Archive for category Management

Requirements for Business Contingency and Continuity Plans

Requirements for Business Contingency and Continuity Plans

By: Amy Wees

CSEC650, 9045

April 21, 2013


Abstract: Technology plays a vital role in business and threats to technology are constantly evolving.  Businesses must be ready to react to a multitude of situations from a computer virus to a hurricane.  The only way to react successfully is to have a well-written, well-tested contingency and continuity plan.  The steps to planning include identifying threats through Business Impact Analysis (BIA), planning for mitigation of risks or reduction of impact to the business through contingency plan development, and setting up recovery options such as backup sites.  Finally, the plan must remain actionable and up-to-date, and the best way to ensure this is through training personnel and testing the plan on a regular basis.

Requirements for Business Contingency and Continuity Plans

On 17 April, 2013 a giant explosion ripped through the small town of West, Texas after the West Fertilizer Company plant caught fire.  The cause of the fire is still unknown, but many people were killed in an attempt to extinguish the massive blaze, air traffic over the area was halted due to the dangerous chemicals released, and miles of structures surrounding the plant were damaged and evacuated (Eilperin & Fears, 2013).  Many are probably wondering how this happened and if the explosion could have been prevented.  The Environmental Protection Agency (EPA) reported that the fertilizer plant was fined in 2006 for a lacking risk management plan that failed to address safety hazards, employee training, and maintenance procedures.  Furthermore, the owner does not know how he will recover from this disaster (Eilperin & Fears, 2013).  Even if West Fertilizer has insurance to cover the damage of the building and company assets, the costs during the disaster recovery could be far more than West can afford.  Insurance may not cover the medical expenses and deaths of the citizens harmed from the explosion.  How will displaced employees be paid?  Will there be law suits?  Did pertinent company data needed to continue operations or file damage claims get lost in the fire?

Although the fire may not have been preventable, a contingency and continuity plan would help West Fertilizer Company pick up the pieces and continue operations.  West Fertilizer is not alone in their lack of business continuity and disaster recovery planning.  A survey conducted by OpenSky Research in 2006 showed that almost half the businesses in America had no business continuity plan in place.  Of the companies that did have plans, the survey reported that the greatest motivation was the reputation of the business and customer satisfaction, followed by compliance with regulations and past experiences with operational hiccups.  Businesses reported that network operations, malware and data corruption were considered highly threatening along with natural disasters such as fires and blackouts.  Businesses without a plan reported budgetary and resource constraints as primary factors (On Windows, 2006).

It is obvious businesses should be concerned with contingency and continuity planning as it is only a matter of when, not if, something happens that can shut the business down.  Today more than ever, businesses are dependent on technology such as computers, networks, mobile devices and the Internet to run their businesses.  Protecting these assets from cyber security threats and service disruptions is paramount to the bottom line and customer satisfaction.  However, in order to convince management that business continuity planning is a worthwhile investment management must understand the return on their investment and design a plan that weighs the benefits of implementing cyber security, maintenance, and safety protocols against the costs of installing these protocols.  The argument for a plan must help management see a Return on Investment (ROI) so that forecasted returns on money spent can be estimated.  In calculating a ROI, the purchase of the proposed solutions, the cost of employee training, and the cost of paying the staff who will manage the solutions should be included.  This calculation will account for the Total Cost of Ownership (TCO) for the investment.  If costs are not projected accurately, management may reject the proposal or restrict the budget (UMUC, 2011).

This paper will cover the steps to identifying threats and risks to a business, creating and maintaining business contingency and continuity plans, options for recovery of data and business operations, and recommendations to put the plan into practice by conducting business continuity testing for a twenty-four month testing cycle.

Developing Business Contingency Plans

According to the National Institute of Standards and Technology’s (NIST) contingency planning guide for federal information systems, there are seven key steps to developing a plan: 1) Construct the contingency planning policy; 2) Complete a business impact analysis (BIA); 3) Pinpoint preventive measures; 4) Produce contingency approaches; 5) Create an information system contingency plan; 6) Conduct testing, training, and exercises; and 7) Ensure the plan is maintained (Swanson, Bowen, Phillips, Gallup & Lynes, 2010).   Although these steps are written specifically for federal systems, they can be used by any businesses as an overall framework to develop a contingency and continuity plan.  For the purpose of this paper, the seven steps are simplified to three broader areas: 1) Identify threats to the business; 2) Create a plan to alleviate or lessen the impact of the threats; 3) Train personnel and test the plan to ensure accuracy (Cerullo, V., & Cerullo, M. J., 2004).  Authors should keep in mind during plan development that all steps should be documented, actionable, and most importantly, kept up to date (Balaouras, 2009).

Identify Threats to the Business

The first aspects a company must consider when creating contingency and continuity plans are the potential threats to the business.  Some threats will be different depending on the type of business.  For example, an Internet based company may be more concerned with cyber threats such as malware and viruses than a small retail store with little to no web presence.  The retail store, on the other hand, may be more concerned with protecting databases containing customer credit card information.  A defense contractor may see a competitor accessing their intellectual property as the largest threat to the business.  There are also threats that impact every business such as natural disasters, electrical outages, and fires which must be taken into consideration.

Business Impact Analysis

No business is exempt from harm or disruption, however, threats may not always be easy to quantify or identify.  For this reason, a Business Impact Analysis (BIA) can assist in identifying the primary areas affected by a disaster or contingency.  A BIA will distinguish the services and functions most critical to the business’ bottom line, and classify those services and functions according to their effect on the business, level of risk, and likelihood of occurrence.  A recommendation is made on whether to avoid, mitigate, or absorb the risk and methods in which to do so.  Management may also choose to delve further into the identified risks by conducting risk assessments (Cerullo, V., & Cerullo, M. J., 2004).

The first step when conducting a BIA is to identify the primary business processes and supporting systems and the criticality of recovering the associated processes/systems.  The impacts of a system outage are determined to include projected downtime, indicating the maximum downtime that can be tolerated whilst allowing the business to maintain operations.  Possible work-around options should also be listed.  Management and process owners should work together to create a comprehensive list of processes, process descriptions, and systems directly related to these processes (Swanson, Bowen, Phillips, Gallup & Lynes, 2010).

The next step in the BIA is to identify resources required to continue primary processes and any interrelated or dependent systems/assets. Considerations for a thorough resource listing are facilities, staff, hardware, software, electronic files, system elements, and critical records (Swanson, Bowen, Phillips, Gallup & Lynes, 2010).  Some companies may have a configuration manager or other information systems manager that maintains this information.  The constant changes and updates in technology make updating this list on a regular basis relevant.  An example table of a listing of assets follows:

Table 1: Company ABC Critical Resources

System Platform/Version Primary User Critical Process Dependencies
Exchange Server Windows Server 2008 All users internal and external Ensures mail  sent/received Domain Controllers, Active Directory Servers


The final step in BIA is to set priorities for recovery of various systems linked to critical processes identified in step one.  Systems should be recovered in the order of criticality to the business and alternate available options (Swanson, Bowen, Phillips, Gallup & Lynes, 2010).    For example, if the previously mentioned small retail business loses its point of sale (POS) system, cashiers may be able to add up the cost of various items and collect cash from customers for a short period of time, but there will be a maximum amount of time before the business starts to lose customers.  Therefore, the POS may be the most critical asset to recover on their list.  Secondary to the POS may be the inventory system.  Many retailers depend on an automated inventory system to track incoming deliveries, sales, and order new supplies as well as pay suppliers for items received.  These systems are immensely complex and keeping track of inventory on paper and later having to update the recovered system could be costly in man-hours and mistakes.  Third for the retailer may be the store security system.  Although employees could be posted at the door to check receipts against purchases, the amount of theft may increase, and the store could lose valuable evidence related to a crime or incident that occurs.

Create a plan to alleviate or lessen the impact of the threats

Now that the BIA is complete, the business can work on a plan to mitigate the identified risks.  According to Swanson, Bowen, Phillips, Gallup and Lynes (2010), there are three phases to a contingency plan to include supporting documentation such as the BIA, personnel contact information, write-ups of procedures.  The three phases are: Activation and Notification; Recovery; and Reconstitution.

Activation and Notification Phase

When a contingency or event occurs that affects a crucial business process the first step is to put the plan into action and notify personnel responsible for and affected by actions.  This means the plan must identify primary and alternate team members’ roles and responsibilities.  Procedures should include instructions for notifying staff and customers to include contact information and primary duties of personnel internal and external to the organization, locations of alternate work sites, and checklists to follow in order to complete alternate processes while primary means are restored (Cerullo, V., & Cerullo, M. J., 2004).  Procedures should be easy to follow and not overly complicated.

Recovery Phase

After personnel are deployed and active in alternate processes to keep the business afloat, it is time to start recovery of assets affected by the contingency, in the order of priority previously identified during the BIA.  The recovery phase will take up the greatest portion of the contingency plan as there are many options to consider, and the costs are high.  At a minimum, system back-ups should be created and stored at an off-site location or in a cloud environment on a regular basis to minimize system recovery time and allow for reconstitution from another location.  Procedures for system back-up and recovery should be included in the business continuity plan (UMUC, 2011).  The entire environment should be in the backup, to include software, executables, databases, training information, and all systems needed to run the operation as the ability to get back to business is dependent on the quality of the backups (Barry, 2012).

According to a 2002 report by the Disaster Recovery Institute International, costs of downtime were from three to seven percent of the information systems budget.  Some examples of costs of downtime for company website cited by Cerullo and Cerullo (2004) were $8,000 an hour for leading Internet players, $1,400 per minute on average, and a medium-sized business downtime cost of $78,000 per hour on average with an annual cost of over $1 million due to downtime.  Although these costs were estimated for businesses which depend heavily on the Internet, it is pertinent for any business to consider the cost of downtime when looking at options for timely recovery of assets.

Recovery Options

There are three options for recovery sites: hot, cold, or warm.  Businesses should consult with service providers and software vendors when making a decision about what type of site to use, or whether to outsource this service.  A hot site allows for immediate recovery as it should contain all hardware and necessary for operations and can be loaded with current operational and back-up data (Barry, 2012).  The hot site can also serve as the location to store off-site back-ups.  The greatest consideration for a hot site is the considerable cost of creating and maintaining such a site.  A business should consider a hot site when the cost of the loss of systems is greater than the cost of the site (i.e. there is a ROI) and other site options such as cold or warm do not meet the need.

A cold site provides only a facility to operate from without the hardware infrastructure of a hot site.  While the cost of a cold site is lower, hardware will need to be acquired along with backups to return to regular operations.  Even with robust planning and well trained personnel, a cold site could take weeks or longer for recovery.

A warm site is the happy medium between hot and cold.  Warm sites contain some hardware and can contain backup and recovery data, depending on the setup.  Unlike a hot site, warm sites do not have the latest configurations loaded and will require a shorter workload for recovery compared to a cold site.  Outsourcing is also an option as there are multiple companies that offer a wide range of services (Barry, 2012).  Anytime outsourcing is considered, Service Level Agreements (SLA) should be made, adhered to, and updated on a regular basis to cover the changing requirements of the business and the responsibilities of the service provider.  As previously mentioned, the quantity and type of systems needing backups, the location of backups, and the steps to recovery depending on the contingency should be thoroughly documented in the contingency plan.

Reconstitution Phase

During the reconstitution phase, the system should be validated to determine necessary capability and functionality so the business can return to normal operations.  If the original facility is beyond repair, the reconstitution activities can also be helpful in testing and prepping a new location for future use.  At this point, deactivation of the plan can occur, and lessons learned can be documented as well as updates to the plan.

Contingency Testing

The final step in contingency planning is to train personnel to carry out the plan and test the plan for accuracy.  Perhaps the toughest part of contingency planning is not only creating an actionable plan, but finding time during normal operations to test it.  This is where the buy in of management is so critical.  If management does not push the importance of testing, employees will not feel they are stakeholders in the plan or that it is worth their time to test or train for.       There are several options for training personnel and testing the plan from hosting plan reviews or table top exercises all the way to complete backup and recovery testing cycles, or a combination thereof.  Individual checklists included in the contingency plan could also be given out to key personnel or individual work centers to run through during duty hours and check for accuracy and updates.  It can be difficult for system administrators to test system checklists as live systems are critical to operations and cannot be taken down for such purposes.  This is where virtual machines can be helpful in that copies of servers can be created from virtual templates using very little system resources allowing for testing and training on systems and having no effect on current operations.

Costs for training personnel and testing the plan should be considered and included in the contingency planning and continuity of operations budget.  Potential costs include training and testing man-hours not billable to direct operating costs, purchases of additional technology (such as virtual machines and servers) utilized for testing, and cost of other additional resources necessary for testing and training such as office supplies, use of external facilities, or outsourced vendor training.

24-Month Cycle Business Continuity Testing Plan

Below is a sample testing plan based on a 24 month cycle.

