From the desk of: Sam C. Chan

Bravo Protocol for Interaction & Authorization
with Client Staff, DIFA and Management

First Published: Jun 3, 2009   Rev. 2.0: May 1, 2012   Last Updated: Nov 22, 2016

  1. An unauthorized staff member initiating a support call will
    1. be reminded of the requirements: DIFA pre-screening & approval + tracking
    2. self-declaration, when prompted, is summarily accepted, unless
    3. Management stipulated otherwise in advance
  2. The DIFA (defined in my 2000 memo) is authorized by Management, and
    1. serves as the default central point of contact & coordination, with
    2. a certain level of decision power, incl. funds appropriation, and
    3. option picking, according to operational needs, priority, resource constraints
    4. multiple co-DIFAs can be accommodated
  3. Incidents beyond a certain severity threshold,
    1. albeit well within DIFA's jurisdiction,
    2. will trigger cc to Management by default
  4. The exact threshold is at BTC's discretion, which
    1. takes into consideration all pertinent factors,
    2. in conjunction with industry conventions & best practices, including
    3. a div of DHS CISA: NIST SP 800-61 Rev. 2, while
    4. complying with general regulatory requirements, plus
    5. applicable local ordinances, OVERRIDDEN BY
    6. Management's prior explicit instructions and/or contractual clauses
  5. Such cc will be limited to the Final Report, to avoid inundating Management, unless
    1. the situation is deemed urgent enough that
    2. timely play-by-play might be required/desired by Management,
    3. so as to participate and steer direction, or
    4. otherwise intervene (abort/escalate/reassign)
  1. "Management" is a de facto designation (typ. over the decades?)
    1. May include (but is not limited to) a particular owner, manager, plus
    2. authorized key contacts on file (for alerts, but not for $ power)
  2. Once established, it cannot be altered without BTC acceptance, which entails
    1. formal transfer/approval by existing Management, with
      1. written notice to BTC + acknowledgment from BTC
      2. for any removals/change-of-rights/additions
    2. assertions of override by new entities (even a previous partner/family member) require
      1. a formal declaration notice from the firm's legal representation, or
      2. production of legal proof of assumption of ownership upon request, or
      3. via receivership notice from court
  3. In the event Management never completed formal designation of DIFA, but
    1. only offered tacit acquiescence, then
    2. DIFA status remains murky, resulting in frequent cc to Management...
    3. in consideration of the weak/informal delegation power
  1. BTC can & will provide guidance on compliance-related specifics, conduct requisite structured briefings, implement techniques, furnish apparatuses, critique existing infrastructure & policies, or otherwise advise on:
  2. NIST SP 800, SOX, HIPAA, GDPR, PCI DSS 3.2.1, 23 NYCRR 500, and similar topics...
  3. HOWEVER, such services are ONLY the starting point, subject to:
  4. review, amendment, approval by your legal & accounting dept./external adviser(s), with
  5. ultimate responsibility & liability resting upon your organization

NOTE: I use the term "your firm" or other variants throughout this document, and in many others... fully realizing that not all of you are accounting firms or law firms. The word can be substituted with company / organization / farm / plant, as appropriate.

Copyright @2009-2016   Bravo Technology Center