
High Reliability Organisations

This report investigates and critically discusses the approaches that High Reliability Organisations (HROs) take in managing information security risks within dynamic and fluid environments.
Hopkins states that the term “High Reliability Organisation” (HRO) first seems to have originated in the 1980s (Hopkins, 2007). At that time an HRO was defined as an organisation that works in a dangerous environment, or where other dangerous factors are involved, and that has succeeded in avoiding catastrophes even though accidents are to be expected given its complexity and/or risk factors. However, Lekka observes that there are now many definitions of the term “High Reliability Organisation” (Lekka, 2017). Lekka finds that the community is split between those who class HROs as organisations with good safety records and those who concentrate on which organisations are eligible to be HROs. A third approach, Lekka argues, is that all organisations are capable of achieving HRO status by focusing on the reliability-enhancing processes and characteristics that help an organisation to improve and sustain its safety performance.

HROs have some unique attributes in the way they view risk, built on Weick and Sutcliffe’s five pillars of mindful infrastructure (Weick & Sutcliffe, 2007). Hales and Chakravorty recognise HROs as organisations whose processes have extremely low failure rates because the cost of failure is so high (Hales & Chakravorty, 2016). They argue that this extremely low failure rate is due to Weick and Sutcliffe’s five key aspects of HROs. The first is a preoccupation with failure, which focuses organisational resources on increasing alertness by looking at points of failure, identifying errors, looking for alternatives and developing risk-free processes. The second is a reluctance to simplify: by considering the unique situation of each problem they avoid over-simplification. Thirdly, since solving one problem may create another, they remain sensitive to the overall operations of the business. Fourthly, the organisation should make use of the knowledge of the most experienced person rather than that of the highest-ranking person. Finally, the organisation should show a commitment to resilience, encouraging activities that prevent, counter or absorb failures. HROs class failure as a failure to detect or predict a problem whilst it is still small, since early detection allows lessons to be learned before the failure grows into a catastrophe (Hales & Chakravorty, 2016).

Although a full discussion is beyond the scope of this essay, it is also worth mentioning another influential research tradition in the area of safety, that of Resilience Engineering (RE). RE is concerned with engineering, efficiency and the process of knowing, whereas HRO draws more on social and organisational psychology, sociology and political science (Coze, 2016). It is interesting that psychology plays an important part in HRO: Weick, a renowned organisational psychologist, determines that organisations seeking to become an HRO should move towards a mindful infrastructure that continually tracks small failures, resists oversimplification, remains sensitive to operations, maintains capabilities for resilience and takes advantage of shifting locations of expertise (Weick & Sutcliffe, 2007). He warns that failure to move towards this mindful infrastructure can only magnify the damage produced by unexpected events and can seriously affect performance. Adhering to this infrastructure can reduce the severity and frequency of unexpected events, accelerate recovery and help with learning from the experience. HROs operate under trying conditions which stem from complex technologies, contentious events and incomplete knowledge of what may be faced, and yet HROs manage to have fewer accidents than the average organisation. Weick and Sutcliffe suggest that this is due in part to mindful organisation, and note that it is a mindful infrastructure in which people are able to notice the unexpected, report it, halt it or contain it. However, Lekka’s research raises concerns regarding the impact of HRO environments upon individuals within the organisation (Lekka, 2017). This research suggests individuals find these environments stressful because they have to work with precision at all times, follow strict rules and procedures and are not allowed to use their own judgement or creativity.
This could well have implications for utilising HRO methodologies within information security, where IT employees use their own judgement, decision making, fault finding and creativity on a daily basis. In this kind of environment Lekka suggests that HRO methodologies can be counterproductive (Lekka, 2017); for example redundancy, a well-used technique in IT and also an element of HRO, can lead to complacency and arguments about responsibility.