Months 1-2: Plan Accuracy 

Plan appendixes are distributed to key personnel in work centers where they will run through their checklists and action items and check for accuracy.  Key personnel will train alternates on procedures.  Alternates will run checklists to ensure they are repeatable.

Months 3-4: Notification Procedures

Management will choose a table top scenario based on the probability of various threats identified in the BIA.  Work centers will practice notification procedures by running through call lists based on the scenario.  On duty and off duty emergency contact information will be tested and updated as necessary.      

Months 5-6: Activation Procedures

Management will choose another scenario based on the BIA and make note of systems affected.  Key personnel will be notified to test their activation procedures based on that scenario.  Operations personnel will conduct business processes using alternate procedures, systems administrators will recover backups to alternate hardware (or virtual machines) and operations personnel will attempt processes on recovered systems.  This practice will identify lacking procedures in the checklists and data that may not have been backed up or recoverable as well as necessary system configurations after recovery.  Checklists and procedures will be updated based on this exercise.

Months 7-8: Reconstitution Testing

Reconstitution is the process of ensuring that a system is fully operational and configured for use.  In order to validate a system, users must identify the data needed on the system and procedures for working with that data.  This is not covered in the BIA but should be covered in a continuity book for the duty position.  Continuity books are created to ensure that someone with limited knowledge of a position can perform basic tasks when key personnel are not available.  During this testing phase, personnel will be given an alternate duty position for a specified period of time and attempt to perform routine tasks using the continuity book as their guide.  Often in an emergency situation, the person who knows an essential business process best may not be available and it will be paramount for other personnel to be able to fill-in where necessary.

Months 9-10: Updating Continuity Procedures

Based on the last test of continuity books, personnel will utilize months 9-10 to update their continuity documentation and prepare for a disaster preparedness drill in months 11-12.

Months 11-12: Contingency Recovery Drill

In this test, all phases will be tested.  Management will choose a scenario from the BIA that would require a move to an alternate facility which is a hot site and ultimately, employees will reconstitute operations at the new site.  First, notification procedures will be tested; employees will be prepared for this ahead of time to let them know this is a test of the system.  External agencies and customers will also be notified ahead of time that the agency is running this test so as not to affect operations.  Employees will start their checklists using alternate procedures for regular operations depending on the scenario until information technology (IT) personnel notify them to move to the hot site.  Employees will then move to the hot site and continue operations, identify shortfalls, and update the plan based on the lessons learned during this testing.  This type of drill is not recommended for businesses without a hot site as there would be too much risk to operations.  However, a table top contingency drill could be similar to this to test employees’ awareness of what to do in various scenarios would be helpful.

Months 13-24: Repeat months 1-12

During the second year, the business will repeat the testing done in the first year and adjust timelines and procedures as necessary to fine-tune the process.  Different scenarios can be given, or the same scenarios if management feels employees need more practice.  Repetition allows employees to gain confidence in plan execution and creates a mindset of contingency planning as part of day-to-day operations.


Technology plays a vital role in business and threats to technology are constantly evolving.  Businesses must be ready to react to a multitude of situations from a computer virus to a hurricane.  The only way to react successfully is to have a well-written, well-tested contingency and continuity plan.  The steps to planning include identifying threats through BIA, planning for mitigation of risks or reduction of impact to the business through contingency plan development, and setting up recovery options such as backup sites.  Finally, the plan must remain actionable and up-to-date, and the best way to ensure this is through training personnel and testing the plan on a regular basis.





Baker, N. (2012). Enterprisewide Business Continuity. (Cover story). Internal Auditor, 69(3), 36-40.

Barry, C. (2012). Backup plans. Multichannel Merchant8(5), 36-38.

Balaouras, S. (2009). Businesses take BC planning more seriously. (2009). For Security & Risk Professionals.

Cerullo, V., & Cerullo, M. J. (2004). Business continuity planning: a comprehensive approach. Information Systems Management21(3), 70-78.

Eilperin, J., & Fears, D. (2013, April 18). Fertilizer facility explosion injures at least 160 in central Texas; 5 to 15 feared dead. The Washington Post. Retrieved from

Geer, D. (2012). Are You Really Ready for Disaster? Three exercises for testing your business continuity plans. CSO Magazine11(8), 16-18.

Karim, A. (2011). Business Disaster Preparedness: An Empirical Study for measuring the Factors of Business Continuity to face Business Disaster. International Journal of Business & Social Science2(18), 183-192.

Kirvan, P. (2009, July). Using a business impact analysis (BIA) template: A free BIA template and guide. TechTarget: SearchDisasterRecovery. Retrieved November 4, 2011, from

Lam, W. (2002). Ensuring business continuity. IT professional4(3), 19-25.

On Windows. (2006, March 23). Half of us businesses lack continuity plan. On Windows Magazine, Retrieved from

Rawlings, P. (2013). SEC’s Aguilar Pushes Continuity Plan Testing. Compliance Reporter, 25.

Rucks, A., Ginter, P., Duncan, W., & Lesinger, C. (2011). A Continuity of Operations Planning Template: Translating Public Policy into an Effective Plan. Journal of Homeland Security and Emergency Management8(1).

Slater, D. (2012, December 13). Business continuity and disaster recovery planning: The basics. Retrieved from

Swanson, M., Bowen, P., Phillips, A., Gallup, D., & Lynes, D. (2010, November 11). Retrieved from website:

Totty, P. (2009). Business Continuity: Test and Verify. Credit Union Magazine75(12), 46.

UMUC. (2011). Module 11: Service Restoration and Business Continuity.  Retrieved from

Whitworth, P. M. (2006). Continuity of Operations Plans: Maintaining Essential Agency Functions When Disaster Strikes. Journal of Park & Recreation Administration24(4), 40-63.

Wold, G. H. (2006). Disaster recovery planning process. Disaster Recovery Journal5(1).


, ,


Protection of Network Operating Systems






Protection of Network Operating Systems

Amy Wees


15 July 2012




Operating systems are essential to business operations, system security and software applications. Users count on operating systems to provide easy to use graphical user interfaces (GUI), operate multiple applications at one time, and store and access data and information needed for everyday operations (UMUC, 2011).  Businesses count on operating systems to address and provide for the four basic security concerns of confidentiality, integrity, availability and authenticity (Stallings, 2011).  Although many operating systems have incorporated controls to address these security concerns, there are additional measures that need to be taken to ensure the necessary level of security is achieved. Identification and Authentication protection measures are the most significant measures to implement.  Before a user or administrator is allowed to access the system, security measures must be implemented to identify and authenticate the need for and level of access.  After personnel are identified and authenticated, access control policies must be implemented to ensure limited access to applications, information, computers and servers on the network.  Internal to external and external to internal communications must also be protected and restricted.  Drafting and enforcing effective security policies and conducting annual audits allows for vulnerability assessment and correction of weaknesses in configuration, training, or procedures.  The protection measures noted in this paper are rated in severity based a case study on auditing UNIX systems by author Lenny Zeltzer (2005).




Keywords: firewalls, security training, operating systems, security policies, password, access control, security management

Protection of Network Operating Systems

Operating systems are essential to business operations, system security and software applications.  Operating systems allow administrators to control access to the system, install and configure third party commercial-off-the-shelf (COTS) software and monitor activity with built in auditing tools.  Users count on operating systems to provide easy to use graphical user interfaces (GUI), operate multiple applications at one time, and store and access data and information needed for daily operations (UMUC, 2011).  Businesses count on operating systems to address and provide for the four basic security concerns of confidentiality, integrity, availability and authenticity (Stallings, 2011).  Although many operating systems include built in controls to address these security concerns, additional measures should be taken to ensure the required level of security is achieved.  This paper will address the implementation, advantages and disadvantages, and security management issues of three protection measures: Identification and Authentication, Access Control, and Security Policies and Auditing (Information Assurance Directorate, 2010).


Security Ratings and Prioritization

            The protection measures noted in this paper are rated in severity based a case study on auditing UNIX systems by author Lenny Zeltzer (2005).  A high severity rating is one in which could result in an attacker or intruder gaining root level access to a system leading to potential loss of critical data.  A medium severity rating is given to vulnerabilities that could result in remote nonprivileged access to the system.  A low security rating is that related to events which are improbable and may result in a local attacker gaining nonprivileged access to the system (Zeltzer, 2005).  The measures listed in this paper are rated as follows:

Measure Rating
Identification and Authentication protection measures High
  1. Badge Access Control System
Access Control High
  1. Host Based Firewall
  1. Network Firewall
  1. Use of a DMZ
  1. Limiting Access to Data using Least Privilege & Separation of Duty Principles
  1. Enforcing strong password policies
Security Policy Medium
  1. Drafting Effective Security Policies
  1. Security Awareness Program
  1. Security Auditing



Identification and Authentication

            Identification and Authentication protection measures are the most significant measures to implement.  Before a user or administrator allowed access to the system, security measures must be implemented to identify and authenticate the need for and level of access.  Pre-employment background checks can prevent organizations from hiring individuals with criminal records and verify qualifying information on a candidate’s resume (Mallery, 2009).  A popular method for controlling identification and authentication is by utilizing access badges.  Access badges can be linked to security systems and control and monitor physical access to the facility, to rooms within the facility and most importantly logical access to the systems that contain proprietary sensitive information.  Access badges also provide employees a visual tool for monitoring levels of access, job titles, and recognition of visitors.

Today many different types of access badge systems are available.  An organization must weigh the cost of the system with the benefit to security.  Smart card systems are relatively easy to implement offering a multitude of vendors and interoperability with legacy systems.  After the user has verified his or her identity using a passport or drivers license and a representative of the company has verified the users’ required level of access, the user can be issued a smart card where he or she sets a pin number to be used from that point forward to verify his or her identity and authentication for physical and logical access into the facility (Smart Card Alliance, 2003).

Management of the system will require information assurance professionals who can conduct background checks and verify identities as well as control and administer the computer applications associated with the system.  The organization will also need to prepare for possible outages of the system and develop procedures for training employees to identify badges, escort unauthorized individuals and properly wear, use and store badges.

Utilizing smart card technologies removes the need to verify identify on a daily basis and also allows for ease of monitoring of a person’s whereabouts.  Access changes can also be made remotely from the management software application if an employee switches jobs, loses their badge, or leaves the company.  Smart cards can be used for physical and logical access and such access can be limited throughout the facility.  Smart cards can also limit the number of passwords an employee has to remember, decreasing man hours spent on password resets and locked out systems.  Although the advantages are many, access badge systems can be costly, and a strong social engineer may be able to outsmart the system by replicating a badge or fooling an employee in to granting them access they should not have.


Access Control

            The second most critical security measure is access control.  After personnel are identified and authenticated, access control policies must be implemented to ensure limited access to applications, information, computers and servers on the network.  Internal to external and external to internal communications must also be protected and restricted.

A firewall is one of the best mechanisms to protect the network from internal and external threats and control as well as monitor communications.  The Windows operating system offers an integrated firewall for use on clients, which drops incoming solicited traffic that is not in response to a request made by the computer, and allows specified unsolicited traffic. Host based firewalls such as the Windows Firewall safeguard against threatening applications that utilize unsolicited traffic as an attack mechanism (Microsoft , 2012).  The network firewall should be attached directly to the internet connection, to block malicious traffic from entering the network.  Network firewall software can be installed on a dedicated server located between the internet and the protected network (Goldman, 2006).  Firewalls can filter and monitor incoming traffic and also protect against insider threats such as users clicking on phishing e-mail links or navigating to dangerous websites.  Goldman (2006) notes research shows that seventy to eighty percent of malicious activity comes from insiders who already have network access.  Although firewalls are an advantageous method of protection, they can cause more damage if not configured properly or if maintained by administrators that do not understand the complex rules or monitoring procedures.  Firewalls must also be combined with other protection strategies such as vulnerability assessment tools, intrusion detection and prevention systems and antivirus tools (Goldman, 2006).

The physical location and configuration of assets on the network is also vital to access control on the network.  For example, a demilitarized zone or DMZ is a controlled area for the most vulnerable systems on the network.  If a user is hacked or a system is infected the DMZ prevents interruption of essential functions such as e-mail and databases (Turner, 2010).

Password, user and administrative access policies are equally essential to protecting the network and clients from outside and inside threats.  The level of access a user requires must first be determined using the principle of least privilege.  Files and information should be separated by roles or departments within an organization and access given only to those assigned in those roles or associated with that department.  Limiting data access also decreases the possibility of an intruder gaining access to critical files.  Administrative access should also be limited to the roles and responsibilities of the administrator.  Full administrative access to the network should be given on an extremely limited basis following a separation of duty policy.  Password policies should be understood by all users and administrators, and Windows active directory configured to enforce policy.  Studies have shown the most secure password policies are those that require a 14 character password comprised of at least two uppercase and lowercase letters, two numbers, and two unique characters.  Passwords should be changed every 60 days and screen saver passwords enforced to prevent intruders from accessing open systems (Turner, 2010).  An excellent prevention and education measure to enforce the use of strong passwords is to run a password cracking application such as L0phtcrack against the password database using a keyboard progression dictionary often used by crackers.  If passwords are cracked, users should be notified and forced to change their passwords.  Training in this way helps users and administrators learn to create and maintain strong passwords, and understand how easily weak passwords can be exploited for malicious purposes.


