges the gap between the technical, regulatory compliance, risk communities and senior management within your organization. RiskViewTM distils, displays and reports on an enormous amount of information gathered from within your organization and displays it within a real time dashboard view. The web-server design makes deployment and access as simple and efficient as possible whilst retaining central coordination.

Proteus enables compliance-based management of risks, enterprise-wide – internationally because of its web-based design features. Large enterprises are experiencing an ever-increasing burden of regulation and legislation against which they have to demonstrate compliance. To make matters worse, this myriad of legislation occurs in different areas, for example financial regulation (Sarbanes Oxley), corporate governance, environmental issues, health & safety and industry sector specific.

This problem is not going away and is further compounded by having to map the standards against the company’s business processes. Proteus EnterpriseTM enables this mapping, therefore exposing the areas of non-compliance, the potential financial consequences, and the need to combine this with other existing risk management practices.

Proteus EnterpriseTM enables any standard to be automated, and in national languages too. We have a growing library of questionnaires so call or email with your particular requirement.
Information Governance Limited has extended its Licence Agreement with the British Standards Institute for its 14th year, enabling the embedding and automation of BSI Standards within the Proteus range of GRC software solutions. The BSI’s top standards for automation are Infogov’s priority.

Proteus EnterpriseTM was developed so that companies and institutions can comprehensively tackle varied and complex governance, risk, compliance and fraud challenges together. It is the world’s most mature single, combined GRC web-based utility. We started the GRC automated convergence revolution and a member of our management team conceived and authored the world’s first fraud management standard, soon to be published as BSI PAS 8000.

Governance, Risk, and Compliance or ‘GRC’ is about organizations focusing on attaining compliance with laws, regulations and standards and sustaining that compliance thereafter whilst identifying, quantifying, preventing or avoiding the identified risks in the market place, business and supply chain. Holistically, enterprise and operational compliance requirements and risks will increasingly be managed together. Corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, business continuity, employment/labour compliance, privacy compliance are all aspects of GRC.
Proteus EnterpriseTM, InfoGov’s software solution, provides such essential capability as compliance, supplier audit, remediation, action planning, incident management, business impact analysis, business continuity, asset management, risk assessment, policy management, management information and reporting in the form of a graphical ‘dashboard’.

ITIL v3 automation can be achieved with Proteus EnterpriseTM by contacting Infogov at contact@infogov.co.uk - more information is available at www.infogov.co.uk.

It is the standard for Occupational Health and Safety Systems. Many organisations are now looking at implementing the Occupational Health and Safety Management System. Although not a legal requirement, it is a recognised specification that structures the implementation of an effective H & S management system. OHSAS 18001 is the latest certification specification for Occupational Health and Safety Management Systems. It is based on already published criteria such as BS 8800 and the Management Regulations 1992. OHSAS 18001 is an audit/certification specification, not a legislative requirement or a guide to implementation.

Registration to OHSAS 18001 demonstrates a commitment to implement, maintain and improve the way in which you manage your Health and Safety system. Organisations registered to OHSAS 18001 can be more confident about meeting the requirements of H & S legislation. The setting of targets through the Health and Safety policy, together with the ongoing measurement against it ensures a process of continual improvement.

Essentially, it involves evaluating the health and safety needs of your staff and visitors and then identifying the boundaries of your system, documents and procedures. Once fully implemented to the Standard, they are then audited and regularly reviewed. Conformance to legislative requirements must also be borne in mind.

Proteus EnterpriseTM provides a convenient and easy mechanism to implement OHSAS 18001. It also enables large, medium and small enterprises to manage multiple standards such as those in Financial-GRC, IT-GRC and Operational-GRC within the same tool, and is designed to assist in delivering the key benefits of good information security governance:

- Improved trust in customer relationships
- Protecting the organization’s reputation
- Decreasing likelihood of violations of privacy and potential liabilities
- Providing greater confidence when interacting with trading partners
- Enabling new and better ways to process electronic transactions
- Reducing operational costs by providing predictable outcomes
- Mitigating risk factors that may interrupt the process

The Control Objectives in OHSAS 18001 are fundamental to good Governance, and automation of the initial and ongoing management of this standard is highly recommended. Enterprise-wide visibility of the success of those controls is also vital because stakeholders and Boards want assurance that controls and risks are being managed. This visibility is provided through the Proteus RiskView™ module. This bridges the gap between the technical, regulatory compliance, risk communities and senior management within your organization. RiskViewTM distils, displays and reports on an enormous amount of information gathered from within your organization and displays it within a real time dashboard view. The web-server design makes deployment and access as simple and efficient as possible whilst retaining central coordination.