Hopkins also has some concerns over Weick’s mindful infrastructure, and addresses each of its pillars in turn. Firstly, warning signs can be ambiguous, and when a culture of reporting everything has been adopted, who decides whether each report is a sign of impending catastrophe or simply an insignificant glitch (Hopkins, 2007)? A related question is whether the signs of an impending catastrophe could be buried under mountains of insignificant reports. Hopkins’ second concern is that many organisations must simplify the data presented to them in order to make decisions and move forward. This is obviously not in keeping with Weick’s HRO principle of avoiding oversimplification, which holds that simplifications increase the likelihood of eventual surprise. Thirdly, Hopkins recognises that many organisations work within cultures of “silos” where employees work within their own small groups without thought for the impact of their decisions and actions on other parts of the organisation. Additionally, many organisations operate a “blame” culture in which employees will not report a failure for fear of repercussions. Hopkins determines that HROs need front line operators who maintain situational awareness and strive to stay aware of the current state of operations, which will prove impossible in such organisational environments. Fourthly, the commitment to resilience means that the organisation will be able to continue functioning in the event of a failure; HRO does not mean failure-free, it simply means that failures will not bring the organisation to a stop. Hopkins ties this in with his concerns regarding the size of the task of investigating all insignificant and significant reports of failure.
Finally, Hopkins recognises that many researchers have criticised Weick’s final characteristic of HROs, that of deference to expertise, especially when it comes to time-critical situations such as air traffic control towers, where controllers routinely abort landings and there is no time to refer the decision up the chain of command or even to a more experienced person.

In many industries, such as the power industry, the focus of HRO has been on ensuring the reliability of the equipment that supports the organisation’s primary purpose; in the power industry this is the equipment that supplies power to the national grid. Communications and information flows have been seen as peripheral to that primary purpose. However, Cleveland points to the US power failures in 2003, in which ongoing and cascading problems were caused by a failure to provide the right information to the right place at the right time (Cleveland, 2007). Cleveland reports that the power industry is relying more and more on communication protocols which rarely include any protection against inadvertent errors, malfunctions, failures or sabotage, preferring the approach of “security by obscurity”. As automation replaces manual operation the power industry is finally waking up to the realisation that it has two infrastructures to manage, the power system infrastructure and the information infrastructure. To this end the International Electrotechnical Commission (IEC) has developed international standards for securing the communication protocols used by power system control equipment. These standards are known as IEC 62351 and address the security of the protocols used by automation systems in the electricity distribution domain (International Electrotechnical Commission, 2010). Schlegel evaluates the security improvements that IEC 62351 recommends, finding that overall the standard can significantly improve the security of communications in the power industry, but also finds various incongruities, which he attributes to backwards compatibility limiting the design choices (Schlegel, 2017).
Various other standards have been written, such as ISA/IEC 62443, a broader standard dealing with procedures and the management of security in industrial control systems and less with the technical implementation details on which IEC 62351 focuses (The International Society of Automation (ISA)/International Electrotechnical Commission (IEC), 2014). Additionally there is NIST SP 800-82, targeting industrial control systems in general (National Institute of Standards and Technology, 2015), whilst NERC CIP focuses on the operators of power systems rather than the engineering (North American Electric Reliability Corporation, 2015). Besides these technical security standards, all US companies, whether large or small, have certain corporate laws that they must follow, such as the Sarbanes-Oxley Act of 2002, which introduced major changes to the regulation of financial practices and corporate governance. The Act is organised into 11 titles of regulatory requirements. The most important of these for the purposes of information security is the regulation of which company records must be retained on file and for how long. In practice the Act places the responsibility for that data retention on the shoulders of the IT department (US Government, 2002). However, it should be noted that the NIST guidance reported later in this essay treats cybersecurity risk as part of the organisation’s overall risk management rather than as a purely IT matter, so that responsibility rests with senior management and the board rather than with the IT department alone.

All of these standards for just one industry serve to show the complexities that each organisation has to cope with, and probably highlight why so little has been written on HRO within information security for general use amongst organisations, since each industry has its own set of security issues. In 2013 the President of the United States issued Executive Order (EO) 13636, which is intended to enhance the security and resilience of US critical infrastructure. In response, the US National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), which draws on existing control catalogues such as NIST SP 800-53 (NIST, 2013). The framework is targeted at improving cybersecurity within the critical infrastructure of the United States, but it can equally be applied to any single organisation’s critical infrastructure (National Institute of Standards and Technology, 2014). This enables organisations, regardless of size, risk or sophistication, to apply best practice and the principles of risk management to improving their security and resilience. NIST observes that, in the complex world of cybersecurity, the framework provides organisation and structure by assembling standards, guidelines and practices that are already in use across organisations today. Although NIST admits it may not be suitable for all sizes, types and industries, it expresses the view that, because of its usefulness and its references to international standards, the framework can also serve as a model for organisations outside the United States. The framework also recognises the role that privacy and civil liberties play in creating trust, and provides guidance to help facilitate privacy risk management.
According to NIST the framework core is a set of activities that allow an organisation to achieve a cybersecurity goal. Its five functions are to identify the resources that support critical functions, protect those resources by implementing safeguards and mitigation techniques, develop monitoring capabilities to detect any breaches that occur, respond to any breaches that do occur, and recover from them (see Figure 1).