Security Policies and Auditing

The likelihood of a business falling victim to cyber-attack becomes more prevalent as more and more businesses utilize technology to conduct operations and store critical information.  Attacks can cause severe financial losses to businesses and customers and destroy reputations.  Research has shown that most security breaches are not due to misconfiguration of firewalls or poor password policies, but caused by inadequate security planning (Hamdi, Doudriga, & Obaidat, 2006).  Drafting and enforcing effective security policies and conducting annual audits allows for vulnerability assessment and correction of weaknesses in configuration, training, or procedures.  The security policy should be based on business objectives and detail security measures for information systems, operating systems, and key management in the business environment and document procedures for handling security incidents.  Security policies can also be multifaceted and separated by audience (such as technical versus end-user policies), or separated by issues (such as information classification and access control policies).  At a minimum, the security policy should address access privileges, user accountability and responsibility, authentication procedures, availability and maintenance of resources, and procedures for reporting violations (Hamdi, Doudriga, & Obaidat, 2006).

Enforcing securing policies requires awareness programs and employee training.  Employees should feel they are stakeholders in the security of the organization.  Policies should be widely disseminated, easy to understand and follow, and retrained on a regular basis.  Employees should know how to recognize and respond to security incidents.  The effectiveness of a security policy can be assessed using simple tests such as a contingency plan or emergency response practice drill (Hamdi, Doudriga, & Obaidat, 2006).

Conducting regular vulnerability assessments and audits of an organization’s security posture will help to ensure weaknesses in operating systems, third party applications, and security policies are identified.  This is best accomplished by hiring a third party to conduct an audit.  Security professionals are trained on many different systems and can educate staff on vulnerability management.  Audits can include penetration tests, which can assess the external security of the network, or a less invasive vulnerability assessment to scan the system for threats and provide fix actions (Mallery, 2009).  If the organization decides not to outsource the audit, there are other options for scanning the network using tools such as the Nessus vulnerability assessment tool as well as employing intrusion detection and prevention systems and antivirus.  The benefits of utilizing in-house tools are that they are always available and can often automatically assess and mitigate vulnerabilities.  The drawbacks are that employee training to maintain such systems can be extensive, and systems can be costly (Kakareka, 2009).  After audits are conducted it is paramount to set a time frame in which to accept risks, remedy vulnerabilities, and update security policies and other relevant documents.



            Businesses rely on network operating systems as an effective way to control, manage and secure their operations with ease.  Effective security of operating systems requires a defense in depth strategy that goes beyond what is inherent to the operating system.  Businesses must identify and authenticate employees using background checks, physical security procedures such as badging systems.

After identification and authentication, access to assets is best controlled using the principles of least privilege and separation of duties.  User and administrator access to shared electronic data folders and applications should be separated and limited by function or role.  Firewalls, DMZs and physical separation of assets can be utilized to protect the network from unwanted incoming and outgoing traffic and malicious actors.  Strong password policies and practices can also assist in protecting the network and preventing unauthorized access.

Finally, drafting a strong security policy based on risk analysis and business objectives and confirming employees have a clear understanding of policies and procedures will go a long way in developing a security culture in the organization.  Conducting periodic audits will ensure policies are updated and put into practice.














Goldman, J. (2006). Firewall Basics. In H. Bidgoli, Handbook of Information Security (pp. 2-14). Hoboken: John Wiley & Sons, Inc.

Hamdi, M., Doudriga, N., & Obaidat, M. (2006). Security Policy Guidelines. In H. Bidgoli, Handbook of Information Security (pp. 227-241). Hoboken: John Wiley & Sons, Inc.

Information Assurance Directorate. (2010). US Government Protection Profile for General-Purpose Operating Systems in a Networked Environment. Information Assurance Directorate. Retrieved from

Kakareka, A. (2009). What is Vulnerability Assessment? In J. Vacca, Computer and Information Security Handbook (pp. 383-393). Boston: Morgan Kaufmann Inc.

Mallery, J. (2009). Building a Secure Organization. In J. Vacca, Computer and Information Security (pp. 3-21). Boston: Morgan Kaufmann Inc.

Microsoft . (2012). Windows Firewall. Retrieved from Microsoft Technet:

Smart Card Alliance. (2003). Using Smart Cards for Secure Physical Access. Princeton Junction: Smart Card Alliance. Retrieved from

Stallings, W. (2011). Operating Systems Security. Handbook of Information Security, 154-163.

Sensei Enterprises, I. (Director). (2010). How do I secure my computer network? [Educational Video]. Retrieved from

UMUC. (2011). Prevention and Protection Strategies in Cybersecurity. Adelphi, MD, USA.

Zeltzer, L. (2005). Auditing UNIX Systems: A Case Study. Retrieved from Lenny Zeltzer:

, ,

Leave a comment

Company Cybersecurity Policy

Firion Corporation Cyber Security Policy

Amy Wees, Gary Coulter, Kyree Clarke, and Leonard Gentile

University of Maryland University College

Author Note

Amy Wees, Gary Coulter, Kyree Clarke, and Leonard Gentile, Department of Information and Technology Systems, University of Maryland University College.

This research was not supported by any grants.

Correspondence concerning this research paper should be sent to Amy Wees, Gary Coulter, Kyree Clarke, Leonard Gentile, Department of Information and Technology Systems, University of Maryland University College, 3501 University Blvd. East, Adelphi, MD 20783. E-mail:,,, and


The Firion Corporation is a leader in the development of specialized safety outerwear and has a niche market in the waste disposal, chemical, and biological industries. Firion employees use technology in every aspect of the business.  Databases contain private customer information, unique software assists in development and testing of proprietary designs, and marketing, financial, and sales data are accessed and stored on our private network.  Protection of information is mandated by Firion policy and federal and state legislation.  Unauthorized access to the network by cyber criminals or malicious insiders can result in loss of customer information, compromised proprietary business information, severe financial damage, and work outages.  Cyber security threats and vulnerabilities can have a detrimental impact on the future of our business and every employee is considered a stakeholder in the protection of the network.  Firion will continue to strive to ensure cyber security remains a priority at every level of the company. The goals of Firion’s cyber security policy include increasing awareness by providing employees with applicable illustrations of common threats and vulnerabilities in the industry, identifying data classification procedures and rationalize access control rules, and characterizing sensitive and critical systems and outlining their appropriate safeguards and utilization.

Firion Corporation Cyber Security Policy

Firion Organizational Business Mission

Welcome to Firion!  The Firion Corporation is a leader in the development of specialized safety outerwear and has a niche market in the waste disposal, chemical, and biological industries.  Our customers count on us to deliver quality products that are safe and reliable.  Firion laboratories are constantly at work developing innovative coatings and unique designs to ensure our customers can be confident in the level of protection our products deliver (UMUC, 2010).

Firion’s employees use technology in every aspect of our business.  Databases contain private customer information, unique software assists in the development and testing of proprietary designs, and marketing, financial, and sales data are accessed and stored on our private network.  Protection of information is mandated by Firion policy and federal and state legislation.  Unauthorized access to the network by cyber criminals or malicious insiders can result in loss of customer information, compromised proprietary business information, severe financial damage, and work outages.  Cyber security threats and vulnerabilities can have a detrimental impact on the future of our business and every employee is considered a stakeholder in the protection of the network.  Firion will continue to strive to ensure cyber security remains a priority at every level of the company.

Cyber Security Goals

Firion’s cyber security policy will be kept relevant and up-to-date to the technology in use.  The policy will be communicated to employees on an annual basis to ensure compliance, comprehension, and clarity.  The goals of the cyber security policy are as follows:

·         Increase awareness by providing employees with applicable illustrations of common threats and vulnerabilities in the industry

·         Identify data classification procedures and rationalize access control rules

·         Characterize sensitive and critical systems and outline their appropriate safeguards and utilization

  • Address physical security as the first line of defense in a defense-in-depth security strategy to include use of personal computing devices on corporate networks and business devices on the road
  • Ensure all employees understand their role in business continuity and disaster recovery
  • Explain acceptable use of technologies as well as applicable federal and state legislations
  • Corporate privacy policies will disclose what information is collected and how information is utilized and stored
  • All e-mails sent over Firion networks are subject to monitoring.  Employees are expected to conduct business communications in a professional manner, limiting e-mail sent for personal use
  • Employees will not present themselves as representatives of Firion outside of corporate  functions nor use their professional title in public online forums
  • Internet usage is monitored, and employees are expected to use corporate Internet for business and limited personal use purposes.  Certain Internet Web sites are blocked if considered a threat to the network or not necessary for business practices
  • Employees must use software issued and approved by Firion.  Unlicensed software or freeware is not authorized for use on corporate assets.  Exceptions to this policy can be granted by Firion’s Information Assurance manager
  • Personal computing devices and mobile telephones are not authorized on corporate property.  Employees will be provided with lockboxes for securing their valuable items
  • All company issued mobile computing devices are subject to auditing and virus scanning prior to being connected to corporate networks
  • Employee passwords will not be shared with anyone or recorded.  Passwords must meet minimum complexity requirements and change every 90 days
  • Ethical computing concerns can be brought to Firion’s Information Assurance manager for consideration or evaluation at any time

Computing Ethics

Ethical practices are about doing the right thing when no one is looking.  Firion is committed to preserving a reputation for sound ethical computing practices.  Though Firion will take every precaution to protect employee and customer private data located on its systems, it is important to understand that no system is 100 percent secure.  Employees and network users can contribute to network security and information privacy by following ethical guidelines:


Cyber Security Policy Introduction

Cyber security is essential for just about any organization, including Firion.  One of the reasons why it is so vital to ensure that computer networks and systems within an organization are secure is that cyber criminals both inside and outside the organization pose a serious security threat to businesses.  In order to protect against the threat of cyber attackers, whether they are inside or outside the organization, Firion has developed a policy that describes how it intends to secure its computer networks and systems.

It is not enough for Firion to simply develop a cyber security policy and sit back, thinking that its network and systems will suddenly be secure.  Firion must also ensure that employees understand and comply with the cyber security policy.  This is necessary because Firion’s employees, or employees of any organization for that matter, are the weakest part of the network.  Even the most state-of-the-art cyber security technologies will not be able to protect Firion’s networks and systems from cyber security threats if its employees are engaging in behavior that jeopardizes the security of those networks and systems. Sharing passwords, leaving passwords on Post-It notes for display on their computer monitors, or clicking on links in e-mails that are sent by people that they do not know are all examples of how easily a network can be jeopardized.  In order to prevent these and other behaviors that may open Firion’s network and systems up to cyber security threats, the company must be sure that its employees understand and are complying with the company’s cyber security policy.

By implementing a strong cyber security policy and ensuring that employees understand and comply with that policy, Firion is taking a crucial step in securing the network and its systems from cyber security threats.  In addition, a strong cyber security policy coupled with employee understanding and buy-in will help prevent Firion from experiencing the negative effects of cyber security breaches.  For instance, by protecting its systems from cyber security threats, Firion will also be working to prevent the unauthorized access of information that is stored on its systems, including trade secrets, customer payment information, and any confidential personnel information, such as Social Security numbers.  The loss of such information could have serious consequences for Firion.  The consequences of a competitor obtaining the company’s trade secrets could be very serious, since these secrets form the basis of our business.  In addition, the loss of sensitive information such as employees’ Social Security numbers could result in Firion absorbing the expense of credit monitoring for affected employees, while the confiscation of customer payment information could result in a loss of trust among Firion’s customers.  Customer dissatisfaction can also result in financial ramifications for the company and could cause potential legal liability (Feigelson & Calman, 2010).

Achieving Employee Buy-In for Firion’s Cyber Security Policy

Now that the importance of employee understanding and compliance with Firion’s cyber security policy has been demonstrated, it is pertinent to spell out how Firion plans to achieve the level of employee support and buy-in that is necessary for this cyber security policy to be effective.  Firion will practice a three-pronged approach: education, rewards for compliance, and penalties for non-compliance.

Firion will seek to educate employees about cyber security by requiring them to participate in a Web-based training program when they are hired.  An annual refresher course will also be required for all employees.  Web-based training has proven to be one of the most effective ways to educate employees about cyber security issues (Rudolph, 2009, p. 28).  Web-based courses are an optimal method for training because courses can be taken at any time and are self-paced (Rudolph, 2009, p. 29).  In addition, Web-based courses can be tailored to the needs of employees based in their levels of experience and various interests (Rudolph, 2009, p. 29).

