I agree with Albert's approach.  

Steve Weber
Sr. Manager Data Security

 -----Original Message-----
From:   Oriol, Albert [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, February 28, 2002 1:19 PM
To:     '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject:        RE: Contingency Planning Procedures Requirements

I would say that provided the tone of the regs emphasizing the need to put
in feasible countermeasures that balance risks versus costs, you would be
fine as long as:
1) you document the risk analysis supporting a manual approach given the
risks your particular enterprise faces
2) and you test your procedures (whether manual or not) at acceptable
intervals to make sure they would work

a.
Albert Oriol, CHE, CISSP
Privacy & Data Security Officer
The Children's Hospital
[EMAIL PROTECTED]
(303) 861 6094


"All things should be as simple as possible, but no simpler"
-- Albert Einstein


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 28, 2002 12:10 PM
To: [EMAIL PROTECTED]
Subject: Contingency Planning Procedures Requirements


I work for a small MGU (Managing General Underwriter) in the Self-Insured
market. Since we are small, we generally are limited to operating costs of
an avg of 10% of the premium that we underwrite. This 10% has to cover all
company expenses, purchases, etc. Due to this, the monthly expenditures of
having an IT "hot site" and "30 day offsite work area" are somewhat
prohibitive.

If in our Contingency Plan we plan only for manual processes in case of
systems failure, until system recovery, would there be a problem during
auditing that we do not take into account an offsite business Continuation
of Operations Plan?

43252, c. Contingency Plan states "The organization would be required to
perform .... have available critical facilities for continuing operations
in the event of an emergency and have disaster recovery procedures in
place."

Thanks for any input anyone has in regards to this matter.


Sincerely,

Steve Sklar
IT Manager
Majestic Underwriters, Inc.
(p) 248.583.4488  x246




**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.


CONFIDENTIALITY NOTICE: The information contained in this message is legally
privileged and confidential information intended only for the use of the
individual or entity named above.  If the reader of this message is not the
intended recipient, or the employee or agent responsible to deliver it to
the intended recipient, you are hereby notified that any release,
dissemination, distribution, or copying of this communication is strictly
prohibited.  If you have received this communication in error, please notify
the author immediately by replying to this message and delete the original
message. 
Thank you.