Figure 1: Risk Categories and Functions

A useful part of the framework is the description of how framework implementation is coordinated (see Figure 2), which explains the decision flows within an organisation. This voluntary framework uses business drivers to guide cybersecurity activities and considers cybersecurity as part of the organisation’s overall risk management process. The NIST framework core should help resolve one of the main barriers in information security: that information security is seen as a technical issue instead of a management issue. Confidentiality, integrity and availability (CIA) are, and always have been, the focus of the technical community, but this framework expands information security into assurance of the quality of information and the dependability of systems.

Figure 2: Risk management

Another industry looking at High Reliability Organisation is the health care industry, where patient safety has been the main focus of concern. Similarly to the power industry, it is now realising that its information security infrastructure is just as vital to its operations as its primary role, the physical care of patients. In the US, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule gives individuals rights over their own health records. HIPAA’s Security Rule requires specific protections such as access control (for example passwords and PINs) to limit access to authorised individuals, encryption of data, and audit trails to track who accessed a record and when. HIPAA also requires health care providers to notify the individuals concerned of a breach and, where a breach is serious, to inform the Secretary of Health and Human Services and the media. The Security Rule, added to HIPAA in 2003, introduced requirements for the confidentiality, integrity and availability of all electronic protected health information (US Government, 2003) and required the adoption of security standards that take into account the technical capabilities of record storage systems, including the transmission of that data. In the UK, following a 1997 review of how patient information was handled, the Caldicott principles were first developed; they were revised in 2013, when a seventh principle was added. The original six Caldicott principles identified how a patient’s records should be secured and used. In 2015 the UK Health and Social Care Information Centre (HSCIC) published additional guidance on the security of technology and data in the UK health care industry; however, Stone believes that the US health sector has much more robust defences against cyber-attack (Stone, 2017).
These include a Cyber Threat Exchange (CTX), in which organisations from different industries share indicators of compromise (IOCs) with each other. According to Stone this significantly accelerates the detection of and response to cyber threats, and he believes the UK would benefit from a similar system.

In the UK, corporate governance has now become a big driver for information security management in HROs. Principle 7 of the UK Data Protection Act (DPA) states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (UK Government, 1998). This forces organisations to design and organise information security so that it is sufficient and appropriate for the data the organisation holds, taking into account the harm that would result from a security breach. This security should be backed up by robust policies, procedures and well-trained staff who are able to respond swiftly and effectively to any breaches that do occur. It should also be clear who has responsibility for the security of information within the organisation. All of this sits well with NIST’s guidance and its five core functions of Identify, Protect, Detect, Respond and Recover. The Turnbull Report, another big driver for information security in HROs, set out best practice on the internal control of UK listed companies in 1999. It was updated by the Financial Reporting Council (FRC) in 2005 under the title Internal Control: Guidance for Directors on the Combined Code, and has now been superseded by the FRC’s Risk Guidance of 2014 (Financial Reporting Council, 2014). Whilst this guidance does not mention information security directly, it does put the overall responsibility for risk management and internal controls directly at the feet of the organisation’s board. It advises the board to focus on those risks that could threaten the company’s business model, performance or solvency, irrespective of where they arise.
With the onset of GDPR and the hefty fines that can be imposed, information security can easily be considered one of these risks, and therefore information security should be included within HRO practices. Furthermore, the FRC’s guidance uses some of NIST’s five core framework functions to establish how this should be done: for example identify the risks, protect the resources, detect by monitoring, and respond by reviewing the effectiveness of the systems put in place. The only function of NIST’s guidance that the FRC’s guidance seems to omit is how to recover from a serious breach.