Rewarding or Punishing Employees for Complying or Not Complying with Firion’s Cyber Security Policy

Additional steps will need to be taken to ensure that employees understand and comply with Firion’s cyber security policy.  For example, employees will be required to sign an agreement stating that they understand the policy and that they intend to comply with it. Requiring employees to sign compliance statements is an effective way of making them more security aware and committing them to comply with policies that are put in place to protect Firion’s network and computer systems (Rudolph, 2009, p. 30).

Rewards and punishments are another necessary component of Firion’s efforts to ensure that employees understand and comply with the cyber security policy.  Firion should not take the approach of considering compliance with its cyber security policy a core requirement for employees as this approach has proven to be unsuccessful in the past.  Government agencies, for example, once treated cyber security as a core requirement and did not make an attempt to give it special emphasis (Rudolph, 2009, p. 8). These agencies eventually began to suffer from a growing number of security breaches (Rudolph, 2009, p. 8).  Firion should not and cannot make the same mistake that these government agencies did.  We at Firion recognize that security needs to be an area of special concern that is emphasized frequently so that our network and systems can be properly protected from cyber security threats (Rudolph, 2009).  In order to emphasize security as a special area of focus, employees will be given rewards for complying with Firion’s cyber security policy.  These rewards will be given out partly on the basis of informal security audits performed by members of Firion’s information technology (IT) security department.  Once a month, a member of Firion’s IT security department will walk around the company’s office and observe employee behavior, such as whether or not passwords are written on Post-It notes and visible in the work area as well as whether or not computers are powered on and logged in while employees are away from their desks.  Employees who are found not to be engaging in these and other behaviors will be given a small reward, such as a gift card to a local retailer or restaurant or a small cash bonus.  Rewards will also be given out to the company as a whole based on company-wide compliance with the cyber security policy.  For example, all employees can be rewarded with some type of perk if the number of cyber security incidents declines on a quarterly or yearly basis since this would likely be an indication that employees understand and are complying with Firion’s cyber security policy.  Such perks could include breakfast for the employees, paid for by Firion.  Conversely, employees who are found to be violating Firion’s cyber security will be punished.  This punishment will be based on the severity of the violation, with the most serious violations resulting in termination and potential legal implications.  The severity of a violation will be determined by Firion’s Chief Information Officer (CIO).

In addition, compliance with Firion’s cyber security policy will be one of the areas that managers will consider when conducting annual performance reviews. Employees who are found not to have violated Firion’s cyber security policy over the past year will be given a monetary bonus.  Those who are found to have violated Firion’s cyber security policy over the past 12 months will be punished.  This punishment could include the loss of vacation time or other perks. The type of punishment that is given will be decided on a case-by-case basis, though more severe violations will warrant a more severe punishment.  Once again, the severity of a violation of Firion’s cyber security policy will be determined by the CIO.

Procedures for Reporting Security Breaches, Violations of Cyber Security Policy, and Security Vulnerabilities

All employees are required to report security breaches, violations of Firion’s cyber security policy, and security vulnerabilities that they are aware of.  As soon as employees become aware of any security breach, cyber security policy violations, and/or security vulnerabilities, they should immediately notify an IT systems administrator and provide any information that they may have.  This information can include the name of the person who is involved in the cyber security breach or policy violation, the system that contains the security vulnerability, or the system that has been breached, among other things.  Immediate notification will allow Firion’s IT security department to take action on any urgent issues that arise.  By urging employees to report any information that they have about the nature of a security breach, policy violation, or security vulnerability, the IT security department will be able to determine whether or not the issue requires immediate attention.  Any reports that are deemed to be legitimate will be investigated by the IT security department.  The time frame of such an investigation will depend on the seriousness of the security breach, policy violation, or security vulnerability.  After the conclusion of the investigation, the IT security department will address the issue in an appropriate manner.  This includes correcting the security vulnerability, reporting the employee who was found to have violated Firion’s cyber security policy, and taking steps to end the security breach.

Awareness and Information Security

Employees of Firion pride themselves on the quality of the jackets the company produces, the safety these products provide, and the science that goes into making Firion a cutting edge company.   That pride can have negative effects on the company and its future business.  Because Firion is a cutting edge company, special attention must be applied to the security of its physical and intellectual assets.  This intellectual property is not just what might be considered a secret formula, or an important release date, but can include small pieces of information that could easily be incorporated into a much larger piece.  At Firion we call this desire to be cognizant of information, its use, and how it is protected “Information Security” (Information Security, n.d.).

Many individuals may desire to gain access to information that Firion owns for a variety of reasons.  These actors may desire to access to the company’s systems for personal profit or to gain additional information about Firion’s scientific developments in order to further their own research or to sell the information to competitors.  It is also possible that an actor may be disgruntled with Firion and seek to cause harm to the company as a whole (Campbell & Kennedy, 2009).

These actors can be blunt and seek to gain information directly from an employee.  More likely the actor will lie, cheat, steal or apply subterfuge in order to obtain the information they desire.  It is essential that employees are aware that these actors are present, as knowing a threat exists is the first step in being able to create a defense (Voiskounsky & Smyslova, 2003).

In order to protect the employees of Firion, there are a number of procedures in place to prevent the deliberate or inadvertent sharing of company information.  It is preferred that employees of Firion do not act as representatives of the company on either public or private forums unless their job duties entitle them to be public relations representatives.  This protects not only Firion by assuring that company data is shared in a controlled fashion, but also protects the employee so they do not become a target for any derogatory information that may be reported against the company.

Employees at Firion, depending on duties, are asked to sign non-disclosure agreements.  These agreements are written to protect especially sensitive information.  They are legally binding and allow for Firion to maintain control of its company-based intellectual property and are enforced under U.S. federal law.  The Economic Espionage Act of 1996 is designed not only to protect company’s secrets from being sold to a foreign power, but to protect the sale of corporate secrets in total.  Under this law, any individual who discloses a trade secret to the economic benefit to anyone other than the owner of that secret can be imprisoned for not more than 10 years, or face up to $5 million in fines (44 USC § 3542, 2002).

Data Classification and Access Control

Data is a critical asset at Firion.  Beyond the day-to-day production of protection equipment, the company has thousands of employees who have provided private, economic, and health based information to the company.  This data is just as critical to protect as any company secret.   All employees are responsible for information security.   As such the company has instituted a series of data classifications to help guide employees as to how data should be treated both inside and outside of Firion.

This classification of data is designed to be a tool to help employees protect critical information from being disclosed to illicit actors.  These actors could utilize this data to further their own economic or personal goals (Woodbury, 2007).  Firion classifies data into four separate categories: public, official use only, confidential, and secret.

Public data is that which is made publically available from the company.  This type of data can include company produced brochures, pamphlets, or catalogs.  It may also include publically available press releases as approved or issued from Firion’s public affairs branch.  Finally, it includes any and all interactive, publically-available data that may reside on the company Web site.

Official use only data is content that must be guarded due to ethical or privacy concerns.  It must be protected from access, modification, transmission, storage or any other use other than what has been authorized by Firion.  This data type is restricted to employees of Firion and should not be shared outside of the company.  This information can include employment data, company phone books, internal e-mails, or internal memos and should be stored in protected forms of physical and electronic storage.  Official use only information should not be posted or shared in public forums to include both physical and electronic mediums.  When it is no longer needed it should be destroyed, shredded, or sanitized.

Confidential data is contractual or protected by statutes or regulations.  This type of data is only disclosed to individuals on a need-to-know basis.  The disclosure of this data can only be authorized by the company president, vice president, or board of governors.  Examples of this type of data may include medical records, Social Security numbers, personnel and payroll records, bank account numbers, personal financial information, and any data that is identified by government regulation to be treated as protected data.  This data should only be stored in a physically locked container or in a password-protected electronic format.  It should not be disclosed without explicit management authorization and must not be published in any public forum.  Finally, confidential data can only be destroyed by shredding or if in electronic format, sanitized and degaussed prior to disposal.

Secret data is information that if released could potentially damage Firion or lead to substantial loss of economic standing.  This data shall never be disclosed outside of the company.  Individuals who may have access to this data shall be under the non-disclosure agreement, which will legally bind them not to disclose this information.  Examples of this data may include current internal economic statistics, protected manufacturing techniques, or on-going negotiation information.  This data should only be stored in authorized systems that are separate and protected from day-to-day systems.  All data on this system should be protected by a strong password at a minimum.  This information should never be shared, printed, or created into a physical form.  Destruction of this data must be through an authorized electronic format that includes sanitization and degaussing of magnetic materials.

Data classification is designed to ensure Firion is in compliance with a number of federally mandated laws.  All health related information is required to be protected by the Health Insurance Information Portability and Accountability Act (HIPPA) (HHS, 2003).  The Privacy Act of 1974 guarantees the protection of personal information (5 USC § 552A, 1974).  Financial data is regulated, protected, and managed based upon the Sarbanes-Oxley Act of 2002 (Public Law 107-204, 2002).  Finally, company secrets are protected under the Economic Espionage Act of 1996 (44 USC § 3542, 2002).

Sensitive and Critical Systems

Because of the importance of data at Firion there are many different types of authorized systems utilized inside the company.  These systems can include the computers that individuals use on a day-to-day basis, the laptop that a team uses when it travels to create a presentation for a potential customer, the Blackberry that an executive receives e-mail on, or the closed network computer that individuals utilize while working on proprietary data.

These systems are increasingly vulnerable to potential attack or intrusion by an ever-growing community of qualified people with the intent to steal data.  These actors may seek access to these systems for monetary gain for themselves or the company they work for, they may have personal reasons for seeking out data in Firion’s systems, or they may desire to destroy Firion’s capabilities from the inside (Verduyn, 2005).  These actors can use a number of vectors to access Firion’s systems, including direct attacks from an external network source such as the Internet, a virus spread from a Universal Serial Bus (USB) drive, or utilization of pirated or unauthorized software as a cover to gain access.  These actors are smart and will utilize any and all potential avenues to gain access to Firion’s systems.

Because of these vulnerabilities, Firion has instituted a strict policy concerning utilization of systems.  Personal systems, capabilities, or software are never to be used on or with company owned networks, systems, or software.  It is unacceptable for employees to have USB drive, wireless devices, or personal electronics in the work place.  No item is to be put in contact (wired or wireless) with a company owned system until such time as it is scanned and authorized by a qualified company network systems administrator.  Also no company system will be allowed to connect to an unauthorized system outside of the company network architecture without the authorization of a system administrator and information assurance manager.  Finally, any and all systems that are utilized outside of the company network will be audited as soon as they are returned to a company workspace and before they can be utilized on a company owned network architecture.

This regulation enables Firion to continue to be in compliance with the Sarbanes-Oxley Act of 2002.  This act mandates that companies continue to maintain internal controls, specifically for financial information (Public Law 107-204, 2002).  By assuring control of all systems within Firion and protecting those systems the company is able to assure that all financial data is secure.


Physical Security

Firion can prevent or counter some security mishaps by simply being proactive when it comes to the company’s physical security.  Physical security relates to any device that is used to protect or prevent inside or outside threats from damaging an organization’s proprietary information, networks, or assets.  If properly mandated, hackers and employees alike have less of a chance to infiltrate a system with malicious intent.  Performing regular surveys to access exactly what Firions’ needs are regarding security allows management to see the threats and vulnerabilities faced by the company aside from human factors as well as the positive enforcement that is already in place.

With the amount of activity and people involved with the day to day operations on-site, it is mandatory for a company that deals with so many outside sources to have a strict entry and exit policy.  Starting from the outside of the building, the physical security program includes guards that approve the entry of vehicles, specific identification badges that show each employee, contractor, or vendor access privileges and expiration dates, parking passes that correspond to specific cars as well as posts and patrols that are actively involved with patrolling their assigned area (U.S. Department of Education, 2008).

Firion will be proactive in securing its buildings so that the chances of unwanted guests or cybercriminals gaining access to the property are lessoned.  A gate that is occupied by a guard will keep track of who is entering and exiting the facility and the company will also record these interactions on surveillance cameras.  Once a person has been approved to enter the facility, access badges with proper identification will categorize exactly what access the person has and where he/she can go throughout the building.  It is pertinent that Firion keep up to date with security compliance so that all individuals holding a badge are documented, recorded as they scan through turnstiles and are promptly revoked access after their badge has expired or after they have been terminated.  Employees are also required to register their vehicles once they are given access to enter the facility as a way to keep track of vehicles that enter the premises without being overly burdensome.  Marked parking passes eliminate extra work for the security guards and patrols as their attention can be focused more on visitors and other vehicles that are new to the building or making drop-offs.