Proteus enables compliance-based management of risks, enterprise-wide – internationally because of its web-based design features. Large enterprises are experiencing an ever-increasing burden of regulation and legislation against which they have to demonstrate compliance. To make matters worse, this myriad of legislation occurs in different areas, for example financial regulation (Sarbanes Oxley), corporate governance, environmental issues, health & safety and industry sector specific.

This problem is not going away and is further compounded by having to map the standards against the company’s business processes. Proteus EnterpriseTM enables this mapping, therefore exposing the areas of non-compliance, the potential financial consequences, and the need to combine this with other existing risk management practices.

Proteus EnterpriseTM enables any standard to be automated, and in national languages too. We have a growing library of questionnaires so call or email with your particular requirement.
Information Governance Limited has extended its Licence Agreement with the British Standards Institute for its 14th year, enabling the embedding and automation of BSI Standards within the Proteus range of GRC software solutions. The BSI’s top standards for automation are Infogov’s priority.

Proteus EnterpriseTM was developed so that companies and institutions can comprehensively tackle varied and complex governance, risk, compliance and fraud challenges together. It is the world’s most mature single, combined GRC web-based utility. We started the GRC automated convergence revolution and a member of our management team conceived and authored the world’s first fraud management standard, soon to be published as BSI PAS 8000.

Governance, Risk, and Compliance or ‘GRC’ is about organizations focusing on attaining compliance with laws, regulations and standards and sustaining that compliance thereafter whilst identifying, quantifying, preventing or avoiding the identified risks in the market place, business and supply chain. Holistically, enterprise and operational compliance requirements and risks will increasingly be managed together. Corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, business continuity, employment/labour compliance, privacy compliance are all aspects of GRC.
Proteus EnterpriseTM, InfoGov’s software solution, provides such essential capability as compliance, supplier audit, remediation, action planning, incident management, business impact analysis, business continuity, asset management, risk assessment, policy management, management information and reporting in the form of a graphical ‘dashboard’.

OHSAS 18001 automation can be achieved with Proteus EnterpriseTM by contacting Infogov at contact@infogov.co.uk - more information is available at www.infogov.co.uk.

The latest edition includes Proteus® Document Dissemination that adds a dynamic dimension to Policy and Procedure management across a diverse organization.   

With document dissemination, you can assign any document, held within the Proteus® document library, to specific functional Roles by individual audit point (e.g. a location or organisation entity), or alternatively, documents can be assigned by job title at a Group organization level. 

Standards and policy documents impact: 

• External reporting (Inspectorate, Customer and Shareholders)
• Marketing, Sales and Commercial
• Finance
• Concept, Prototype and Design
• Manufacture
• Service
• Logistics
• Supply Chain
• Disposal

Proteus® standards, automation, risk and document distribution capabilities, enable whole enterprises to transform their approach to managing the full scope of their operations from a regulator, compliance and risk perspective. 

All BSI, ISO and Defence standards may be automated in Proteus®. 

For more information about automating your regulatory, governance, risk and compliance challenges, contact us at: 

http://www.infogov.co.uk/contact_us/index.php 

ACCESS BSI STANDARDS:

http://www.bsigroup.co.uk/en/Standards-and-Publications/Standards-and-schemes/ 

ACCESS ISO/IEC STANDARDS:

http://www.standardsinfo.net/info/livelink/fetch/2000/148478/6301438/index.html�
 

ACCESS DEFENCE STANDARDS:

http://www.dstan.mod.uk/stanguid.htm