In May 2017, after massive data breaches at the Internal Revenue Service and the Office of Personnel Management, President Trump made the Cybersecurity Framework compulsory for all federal agencies by issuing a second executive order, EO 13800 (US Whitehouse, 2017). Tracy reports that whilst federal agency leaders agree that they should embrace the framework, they are having difficulty working out how to implement it because of the differences between the NIST Cybersecurity Framework and the NIST Risk Management Framework (Tracy, 2017). In response, NIST has released a guide on implementing the Cybersecurity Framework which describes eight use cases in which federal agencies can use the framework to address their responsibilities (National Institute of Standards and Technology, 2017). Tracy sees use case No. 7, “Report Cybersecurity Risks”, as particularly important, suggesting that it can use the framework core (see Figure 1) to allow objectives, outcomes, priorities and status to be communicated effectively and efficiently. Tracy believes it is of pivotal importance that cyber risk management takes place at all levels within an organisation to ensure successful outcomes.

The International Organization for Standardization (ISO) has released a series of information security standards, namely ISO 27000, ISO 27001 and ISO 27002, although ISO 27000 contains only the overview and vocabulary used throughout the other two specifications (Disterer, 2013). Disterer goes on to explain that ISO 27001 specifies an Information Security Management System (ISMS), is in fact a relabelling of British Standard (BS) 7799 Part 2, and evaluates the processes of an organisation rather than their content (Disterer, 2013). ISO 27002 is a relabelling of BS 7799 Part 1 and contains a Code of Practice consisting of a comprehensive set of information security control objectives. ISO 27001 describes a six-stage certification process which requires the definition of a security policy, the scope of the ISMS, a security risk assessment, the management of identified risks, the implementation of controls and the preparation of a statement of applicability. ISO 27001 also describes a lifecycle management approach which consists of establishing the ISMS, operating the ISMS, monitoring and reviewing the ISMS, and maintaining and improving the ISMS. This approach is known as PDCA (Plan, Do, Check, Act), and to achieve certification the ISMS must be audited by an assessor who works for the certification body. ISO 27002, on the other hand, does not require certification, only compliance. Gossels and Mackey suggest that some organisations may find compliance with ISO 27002, rather than certification under ISO 27001, the preferable approach (Gossels & Mackey, 2007). Gossels and Mackey determine that achieving ISO 27002 compliance puts an organisation well on its way to meeting the requirements set out by Sarbanes-Oxley, HIPAA and other pertinent regulations.
In 2014 the UK government launched Cyber Essentials, a certification scheme now run by the UK National Cyber Security Centre (NCSC), which also publishes the separate “10 Steps to Cyber Security” guidance; voluntary compliance, or even certification, is a good step forward for many organisations (NCSC, 2014). Cyber Essentials aims to defend against common commodity attacks, including those mounted with publicly available tools such as Nessus, Nmap and Metasploit. According to HackerOne, the US Department of Defense (DoD) is actively inviting hackers to try to breach its security and report their findings for the possibility of monetary rewards (Hackerone, 2017). Starting with the Pentagon, the DoD has now extended this invitation to hacking the Army and the Air Force and, due to its success, will be expanding the approach across federal government departments. The DoD is recommending a similar process to private industry, such as automotive and medical device manufacturers. Other tools useful in managing cyber security risk include automated tools such as CRAMM, which the SANS Institute describes as an automated tool based on a qualitative risk assessment methodology that prioritises countermeasures at a managerial level (Sans Institute, 2002). However, Jones and Ashenden report that CRAMM has a poor reputation in some sectors (Jones & Ashenden, 2005), as it takes some expertise to use the software skilfully. Jones and Ashenden mention other tools such as FIRM, COBRA, OCTAVE, SARA and SPRINT, and observe that organisations will find some of these tools more useful than others depending on the industry and application.