With these procedures in place, threats and vulnerabilities associated with physical security are lessened.  Employees will not have access to areas that do not relate to their job functions nor will they be able to enter certain parts of the facility during the day or after hours without their badge being scanned.  Once scanned, a log is kept to track exactly where they are located in the building and how long they remain before entering a new section.  Employees will also utilize access badges when logging into computers as level of computing privileges and information access is stored on each individual badge.  A simple user will not have the same access privileges as an administrator and will ultimately not able to modify any settings on their computer or be able to download any unlicensed software that may unknowingly harm the system or network they are connecting to.  By utilizing this mechanism, separation of duties will be clear for employees and they will never have to question if they have certain rights to perform certain actions.

Outside threats and vulnerabilities for employees working while on travel or from home can be a problem if employees do not take necessary precautions.  Employees that have portable laptops should always be cautious when on travel and connecting to other networks or unsecured Wi-Fi.  The Information Technology (IT) department will ensure proper security settings are in place before distributing laptops as well as require users to attend a mandatory training session on what is and what is not acceptable when it comes to downloading software, or using USB and other external devices.

Employees, contractors, and vendors alike must be aware of the acceptable use policy in place at Firion.  Ongoing security awareness training and mandatory continuing education are areas that will help reduce human errors that could contribute to possible security violations and other mishaps.  When the whole company follows proper standards and procedures, it is easier to see where the problem areas rest.  With employees being identified before reaching the building, wearing access badges and locking computers when in not in use, physical security becomes less of a risk to the organization.  Once employees are made aware of how important their role is in making the company more secure and have shown positive reinforcement of some sort, compliance naturally increases.

Data Back-up and Disaster Recovery

In order to recover from a disaster or data-loss incident, Firion will securely back up data on a regular basis depending on the system, and store back-ups at an off-site location.  Firion will have data access control in which archived data can be retrieved without much effort and is readily available when needed.  Storing information (servers, hard drives, or copyrights) at the off-site location is a good way to mitigate threats to security.  Not only is the off-site facility secure, it has a better chance of surviving a natural disaster and is unknown to virtually anyone that works for the company except the specifically identified members of the disaster recovery team.  As such, each team member with access to the off-site facility is recorded and is required to sign in and out when entering and exiting the building; which keeps a running log of who is accessing what and when.

To be sure Firion is able to maintain business continuity; a disaster recovery plan will be regularly updated.  One cannot automatically assume that having a disaster recovery plan means that it will ever be put to use; however, it should be looked to as preventative maintenance.  A company is more apt to survive a disaster when it is prepared for the worst.  Having systems or networks that have been hacked or attacked by malware and/or viruses, normally results in downtime as well as financial loss.  With a recovery plan in place, data is backed up and easily accessible, risk assessments have been periodically given to ensure security policies are sufficient, and government regulations have been taken into consideration.

The threats and vulnerabilities associated with faulty equipment such as the firewall that was not patched with the most up to date software would have been addressed during the initial creation of the disaster recovery plan.  Outsider threats that could potentially damage the organization would be denied and insider threats would be easily detected.  Each member that participates in the disaster recovery plan will have a clear understanding as to what their roles and responsibilities are and have an active role in updating the user community with policies and procedures.

Overall, if employees of Firion stick to the cyber security policy that has been put in place, the company will have a successful track record when dealing with insider and outsider threats. Positive reinforcement, mandatory training, and simply being knowledgeable about security vulnerabilities are all motivating factors for employees to follow process and procedures. The monthly periodic reviews are also a good way to make sure the security policy is being enforced. Although physical security, inside and outside the organization, are definitely key factors when it comes to protecting a company’s assets, the manner in which Firion deals with human factors is what will determine how successful the company will be in mitigating the threat from cyber criminals or malicious insiders.











Addendum 1


5 USC § 552A.  (1974). Privacy Act of 1974.  Retrieved from

44 USC § 3542.  (2002). Economic Espionage Act of 1996.  Retrieved from

Campbell, Q.  & Kennedy, D.M.  (2009). The Psychology of Computer Criminals.  Computer and Security Handbook Volume 1, 5th Edition (pp.  12.4-12.8).  Hoboken, NJ: John Wiley & Sons, Inc.

Department of Health and Human Services (HHS).  (2003, May).  U.S.  Department of Health and Human Services: Summary of HIPAA Privacy Rules.  Retrieved from

Fiegelson, J., & Calman, C. (2010, April). Liability for the costs of phishing and Internet theft. Journal of Internet Law, 13(10), 1. Retrieved from

Information Security. (n.d.). definition from Encyclopedia. Retrieved from,1233,t=information+security&i=44958,00.asp

Public Law 107-204: Sarbanes-Oxley Act of 2002.  (2002). Retrieved from

Rudolph, K. (2009). Implementing a security awareness program. In S. Bosworth, M.E. Kabay, & E. Whyne (Eds.), Computer security handbook volume 2, 5th edition (pp. 8, 28-30). Hoboken, NJ: John Wiley & Sons, Inc.

Smith J. & Kelley, D.E.   (2010, July).  UFC/ISC security design criteria overview and comparison.  Applied research associates, INC.  Retrieved from

UMUC. (2010). Interactive Case Study. Document posted in University of Maryland University College CSEC 620 9082 online classroom, archived at:

U.S. Department of Education. (2008, January). Administrative communications system, Departmental directive.  Retrieved from

Verduyn, B.  (2005).  2005 FBI Computer Crime Survey.  Retrieved from

Voiskounsky, A.  & Smyslova, O.  (2003).  Flow-Based Model of Computer Hackers’ Motivation.  Cyber Psychology & Behavior vol.  6 (2), 171-180, doi: 10.1089/109493103321640365

Woodbury, C. (2007). The Importance of Data Classification and Ownership. Retrieved from


1 Comment

Vulnerabilities and Threats of Mobile Computing

Vulnerabilities and Threats of Mobile Computing
By: Amy Wees
CSEC620 Section 9082University of Maryland University College




Tech target defines mobile computing or nomadic computing as “the use of portable computing devices (such as laptop and handheld computers) in conjunction with mobile communications technologies to enable users to access the Internet and data on their home or work computers from anywhere in the world (, 2012).”

Mobile computing is a part of everyday life for many people.  Devices that offer the ability to connect to the Internet on-the-go are vast.  Some common examples are smartphones, laptops, tablets, Global Positioning System (GPS) devices, music players, handheld video games, wireless home appliances and e-readers (O’Dell, 2010).  A study conducted by Morgan Stanley in 2010 “predicts that the mobile web will be bigger than the desktop web by 2015 (O’Dell, 2010).”  This is mostly due to the development of smaller, more affordable devices with better data coverage and connection speeds.  Mobile e-commerce is also increasing along with the use of social networks over e-mail use (O’Dell, 2010).

Mobile computing is prevalent for businesses and consumers because of its many advantages.  Businesses can communicate with employees and customers in and out of the office, employees can update their work and human resource requirements in online portals.  People can search for, communicate with, and navigate to businesses on-the-go.  Productivity and leisure time are also increased as people can send and receive e-mails, update their social status, conduct research, or watch a movie all while waiting at the airport or standing in line at the coffee shop (Shukla, 2011).  “We are entering the era when the mobile employee has become the typical employee rather than the exception. One recent survey found that 81% of global executives use a mobile device, and analyst firm IDC estimates that there will be 1 billion mobile workers by 2011, including nearly 75% of the US workforce.”

Although mobile devices offer ways to be productive without an Internet connection such as by tracking appointments and reminders, creating documents and taking notes, capturing photos or videos, and listening to music; an Internet connection offers the ability to access and share information at anytime from almost anywhere.  Many software applications used for productivity and leisure are also limited or unusable without an Internet connection.  Some examples are Microsoft Office’s templates, e-mail applications which require Internet access to download new mail or send mail, music and video streaming software such as Apple’s iTunes which requires online access to download new content and anti-virus programs such as Norton that download important updates from online repositories.

Mobile computing devices connect to the Internet in a variety of ways such as wirelessly using a Wi-Fi card and a wireless internet connection or hotspot, through a mobile broadband connection such as third generation (3G) or fourth generation (4G) wireless connections provided by a cellular network, or by tethering using a cellphone as a modem (Pinola, 2012).

Vulnerabilities and Associated Threats of Mobile Computing

The benefits of mobile computing also come with various cybersecurity threats and vulnerabilities.  The vulnerabilities of mobile computing can be associated with the devices hardware, the Bluetooth or wireless internet connections, or mobile applications, data, and information transfer.  Threats associated with vulnerabilities are rated on a scale of low, medium, and high based on the likelihood of the threat versus the impact to the user (Bosworth, Kabay, & Whyne, 2009).  Threats will be listed from highest to lowest threat rating and strategies to decrease the probability of or mitigate the threat will also be noted.

  1. 1.      High Threats (Likelihood and Impact to User are High)   

Theft or Loss

The chance of loss or theft of a device is high.  Some devices are small and easy to lose and because of their portability even larger laptops can be left behind.  Theft of devices is also a concern as there is a large market willing to buy and “most devices are stolen for their cash value and not their information value (Barcelo, 2011).”  The vulnerability with theft or loss is the loss of proprietary or personal data.  A study done by the Ponemon Institute found that “55 percent of consumers are aware that they may be putting their employers’ confidential business information at risk when using their smartphone for both business and personal use.  The survey also found that 52 percent of those who are aware of the risk say that it has happened (NZ Business, 2011).”

Employers need to consider this risk when drafting security policies to ensure the rules on the use or prohibition of personal devices for company purposes are spelled out.  Hardware and software of the device should be known to the employer and employees should be required to follow minimal secure practices on their devices before accessing company websites or e-mail (NZ Business, 2011).  The Information Systems Control Journal notes “The biggest decision a corporation needs to make with respect to mobile device deployment is the cost of support based on graduated levels of security. If the total cost of the device and the risk it generates does not surpass the business benefit, corporate management should “just say no (Milligan & Hutcheson, 2008).”

It is difficult to prevent theft or loss of devices, but the loss of data can be minimized by encrypting data on the device, requiring a password, biometrics, or an access key to use and configuring the device to erase data after a number of failed logon attempts.  The cost of these mitigations is minimal since most operating systems offer password protection and biometric systems are also relatively inexpensive (Milligan & Hutcheson, 2008).  Another option is to install software that allows remote wipe of the data such as Lojack for laptops and Sophos for smartphones (Barcelo, 2011).  Users may not want to take the extra steps in logging on to their devices but the pay off is rewarding if the device is lost or stolen.

Malware and Phishing Attacks

The threat of malware includes viruses, Trojans, worms, spyware and other types of malicious software that can severely degrade or destroy a computer system’s operations.  Most malware is targeted at laptops but threats against mobile phones have also recently been discovered.  The danger of mobile devices infected with malware is that they can infect other computers when connecting to a network at work or home.  The “mobile blind spot” is a large threat for businesses that allow their employees to use corporate devices and travel for weeks exposed to malware without updating anti-virus software and then returning and connecting to the business’ network (Friedman & Hoffman, 2008).

Phishing attacks are an additional concern for users’ on-the-go. The risk of malware can be reduced by using updated anti-virus and anti-spyware software but phishing tricks users into giving up personal information, log-on information or downloading a file that could be a virus simply by sending an e-mail or displaying a website that appears to be from a reputable company but is really a cybercriminal looking for an easy target.  Phishing attacks have gotten so sophisticated they are often hard for even the experienced computer user to distinguish.  “In May 2011, Trend Micro discovered a vulnerability in Hotmail that could compromise a user’s account just by previewing an e-mail. The malicious messages, specially crafted for individual targets, triggered a script that could steal e-mail messages and contact information and forward new messages to another account (Newman, 2011).  Although some phishing attacks may be hard to recognize, the best prevention strategies are to read e-mail carefully to ensure it is from a reputable source, look for grammatical errors and avoid opening attachments unless their receipt is expected (Newman, 2011).

  1. 2.      Medium Threats (Likelihood and Impact to User are Medium)

Wireless Internet Connections –

Unlike wired devices within the work center which are often behind firewalls and physical security defenses, mobile devices connect to corporate networks and the Internet directly without the protection of firewalls.  Wireless networks controlled by business are much more protected and controlled than the wireless hotspots mobile workers are connecting to which may have little or no security, leaving devices vulnerable to interception or spoofing (Friedman & Hoffman, 2008).

