Bravo
Protocol for Interaction & Authorization with Client Staff, DIFA and Management
First Published: Jun 3, 2009
Rev. 2.0: May 1, 2012
Last Updated: Nov 22, 2016
- Unauthorized staff member initiating support call will
  - be reminded of requirements: DIFA pre-screening & approval + tracking
  - self-declaration, when prompted, is summarily accepted, unless
    - Management stipulated otherwise in advance
- The DIFA (defined in my 2000 memo) is authorized by Management, and
  - serves as the default central point of contact & coordination, with
    - certain level of decision power, incl. funds appropriation, and
    - option picking, according to operational needs, priority, resource constraints
  - multiple co-DIFAs can be accommodated
- Incidents beyond a certain severity threshold,
  - albeit well within DIFA's jurisdiction,
  - will trigger cc to Management by default
  - The exact point of threshold is at BTC's discretion, which
    - takes into consideration all pertinent factors,
    - in conjunction with industry conventions & best practices, including
      - CSRC.gov (a div of DHS CISA): NIST SP 800-61 Rev. 2, while
    - complying with general regulatory requirements, plus
      - applicable local ordinances, OVERRIDDEN BY
        - Management's prior explicit instructions and/or contractual clauses
  - Such cc will be limited to Final Report, thus avoiding inundating Management, unless
    - situation is deemed urgent enough that
      - timely play-by-play might be required/desired by Management,
        - so as to participate and steer direction, or
        - otherwise intervene (abort/escalate/reassign)
DEFINITIONS & CLARIFICATIONS
- "Management" is de facto designation (typ. over the decades?)
  - May include (but not limited to) a particular owner, manager, plus
    - authorized key contacts on file (for alerts, but not for $ power)
  - Once established, cannot be altered without BTC acceptance, which entails
    - formal transfer/approval by existing Management, with
      - written notice to BTC + acknowledgment from BTC
      - for any removals/change-of-rights/additions
    - assertions of override by new entities (even previously a partner/family member) require
      - formal declaration notice from firm's legal representation, or
      - legal proof of assumption of ownership, produced upon request, or
      - receivership notice from court
- In the event Management never completed formal designation of DIFA, but
  - only offered tacit acquiescence, then
    - DIFA status remains murky, resulting in frequent cc to Management...
      - in consideration of the weak/informal delegation power
DISCLAIMERS
- BTC can & will provide guidance on compliance-related specifics, conduct requisite structured briefings, implement techniques, furnish apparatuses, critique existing infrastructure & policies, or otherwise advise on:
  - NIST SP 800, SOX, HIPAA, GDPR, PCI DSS 3.2.1, 23 NYCRR 500, etc. topics...
- HOWEVER, such services are ONLY the starting point, subject to:
  - review, amendment, approval by your legal & accounting dept./external adviser(s), with
    - ultimate responsibility & liability resting upon your organization