With the onset of the General Data Protection Regulation (GDPR), information security in many organisations needs to be looked at seriously from a high reliability perspective. The reason is that the impact of a serious security breach could mean the release of, in some cases, millions of records of personal data into the public domain, with the obvious loss of confidence and large fines imposed, which could end in the winding up of the organisation. A recent report shows that 64% of UK and US organisations are still not getting information security right and are ill-prepared for GDPR compliance, with many stating that privacy and data protection are increasingly important but increasingly complex (TrustArc, 2017). Dr Lekka’s review of the then current (2010) literature on high reliability organisations concludes with the concern that HRO research has been carried out on only a small range of organisations (Lekka, 2017). Lekka’s arguments explain why studies of HRO, which originally focused on high risk environments, are now being applied to areas such as information security, which now operates under the rules and regulations of the GDPR, forcing organisations to view information security as a grave risk that requires highly reliable performance. Many HRO papers now being released by the IT community focus on reliability in the development of systems and applications as the target of high reliability reviews, and this may be due to the continuing failure of many well-reported information system programmes. It is estimated that the recent breach at Equifax would have landed the company with a fine of $69 million under GDPR because of its inadequate security and incident response (Scott, 2017). This breach led to the release of personal information on 143 million Americans and nearly half a million British citizens, through a vulnerability that the company had been made aware of months before.
Worse still, Equifax failed to notify its clients for six weeks. This one breach teaches lessons about fundamental cyber security best practice: organisations should create and enforce a coherent patching policy using automated tools, and ensure that a clear and effective incident response process is in place. Denyer et al. seek to explain such failures by a lack of effective management in coping with uncertainty, and believe that it is possible to avoid, trap and mitigate the risks associated with the development of complex socio-technical information systems by using an HRO methodology (Denyer, et al., 2011).

There is now a great deal of focus and ongoing research on the concept of high reliability organisations, or reliability-seeking organisations. In the US, conferences on HRO are now an annual event, and government departments are sharing lessons learned by setting up networking sites and learning collaboratives. In healthcare, studies are under way into practical ways of enhancing the characteristics of high reliability organisations, such as mindfulness development, crew resource management, team training, safety briefings and human factors concepts. Research and development programmes in the UK, such as those at the NCSC, are testing some of these concepts, although rarely using the term “high reliability organisations”. Much has also now been written on HROs in other industries such as nuclear power and air traffic control, and even software systems development; however, there is still little written about high reliability within the confines of information security. Smaller companies should consider becoming Cyber Essentials certified, whilst the NCSC’s Cyber Essentials programme and the ISO 2700x security standards go a long way towards supporting HROs in the areas of information security and compliance. ISO 27002 compliance, if not certification under ISO 27001, would be highly recommended for larger organisations. UK industry needs to be more organised in the way it protects its data and, as Tracy observes, that starts with deeper security information sharing between industries (Tracy, 2017).



Cleveland, F., 2007. Enhancing the Reliability and Security of the Information Infrastructure Used to Manage the Power System,. Power Engineering Society General Meeting, 2007. IEEE, 24th June, pp. 1-8.

Coze, J. C. L., 2016. Vive la diversité! High Reliability Organisation (HRO) and Resilience Engineering (RE). [Online]
Available at: https://www-sciencedirect-com.ezproxy.lancs.ac.uk/science/article/pii/S0925753516300479
[Accessed 8th Feb 2018].

Denyer, D., Kutsch, E., Lee-Kelley, E. & Hall, M., 2011. Exploring reliability in information systems programmes. International Journal of Project Management, 29(4), pp. 442-454.

Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for Information Security Management. [Online]
Available at: http://file.scirp.org/Html/4-7800154_30059.htm
[Accessed 11th Feb 2018].

Financial Reporting Council, 2014. Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. [Online]
Available at: https://www.frc.org.uk/getattachment/d672c107-b1fb-4051-84b0-f5b83a1b93f6/Guidance-on-Risk-Management-Internal-Control-and-Related-Reporting.pdf
[Accessed 8th Feb 2018].

Gossels, J. & Mackey, R., 2007. ISO 2700X: A cornerstone of true Security. [Online]
Available at: https://systemexperts.com/wp-content/uploads/ISO-2700X.pdf
[Accessed 11th Feb 2018].

Hackerone, 2017. Defending the Federal Government from Cyber Attacks. [Online]
Available at: https://ma.hacker.one/rs/168-NAU-732/images/DoD-Challenge-Ebook.pdf
[Accessed 21 Feb 2018].

Hales, D. N. & Chakravorty, S. S., 2016. Creating high reliability organizations using mindfulness. [Online]
Available at: https://www-sciencedirect-com.ezproxy.lancs.ac.uk/science/article/pii/S0148296315006979
[Accessed 11th Feb 2018].

Hopkins, A., 2007. The Problem of Defining High Reliability Organisations. [Online]
Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=
[Accessed 1st Feb 2018].

International Electrotechnical Commission, 2010. IEC 62351: security. [Online]
Available at: http://www.iec.ch/smartgrid/standards/
[Accessed 5th Feb 2018].