Unsecured WiFi connections such as those at the local Starbucks coffee shop are an open invitation for snoopers and can even allow an attacker to take over a users’ browsing session.  A hotspot attack called sidejacking uses automated tools to take over unsecured websites.  One such tool developed by Mozilla as a Firefox browser plug-in is called “Firesheep.”  “Firesheep automates session hijacking attacks over unsecured Wi-Fi networks by analyzing traffic between a Wi-Fi router and a person’s laptop or smartphone using a packet sniffer (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”

Users can reduce risks of hotspots and wireless networks by deactivating the automated search and connect to wireless feature on their device and connecting to secure wireless connections whenever possible.  “Developers such as Google offer encryption support for browsers using open connections and IBM has created a Secure Open Wireless Standard that uses a digital certificate to secure the hotspot and ensure the Service Set Identifier (SSID) is legitimate (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”


            Bluetooth technology allows laptops, phones and other devices to wirelessly transfer data between devices, connect to technologies such as keyboards and other peripherals, and stream audio and video.  Mobile devices with Bluetooth activated and set to discoverable are vulnerable to bluesnarfing attacks.  Bluesnarfing uses a Bluetooth connection to steal data such as contacts, calendars, e-mails and text messages, often without the user’s knowledge.  “Bluesnarfing requires software such as “SpyBuddy” which is easy to install software can monitor a device’s text messages, phone calls, and GPS and is totally undetectable (Bluejacking Tools, 2012).”

With the amount of uses for Bluetooth technology today, it is important for mobile users realize the security threats to Bluetooth, to pair with known devices only, and turn Bluetooth off when not in use.

  1. 3.      Low Threats (Likelihood and Impact to User are Low)

Mobile Phone Applications

            Although applications submitted to Apple and Android markets are evaluated prior to being added to the marketplace, recent events leave reason to believe the security of applications is not the number one priority (Westervelt, 2011).  In June of 2010, Apple banned a Vietnamese developer from the iTunes store after his electronic books application reportedly charged 400 users for books they did not purchase.  Experts believe the developer launched the attack to boost his ratings in the iTunes store; as he was able to move from position 50 to 21 in a matter of weeks.  In response, Apple implemented a new policy that requires users to enter credit card data more often (Computer Weekly, 2010).  One month later a reported 4.6 million Android users downloaded a wallpaper application that was collecting data such as the users’ phone number and transmitting information to China (Warwick, 2010).   Security firm Lookout studied the application and reported that although the application was suspicious there was no proof that the activity and data transmission was malicious.  Lookout’s Chief Technology Officer Kevin MaHaffrey spoke on mobile application security at a BlackHat conference: “Apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones (Warwick, 2010).”

A study by Veracode Inc. found a hard-coded cryptographic key in 40 percent of Android mobile applications.  Veracode discovered these keys assign the same password to multiple users allowing for anyone, namely an attacker, to easily discover and publish keys in public forums (Westervelt, 2011).  Chris Wysopal, Chief Technology Officer of Vericode stated “If someone loses their phone and an attacker gets access to that application, the attacker could basically get access to all the data that everyone in the organization can access (Westervelt, 2011).”

Mitigation of application vulnerabilities is easier said than done as the resources and infrastructures for creating applications are still very immature.  Some suggestions for improvement in software are code signing which allows users to verify the applications’ source; sandboxing, which separates an application from other processes; and permission notifications to warn users of an application attempting to access their data (Westervelt, 2011).  It will be up to the application police such as Google for Android and Apple for iTunes to raise the standard for security requirements in mobile applications and to users to review the application before downloading.


            People and businesses today have found ways to use mobile technology to their advantage by working and communicating from anywhere at anytime.  Although the advantages of mobile computing come with cybersecurity risks; the right training, information, and policies can reduce these risks and allow for continued productivity in the mobile world.  As devices and technologies improve, cybercrime will also evolve.  Technology professionals and businesses must keep security at the forefront of development and implementation in order to keep customers and proprietary information safe.


Barcelo, Y. (2011, September). Mobile Insecurity. CA Magazine, pp. 36-38.

Bluejacking Tools. (2012). Mobile Phone Spy. Retrieved from Bluejacking Tools:

Bosworth, S., Kabay, M., & Whyne, E. (2009). Physical Threats to the Information Infrastructure. In F. Platt, Computer Security Handbook. New York: John Wiley & Sons Inc.

Computer Weekly. (2010, July 12). iTunes hack could effect thousands, say experts. Retrieved from Computer Weekly:

Friedman, J., & Hoffman, D. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 159-180.

Milligan, P. M., & Hutcheson, D. (2008). Business Risks and Security Assessment for Mobile Devices. Information Systems Control Journal, 1-5.

Newman, J. (2011, June 3). 4 Security Tips Spurred by Recent Phishing Attacks. Retrieved from PC World:

NZ Business. (2011, September). Are mobile devices compromising your business security? NZ Business, p. 60.

O’Dell, J. (2010, April 13). New Study Shows the Mobile Web Will Rule by 2015. Retrieved from Mashable:

Pinola, M. (2012). Mobile Internet Access Comparison. Retrieved from Mobile Office Technology: Pros and cons of different Internet-on-the-Go options:

Shukla, I. (2011, September 21). Advantages of Mobile Computing. Retrieved from (2012). Search Mobile Computing. Retrieved from

Warwick, A. (2010, July 30). Millions downloaded suspicious Android wallpaper. Retrieved from Computer Weekly:

Westervelt, R. (2011, December 8). Android app security: Study finds mobile developers creating flawed Android apps. Retrieved from SearchSecurity:

Westervelt, R. (2011, December 9). Top 5 mobile phone security threats in 2012. Retrieved from Search Security:


How to Start a Business in South Carolina and Beyond

By: Amy Wees

  1. I.                   Choose a Business Model
    1. a.       What type of business will you establish?  Online, brick and mortar, part or full time, home based, franchise, licensed product or marketing.
    2. b.      Ensure you are committed to working the number of hours required to start your business and that you are financially ready or research what financial options are available to you.
  2. II.                Write a Business Plan
    1. a.       Decide what kind of business you would like to establish, how small or large it will be, whether you will have employees, how much it will cost to run, and how you will fund your business.
    2. b.      Ensure you have some experience in the business you are starting, if not ensure you either work for a similar business or do extensive research on the workings of such a business.
    3. c.       Do some market research to find out what other businesses like yours are in the area; find out if the market share is large enough for your business to fit in the area.
    4. d.      What are your goals, who are your customers, how will you make a profit, how will you measure success?
  3. III.             Choose a business structure; evaluate the advantages and disadvantages of each one.
    1. a.       Sole proprietorship
    2. b.      Partnership
    3. c.       Corporation
    4. d.      Limited Liability Corporation
  4. IV.            Get your taxes lined up
    1. a.       Get a tax ID number
    2. b.      Get a federal tax ID number
  5. V.               Register and/or Certify your business
    1. a.       Register or certify your business depending on state requirements ( website)
  6. VI.            Create Key Business Assets
    1. a.       Website Address
    2. b.      Trademarks
    3. c.       Copyrights
    4. d.      Patents
    5. e.       Provisional Applications for Patents
    6. f.       Inventors Logs
    7. g.      Confidentiality Agreements
  7. VII.         Get Funding
    1. a.       Bootstrapping – pulling money from your own credit/assets
    2. b.      Debt Financing
    3. c.       Grants (such as those sometimes offered for Women owned businesses)
    4. d.      Friends and Family
    5. e.       Investors
    6. f.       Factoring
    7. g.      Venture Capitalists
  8. VIII.      Organize Logistics – you must get everything in order before starting your business such as
    1. a.       Have your books in order
    2. b.      Your contracts made up or lined up
    3. c.       Money safely placed and ready
    4. d.      Cover your downside
    5. e.       Accountants, Lawyers, Insurance agents, and Bankers can help
  9. IX.            Hire good people
    1. a.       Have a good mentor
    2. b.      Hire great employees with experience
    3. c.       Have good incentives to keep your great employees on your team!
  10. X.                Establish your brand
    1. a.       Your brand should sell YOUR product
    2. b.      Be strong
    3. c.       Send a message about your business
  11. XI.            Market and Sell
    1. a.       Do market research
    2. b.      Get the word out about your business
    3. c.       Establish customer target audience
    4. d.      Ensure that you have the right resources for your customer to pay for and receive your product such as credit card acceptance and shipping policies.


Below are some South Carolina state specifics and resources I found for Women Owned businesses.

Every state or jurisdiction has a process that you need to follow in order to start a business.  In the state that you are starting your business, where do you go to register the business?  What information is required?  How do you obtain your tax id or determine the regulations for your state?

Obtained from

A General Tax Guide for Starting a Small Business in SC 

If you are starting a new business or just thinking about it, you will want to know more about your tax obligations. This publication is intended to give you some basic information about South Carolina’s tax laws and how you, as a business owner, are affected. The South Carolina Department of Revenue wants to help your business succeed. We have offices in nine cities throughout the state and we invite you to drop in to discuss your business tax requirements.

Forms of Business Organization

There are several forms of business organization from which you may choose for your new business. Before deciding which form is best for your business, you may want to consult a tax adviser. The most common forms for business organizations are:

Sole proprietorship

A sole proprietorship is a business that is owned by an individual who is responsible for all aspects of the business. The owner is personally responsible for all debts of the business, even in excess of the amount invested in the business.


A partnership is a legal entity that is jointly owned by two or more people. As in the sole proprietorship, the partners or owners may be personally responsible for all debts of the business, even those in excess of the amount invested in the business.


A corporation is a business that is formed and authorized by law to act as a single person and is legally endowed with rights and responsibilities.

Limited liability company

A limited liability company (LLC) is an unincorporated business association that provides its owners (members) limited liability and flexible management and financial alternatives. An LLC usually provides the favorable pass-through tax treatment of partnerships and the limited personal liability of corporations.

Registering Your Business

The first thing you’ll need to do before opening your business is to register the business. If your business is a corporation, limited partnership, limited liability company or limited liability partnership you need to register with the Secretary of State.

Most businesses also must register with the South Carolina Department of Revenue. Some small, sole proprietorship businesses that are service-related and not selling goods and products to customers, may not have to be registered with the Department of Revenue. However, if you have any employees, you will be required to register to withhold income tax from employee wages.

You may be required to register with the South Carolina Employment Security Commission to report and pay unemployment insurance for your employees. You also may be required to register with the Workers’ Compensation Commission.

The city or county where you locate your business may require you to obtain a local business license. Certain types of businesses may be required to be registered with other state agencies. A lawyer or small business adviser can be especially helpful in ensuring that you register with all the proper government agencies.
Registering with the Department of Revenue

You can register for the most common state business taxes by completing Form SCTC-111, Business Tax Application, which can be obtained from our website at or by calling our Forms Office at (803) 898-5599. You can use this form to register for a retail license, a purchaser’s certificate of registration, solid waste tax, business personal property tax and income tax withholding. Depending on the type of business you have, you may need to make application for the following licenses or permits:

Admissions Tax License
Alcoholic Beverage License
Bingo License
Tobacco Manufacturers’, Distributors’ and Wholesalers’ Licenses
Coin-Operated Device License
International Fuel Tax Agreement Permit
Gasoline Dealers, Special Fuel Suppliers and Seller Users Licenses
Soft Drinks License

Purchasing the Assets of a Business

If you buy the assets of a retail business, sales tax which may be owed by the previous owner transfers to you. The sales tax owed is a lien against the business inventory and equipment. You cannot obtain a retail license until the tax is paid. Unpaid business personal property tax owed on the assets remains with the assets, therefore the tax debt also transfers to the new owner.

The Retail License

Before you start a retail business in South Carolina, you will need a retail license. Apply for the license on Form SCTC-111. The retail license must be obtained by all retailers, including those making infrequent sales in this state. If you have more than one business outlet, you must obtain a separate retail license for each location. The fee for each permanent retail license is $50. This license is good for as long as you own your business at that location. You do not have to renew the retail license.

If you sell arts and crafts which you make yourself, you can buy a special retail license for $20 to use for sales at arts and crafts shows and festivals. If you have no permanent retail location, you can purchase a transient retail license for $50 which will allow you to make sales throughout the state, but in only one location at a time.

Purchaser’s Certificate of Registration

A purchaser’s certificate of registration is required for someone who does not make retail sales but who purchases goods from outside this state to store, use or consume in South Carolina. Generally, the certificates are issued to construction contractors but is needed by any business which purchases goods from outside South Carolina. If you are licensed as a retailer, you do not need a purchaser’s certificate of registration.

Sales and Use Tax

Sales tax is an excise tax imposed on the sale of goods and certain services in South Carolina. Use tax is imposed on goods purchased out of state and brought into South Carolina for your own use or consumption or on those sales for which no sales or use tax has been paid.

The statewide sales and use tax rate is 5%. The following counties also impose an additional 1% local sales and use tax: Abbeville, Allendale, Bamberg, Barnwell, Berkeley, Charleston,, Chester, Chesterfield, Clarendon, Colleton, Darlington, Dillon, Edgefield, Florence, Hampton, Jasper, Kershaw, Lancaster, Laurens, Lee, Marion, Marlboro, McCormick, Pickens, Saluda, Sumter and Williamsburg.

Cherokee County imposes a 1% special local sales tax for schools. While not the local option sales and use tax, it is collected, reported and paid the same way.

Chester, Jasper, Newberry, Orangeburg and York counties imposes a 1% special local sales tax for capital projects. While not the local option sales and use tax, it is collected, reported and paid the same way.

Beaufort County imposes a 1% special local sales tax for transportation (effective 6/1/99).

Counties and municipalities also may pass local sales taxes on food, beverages and accommodations. Check with the governing body where your business is located.

Unless specifically exempt or excluded, all sales are subject to the sales or use tax. There are numerous exemptions and exclusions from the sales and use tax. Call the Department of Revenue at (803) 898-5788 to determine if any apply to your business.

The rental of transient accommodations, such as in hotels, motels, campgrounds and vacation homes, is subject to a 7% accommodations tax. The local option sales and use tax applies, along with any local accommodations tax imposed by counties and municipalities.

If you operate a retail business, you must report and pay sales tax to the Department of Revenue on all your sales. You may pass the sales tax along to your customers, but reporting and remitting the tax is your responsibility. If you’re buying merchandise for resale later, you do not need to pay the sales tax at the time you make the purchase, but the tax becomes due when the merchandise is sold at retail or withdrawn from inventory for your own use. You must present a resale certificate, Form ST-8A, to the seller in order to make the purchase tax-free. If you’re buying merchandise out of state for use in your business and not for resale, you must pay the use tax.

Report and pay sales and use tax on Form ST-3, Sales, Use and Local Option Return. If you rent accommodations, report the tax on Form ST-388. Depending on the amount of your sales, the Department of Revenue may authorize you to file returns and pay tax monthly, quarterly or annually. You must file monthly returns until you are authorized to do otherwise. You must file a sales tax return even if you had no sales during the reporting period.

A voluntary program to remit sales tax through electronic funds transfer is available. To participate, call the Department of Revenue at (803) 898-5828.

Income Tax

South Carolina’s top individual income tax rate is 7% and the corporate income tax rate is 5%, one of the lowest in the nation.

The way you report income from your business will depend on your business organization. If you create a corporation, you will register your business with both the Secretary of State and the Department of Revenue. As a corporation, in addition to the income tax, you must pay an annual corporate license tax which is based on capital stock and paid-in surplus of the corporation. The minimum annual license tax is $25. This is paid in advance along with the corporate income tax return each year.

You may decide to form a partnership with other individuals. If so, you must file a partnership return (SC1065) and report your share of the business income or loss on your personal income tax return.

If you form an LLC, you file the same type of return (corporate or partnership) with South Carolina as you file with the IRS. Forming a corporation, an LLC or a partnership usually requires the assistance of a lawyer.

If you are a sole proprietor, you report all income from your business on federal Schedule C of your personal income tax return. South Carolina does not have a separate Schedule C. For a South Carolina resident, federal taxable income is your starting point in determining how much state income tax you may owe.

Generally, South Carolina follows federal tax laws regarding your business income. If the Internal Revenue Service allows you to take deductions for business expenses or other costs, those deductions will be allowed for the purpose of determining your South Carolina taxable income. Federal taxable income is your starting point in determining how much state income tax you may owe.

Income Tax Withholding

If you have at least one employee working for you, you will need to register as a withholding agent for state income tax. If you form a corporation, you are considered an employee and must withhold income tax from your income.

You will withhold the state income tax from each employee’s salary and remit it to the Department of Revenue on a regular basis. The size of your payroll will determine the frequency and method of payment that is required of you. You may be required to pay the withholding taxes by depositing the money directly into a local bank or you may be required to mail your withheld income taxes to the Department of Revenue.

If you withhold $20,000 or more in any calendar quarter, you must pay withholding through electronic funds transfer. Your dates for paying the withholding tax to the Department of Revenue are the same dates required for you to pay the Internal Revenue Service. Complete details for withholding income taxes from your employees along with forms and withholding tables will be given to you when you register with the Department of Revenue.

Estimated Income Tax Payments

If you are a sole proprietor, partner, shareholder of an S corporation or a member of a limited liability company, you will be responsible for reporting and paying estimated tax on your income. These payments are made quarterly. Estimated tax payments for individuals are due on April 15, June 15, September 15 and January 15. Estimated tax payments for C corporations are due on the 15th day of the third, sixth, ninth and 12th months of the tax year.

Property Tax

Property tax is administered and collected by local governments with assistance from the Department of Revenue. Real and personal property are subject to the tax. The tax is paid by individuals, corporations, partnerships, etc. owning property within the state.

Each class of property is assessed at a ratio unique to that type of property. The assessment ratio is applied to the market or use value of the property to determine the assessed value of the property. Each county, municipality, school district and other tax district then applies its millage rate to the assessed value to determine the tax due. The following ratios are applied to each class of property to determine the assessed value: (fmv=fair market value)

Manufacturing – 10.5% of fmv
Utility – 10.5% of fmv
Railroads, Private Carlines, Airlines and Pipelines – 9.5% of fmv
Legal residences – 4% of fmv
Agricultural (owned by individuals, partnerships and LLCs) – 4% of use value
Agricultural (owned by most corporations) – 6% of use value
Other real estate – 6% of fmv
Personal property – 10.5% of income tax depreciated value
Motor vehicles – 10.5% of fmv
Motor carrier vehicles – 9.5% of fmv

When you register your business for a retail license, you will automatically be registered for business personal property tax. Form PT-100 will be mailed annually to you to complete. You are required to report and pay property tax on any furniture, equipment and fixtures you maintain in your business. The tax is levied and collected by your local government.

Business Tax Incentives

You may qualify for tax incentives for your new business. Location of the business, total capital investment and number of employees hired are all factors which determine your eligibility for tax incentives. For more information, see the Department of Revenue’s publication Tax Incentives for Economic Development, on our website at



What certifications are necessary or available for women owned businesses?

Derived from

Certification as a Minority Business Enterprise (MBE)

  1. A South Carolina business seeking certification as a Minority Business Enterprise must submit to OSMBA an application and any supporting documentation as may be required. It is the responsibility of an applicant business and its owner(s) to provide information to OSMBA about its economic situation when it seeks certification.
  2. OSMBA will conduct an interview of the owner(s) at their place of business and a site visit of the business as part of the certification approval process.
  3. The Certification Board within OSMBA will determine if the business is controlled and operated by socially and economically disadvantaged individuals. Upon recommendation of the Certification Board, OSMBA will certify the business as a socially and economically disadvantaged small business and issue a Certification as authorized by Section 11-35-5270 of the Procurement Code.

Certification Board/Procedures:
The certification board, as defined below, is responsible for reviewing files and applications in order to determine whether a business should be recommended for approval or disapproval by the Director of the OSMBA (hereinafter referred to as the Director) as a certified business in compliance with Article 21 of the South Carolina Consolidated Procurement Code.

Applications for certification must be addressed to the Director. Upon receipt, OSMBA shall conduct an investigation of the applicant and provide the results to the Certification Board. Failure to furnish requested information will be grounds for denial or revocation of certification.

Eligibility requirements for certification as a Minority Business Enterprise (MBE) are per 19-445-2160 of the South Carolina Procurement Code Regulations and Title 49, Part 26, of the Code of Federal Regulations (CFR). In order for a firm to be certified, it must be found to be a small independent business owned and controlled by a person or persons who are socially and economically disadvantaged. The following factors will be considered in determining whether the applicant is eligible for certification:

1. Small Business

The applicant firm must be an existing “for profit” business. It must also meet the federal definition of a small business based on its primary SIC/NAICS code, as described by the US Small Business Administration (SBA), and must not exceed the small business size standard established for it’s particular line of work.

2. Independent Business

  • Recognition of the business as a separate entity for tax or corporate purposesis not necessarily sufficient for certification under Article 21. In determining whether an applicant for certification is an independent business, OSMBA shall consider all relevant factors, including the date the business was established, the adequacy of its resources, and relationships with other businesses.
  • A joint venture is eligible if one of the certified business partners of the joint venture meets the standards of a socially and economically disadvantaged small business and this partner’s share in the ownership, control and management responsibilities, risks and profits of the joint venture is at least 51 percent, and this partner is also responsible for a clearly defined portion ofthe work to be performed

3. Ownership and Control

  • The business must be 51 percent owned by socially and economically disadvantaged persons. The OSMBA will examine closely any recent transfers of ownership interests to insure that such transfers are not to be made for the sole purpose of obtaining certification.
  • Ownership shall be real, substantial and continuing and shall go beyond the pro forma structure of the firm as reflected in its ownership documents. The minority owners shall enjoy the customary incidents of ownership and shall share in the risks and profits commensurate with their ownership interests, as demonstrated by an examination of the substance rather than form of ownership arrangements.
  • The contribution of capital or expertise by the minority or women owners to acquire their interest in the business shall be real and substantial. Examples of insufficient contributions include gifts, inheritance, a promise to contribute capital, a note payable to the business or its owners who are not socially disadvantaged and economically disadvantaged, or the participation as an employee, rather than as a manager.

Disadvantaged owners must be US citizens and meet the federal definition of socially and economically disadvantaged as defined by 49 CFR 26.67. Presumptive groups include “women, Black Americans, Hispanic Americans, Native Americans (including American Indians, Eskimos, Aleuts and Native Hawaiians), and Asian Pacific Americans. Personal networth of a disadvantaged owner cannot exceed $750,000.

Definition of terms:
A “Minority Person” means a United States citizen who is economically and socially disadvantaged.

“Socially disadvantaged individuals” means those individuals who are members of the following groups: Black Americans; Hispanic Americans; Native Americans (including individuals recognized as American Indians, Eskimos, Aleuts and Native Hawaiians), Asian Pacific Americans and Women.

“A socially and economically disadvantaged small business” means any small business concern which:

(a) At a minimum is fifty-one (51) percent owned by one or more citizens of the United States who are determined to be socially and economically disadvantaged and who also exercise control over the business.

(b) In the case of a corporation, at a minimum, fifty-one (51) percent of all classes of voting stock of such corporation must be owned by an individual or individuals determined to be socially and economically who also exercise control over the business.

(c) In the case of a partnership, at a minimum, fifty-one (51) percent of the partnership interest must be owned by an individual or individuals determined to be socially and economically disadvantaged who also exercise control over the business.

“Small Business” means a concern, including its affiliates, that is independently owned and operated, not dominant in the field of operation in which it is bidding on government contracts, and qualified as a small business under the criteria and size standards in 13 C.F.R. Section 121 (1989).

Minority Business Enterprise is a business which has been certified as a socially and economically disadvantaged small business.

OSMBA reserves the right to cancel a certification at any time if a business becomes ineligible after certification. OSMBA will take action to ensure that only firms meeting the eligibility requirements stated herein qualify for certification. OSMBA will also review the eligibility of businesses with existing certifications to ensure that they remain eligible. A business organization’s, ownership or control can change over time resulting in a once eligible business becoming ineligible. Certified businesses must notify OSMBA, in writing within 30 days, of changes in organization, ownership or control. When OSMBA determines that an existing business may no longer be eligible, it will file a Complaint with the Certification Board, and send a copy of the Complaint by certified mail to the business. Upon receipt of such a complaint, the Certification Board shall conduct a hearing in accordance with the procedures set forth in the Administrative Procedures Act (Section 1-23-310, et seq., Code of Laws of South Carolina, 1976, as amended).

OSMBA may revoke the certification of any firm which has been found to have engaged in any of the following:

  1. fraud or deceit in obtaining the certification;
  2. furnishing of substantially inaccurate or incomplete information concerning ownership or financial status;
  3. failure to report changes which affect the requirements for certification;
  4. gross negligence, incompetence, financial irresponsibility, or misconduct in the practice of his/her business; or
  5. willful violation of any provision of Article 21.


Certification Forms for New Applicants [PDF]

Forms for Re-Certification as MBE – part I [PDF]

Forms for Re-Certification as MBE – part II [PDF]
Certifications expire 5 years after issuance. MBE’s must re-submit evidence of qualification for certification



What are the steps in certifying your business with the State, Federal Government, and for the private sector?

Obtained from

Certifying Your Business

For many minority- and women-owned companies, acquiring state or national certification opens doors to business opportunities and can mean the difference between winning and losing a contract. Learn how MurTech Consulting has used certification to open doors to new business opportunities.

Key accepts certifications from city, state, local, and federal agencies as well as from certifying organizations such as the Women’s Business Enterprise National Council (WBENC) and the National Minority Supplier Development Council (NMSDC).

What is certification?

  • Minority-owned enterprise (MBE) or woman-owned enterprise (WBE) certifications are granted by public and private agencies to companies that can prove they are at least 51% owned and operated by minorities or women
  • The certifications offer a “seal of approval,” showing that a company’s claim of being a minority or woman-owned enterprise (M/WBE) has been investigated thoroughly by an outside group and found to be true

What are the criteria for certification?