Jones, A. & Ashenden, D., 2005. Risk Management For Computer Security. Burlington, Mass: Elsevier Butterworh-Heinemann.

Lekka, C., 2017. High reliability organisations. [Online]
Available at: http://www.hse.gov.uk/research/rrpdf/rr899.pdf
[Accessed 1st Feb 2018].

National Institute of Standards and Technology, 2017. The Cybersecurity Framework Implementation Guidance for Federal Agencies (NISTIR 8170, draft). [Online]
Available at: https://csrc.nist.gov/csrc/media/publications/nistir/8170/draft/documents/nistir8170-draft.pdf
[Accessed 6th Feb 2018].

National Institute of Standards and Technology, 2014. Framework for Improving Critical Infrastructure Cybersecurity. [Online]
Available at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
[Accessed 4th Feb 2018].

National Institute of Standards and Technology, 2015. NIST Special Publication (SP) 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security. [Online]
Available at: https://csrc.nist.gov/csrc/media/publications/sp/800-82/rev-2/final/documents/sp800_82_r2_second_draft.pdf
[Accessed 4th Feb 2018].

NCSC, 2014. Protect your organisation against cyber attack. [Online]
Available at: https://www.cyberessentials.ncsc.gov.uk/
[Accessed 21 Feb 2018].

NIST, 2013. NIST Special Publication 800-53. [Online]
Available at: https://nvd.nist.gov/800-53/
[Accessed 11th Feb 2018].

North American Electric Reliability Corporation, 2015. CIP (Critical Infrastructure Protection) Standards. [Online]
Available at: http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
[Accessed 4th Feb 2018].

Sans Institute, 2002. A Qualitative Risk Analysis and Management Tool – CRAMM. [Online]
Available at: https://www.sans.org/reading-room/whitepapers/auditing/qualitative-risk-analysis-management-tool-cramm-83
[Accessed 21st Feb 2018].

Schlegel, R., 2017. A security evaluation of IEC 62351. Journal of Information Security and Applications, 34(2), pp. 197-204.

Scott, B., 2017. Equifax Breach Shows Firms Still Aren’t Getting the Basics Right Ahead of GDPR Deadline. [Online]
Available at: https://blog.centrify.com/equifax-breach-gdpr/
[Accessed 20th Feb 2018].

Stone, J., 2017. Why the UK needs to adopt US healthcare approaches to information security sharing. [Online]
Available at: https://www.scmagazineuk.com/why-the-uk-needs-to-adopt-us-healthcare-approaches-to-information-security-sharing/article/653533/#_ftn3
[Accessed 10th Feb 2018].

The International Society of Automation (ISA)/International Electrotechnical Commission (IEC), 2014. ISA/IEC 62443. [Online]
Available at: http://isa99.isa.org/ISA99%20Wiki/Home.aspx
[Accessed 4th Feb 2018].

Tracy, R. P., 2017. Moving Beyond the Why: How to Implement the NIST Cybersecurity Framework. [Online]
Available at: http://m.nextgov.com/ideas/2017/09/moving-beyond-why-how-implement-nist-cybersecurity-framework/140828/
[Accessed Feb 2018].

TrustArc, 2017. US and UK Companies Lagging in GDPR Compliance Efforts; Brexit Not Derailing UK GDPR Plans. [Online]
Available at: http://www.prnewswire.co.uk/news-releases/us-and-uk-companies-lagging-in-gdpr-compliance-efforts-brexit-not-derailing-uk-gdpr-plans-648422013.html
[Accessed 20th Feb 2018].

UK Government, 1998. Data Protection Act 1998. [Online]
Available at: https://www.legislation.gov.uk/ukpga/1998/29/contents
[Accessed 10th Feb 2018].

US Government, 2002. The Sarbanes-Oxley Act. [Online]
Available at: http://www.soxlaw.com/
[Accessed 8th Feb 2018].

US Government, 2003. Department of Health and Human Services. [Online]
Available at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf?language=es
[Accessed 10th Feb 2018].

US Whitehouse, 2017. Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. [Online]
Available at: https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/
[Accessed 6th Feb 2018].

Weick, K. & Sutcliffe, K., 2007. Managing the Unexpected : Resilient Performance in an Age of Uncertainty. 2nd ed. s.l.:John Wiley & Sons.