Basic criteria for certification include:

  • 51% ownership by a woman or women
  • Proof of effective management of the business (operating position, by-laws, hire-fire and other decision-making role)
  • Control of the business as evidenced by signature role on loans, leases, and contracts
  • U.S. citizenship

The business owner will be asked for general information about the business, its history, legal and financial structure. Other documents may include, but are not limited to, customer and bank references, loan activity, financial statements, articles of incorporation, tax returns, stock certificates, resumes, drivers’ licenses, and proof of citizenship.

How long does certification take and how much paperwork is involved?

Some certification fees may range as high as $350 and the certification process tends to be stringent, involving significant paperwork and even a site visit. When an organization certifies your business as a women-owned and women-controlled business, it must strictly adhere to national standards to protect the integrity of the certification designation.

Help decrease the time it takes for an organization to certify the business by submitting complete and accurate packages, double-checking every line item, following the checklists provided, and most importantly, by reading the instructions in the certification packet. Certifying agencies generally won’t process an incomplete application.

Who certifies women-owned businesses?

There is not one certificate accepted across-the-board — rather than apply to several different groups and go through a costly process for each, investigate which certification is likely to be accepted by the majority of your potential customers. Certifying agencies and resources:

Connect with Key4Women

Helpful Resources


Why do you need a federal tax id?  How do you obtain one?

Obtained from

To set up a federal tax ID number (also called an Employer Identification Number, or EIN), contact you’re nearest Local IRS Field Office, or call the IRS Business and Specialty Tax Hotline at 800-829-4933.

You can also apply online for an EIN via the IRS web site. The online application asks the questions, you provide the answers and, just like that, you get your EIN immediately. You can then download, save, and print your EIN confirmation notice.

If you want to apply the old-fashioned way, the form you’ll need to fill out is IRS From SS-4 (.pdf).

If your business does not have employees, the IRS recommends you label the top of the form SS-4 “For Identification Purposes Only.”

Does your business even need a federal tax ID?
See: Do I Need a Federal Tax ID (EIN) Number?

Q. Does my business need a federal tax ID number?

A. Any business offering products or services that are taxed in any way must get a federal tax ID number. If your state taxes personal services, or if you are required to collect sales taxes on your sales, you need a federal tax ID number. All the government forms you will be required to file for your business will require either a Social Security number or a tax ID number.

It’s safe to say that any business that has employees and/or pays any kind of taxes will need a federal tax ID.

Best advice is, when in doubt, get one. It’s easy to do.

Where can you find resources and information for doing business with and in your state?  

Derived from

The website has a place just for business owners to go to learn about anything and everything necessary to do business with and in SC, here is a screen shot of the site:





What if you wanted to bid on a state contract?

The website has links to State Government Business Opportunities which walk you through the process of bidding on state contracts and even contracts from other solicitors.  Here is a screen shot of their page:

Is there a support or advocacy organization for women in your state. As an example, in the State of Maryland, there is an office that supports women and minority owned businesses.   Does a similar organization exist in your state? What is it?   There are also non-profit organizations that advocate and provide resources for women entrepreneurs.  Identify a few.

Yes, Greenville, SC has a Women owned business website here is a screen shot:

     There is also a state office of small and minority owned business here is a sample of their website:


·         Small Business Resources for Women in Business

Since 1998, Woman Owned has provided information, tools, networking opportunities and advice to hundreds of thousands of women business owners. Today, we offer even more.

·         WomenBiz.Gov – Welcome

You’ll find useful information and links specifically focused on the woman business owner interested in doing business with the federal government.

·         Women Owned Businesses |

Federal resources and assistance for women entrepreneurs and business owners  ·

·         Home []

Looking for a way to promote your company to major corporations that are actively seeking to conduct business with womenowned businesses? WBENC-certified Women‘s Business

·         Home []

The Nation’s First WBE Certifier: NWBOC provides a national certification program for womenowned businesses. The certification, called Woman Business Enterprise (WBE …


Minority- and WomanOwned Business Enterprise and Small Business Enterprise Certification Programs What is the Minority- and WomanOwned Business Enterprise Certification Program?

·         SBA 8(a) Minority-Owned and WomanOwned Business Directory

Search by Location

·         WomenBiz.Gov – FAQs

Here are answers to the questions women business owners ask most often. How do I certify my business as womanowned? What are the criteria for classification as a small business?

·         Women Owned Business Network – Home

PO Box 1684 301 W. High Street, Suite 680 Harry S. Truman Office Bldg. Jefferson City, MO 65101 Toll Free: (877) 426-9284 Phone: (573) 751-0810 Fax: (573) 522-5005

·         Small Business Grants and Loans for Women Business Owners

Be aware of the opportunities that exist for women business owners. Grant opportunities can provide you with money to grow and come in the way of loans, scholarships, microloan …

What are some of the resources available to start or grow your business in your state?

Buildings and Site Locator South Carolina has an extensive database of industrial properties for sale or lease. Search by size, infrastructure and surrounding community resources …

Learn the steps to take when starting a business in South Carolina.

Starting a Business; Taxes & Insurance; Workforce; State Employees. Documentation & Forms … Relocate your business to South Carolina, grow an existing business, or improve your community

A General Tax Guide for Starting a Small Business in SC . If you are starting a new business or just thinking about it, you will want to know more about your tax obligations.

Learn the process, legal and regulatory requirements for starting a business in South Carolina. Also get tips on where you can get help as you jump start your small business.

South Carolina State Library website … The Grants Research Collection covers private foundations that give only to nonprofit organizations.

Links to Other Helpful Sites. Small Business Administration (SBA) Offers great tips on starting, expanding and financing your business from the U.S. Government.

Starting a business in South Carolina, as in most other U.S. states, requires that you obtain and annually renew a business license. This ensures that your company is legally …

Explore South Carolina‘s small business resources and get information about paying … Legal steps to starting a business in South Carolina. Operating a Business

, ,


Effective Methods of Employee Recognition

 Effective Methods of Employee Recognition

Amy L. Wees

1 December 2009

There are many ways that employees can be recognized in the work place for doing their job well or exceeding the expectations of their employers.  For example, a manager can give verbal praise, present a certificate of appreciation, hold a sales competition, or utilize a more formal performance feedback and evaluation system.  No matter the method used, effective employee recognition programs have proven to be helpful in improving the workplace environment by motivating employees, increasing productivity, and encouraging improved performance.



Maintaining employee satisfaction and keeping attrition rates low are important to managers and companies alike because of the high cost of training new employees and the affects of low morale on productivity.  Establishing an effective employee recognition program can be the answer to keeping employees motivated, productive, and loyal to the firm.  Training company management to give praise for a job well done or hosting celebrations for goals that are met are good examples of simple everyday recognition practices. However, to really make a difference in the bottom line a formal and structured recognition program is best (Messmer, 2004).

Research Focus


The primary focus of this research project is to identify the most effective methods of employee recognition in today’s business environment and also what it is that makes these methods successful.  Although the mission, goals, and employee culture of each business may vary, the secondary objective of this research is to identify the methods that are most successful across the board and are most common among all workplaces.   The reasons for choosing these particular research focuses are to bring to the forefront what ultimately motivates people to perform at their best in the workplace; no matter what their profession.

Research Results


Refer to Table 1 for research results.

Table 1



Desired Effect on Motivation

(APA citation required for  each)

Desired Effect on Performance

(APA citation required for  each)

Desired Effect on Productivity

(APA citation required for  each)

Frequently Delivered 1.Saying Thank-you publicly


2. Employee-to-employee recognition

1. Publicly thanking staff can encourage others to strive for similar recognition (Lovewell, 2003). 1. Treat your employees as you want them to treat your customers (Hart, 2009). 2. Goodies box stocked by employees.  A co-worker who spots another going above and beyond can award a prize on the spot (Administrative Professional, 2009).
Reflects Organizations Values 1.paid educational conferences

2.rewards for impacting the mission

2. The bottom line in terms of motivating people is that employees understand what they’ve done has had an impact on the organization (Lovewell, 2003). 1. Universities have no control over pay but allow employees to attend educational conferences (Lovewell, 2003). 2. If people receive positive reinforcement for what they’ve done, they’re more likely to do it again (Lovewell, 2003).
Appropriate to the Achievement 1.certificate of achievement


2. gifts


3. celebrate personal milestones

1. Recognize the behaviors that led to achievement… recognize employee enrollment instead of graduation (Hart, 2009). 2. The gift items are just awards, the reasons employees receive them and the way their given are the heart of a good program (Hart, 2009). 3. At our company, when an employee fills out a change of address card, HR automatically sends a housewarming gift (Hart, 2009).
Individually Tailored or awards that appeal to people’s personal interests


2. personalized letter



2. A handwritten note from the CEO may have far greater impact than a large bonus… personalized gestures are likely to be remembered (Lovewell, 2009). 1. One company full of sports fans took top performers to a ball game… creates ongoing enthusiasm (Administrative Professional, 2009). 1. Try to customize the options to suit the personality and interests of each performer to make it more meaningful…a ski pass for an outdoor enthusiast (Messmer, 2004).
Team Recognition rewards


2. certificate or award


3. employee-to-employee recognition

1. the most effective incentives are available to everyone (Messmer, 2004).


1. When your team achieves goals, recognizing their accomplishment is perfectly appropriate… should be done before project ends (Bielaszka-DuVernay, 2007).

3. Recognition can flow from managers to employees… research shows that absence of recognition is the second leading cause of burnout and stress in the workplace (Hart, 2009). 2. Creative options can have a positive impact, one company the most coveted form of recognition is the Koala T, a stuffed koala that is given for quality work (Messmer, 2004).



After researching this topic I realize that having an effective recognition program is perhaps the most important element to any business’ success or failure.  After all, it is the people that keep the wheels turning in the business and when they want to come to work and are motivated to do their best and be their best for the company it can make a huge difference in the bottom line.  It is also important that employees feel they are an important part of the process, and the mission as a whole.

Overall, I have learned that it is important for a business to establish a recognition program and make sure employees know what they are being recognized for and where they fit into the organization. If this is done employees will have something to strive for and be motivated to perform.  Without an actual program in place it is likely management may only take the time during an annual review or after a big project to recognize employees and this is not enough.

After completing this research I realized some ways in which we can improve the recognition program at my workplace.  We currently hold quarterly and annual awards programs for top performers.  We could do better by recognizing people every day for the things they do, recognizing team performance, tailoring awards to individual interests, and ensuring our personnel know how their achievements impact our organization.



(2009). Spur excitement with employee awards. Administrative Professional Today, 35(10), 7. Retrieved December 3, 2009, from Business Source Complete database.

Bielaszka-DuVernay, C. (2007). Are You Using Recognition Effectively?. Harvard Management Update, 12(5), 2-3. Retrieved December 3, 2009, from Business Source Complete database.

Grigg, N., & Mann, R.. (2008). Rewarding Excellence: An International Study into Business Excellence Award Processes. The Quality Management Journal, 15(3), 26-40.  Retrieved December 3, 2009, from ABI/INFORM Global. (Document ID: 1525289771).


Hart, P. (2009). Employee recognition: Have you hugged your employees today?. HR Specialist: Compensation & Benefits, 4(12), 5. Retrieved December 3, 2009, from Business Source Complete database.

Lovewell, D. (2003). Valuing the power and praise of reward. Employee Benefits, 10. Retrieved December 3, 2009, from Business Source Complete database.

Messmer, M. (2004). Creating an Effective Recognition Program. Strategic Finance, 85(7), 13-14. Retrieved December 3, 2009, from Business Source Complete database.

Saunderson, R. (2009). INCENTIVE ONLINE COLUMNIST: Teaching Recognition from the Top Down. Incentive, 183(6), 66. Retrieved December 3, 2009, from Business Source Complete database.

Saunderson, R. (2009). Last Word: Can You Be Specific About Recognition?. Incentive, 183(1), 3. Retrieved December 3, 2009, from Business Source Complete database.










, ,


Business Management Today – A flexible process


Business Management Today – A flexible process

Submitted by: Amy Wees

Table of Contents

  1. Introduction


  1. The business Plan
    1. writing a flexible but successful business plan
    2. making changes to the plan
  2. Executing the business strategy
    1. making sense of a situation
    2. making important choices
    3. making things happen
    4. making revisions
  3. Overcoming Competition in a Global Market
    1. When new segments emerge
    2. When cost structures can converge
    3. When the value chain can be rearranged
  4. Business Partnerships
    1. Formal contracts
    2. Relational governance
    3. Data and Methods of proving the formal contacts vs. relational governance theory
    4. globalization diversity and culture considerations
  5. Conclusion

Problem Statement: It is important for today’s managers to remain flexible when making tough decisions about their business throughout the planning cycle.


New businesses fail at the rate of ninety percent in the first year.  How can an entrepreneur plan a successful business in today’s cut throat market?  The key is flexibility, the ability to see the big picture and to deal with unforeseeable uncertainties when writing a business plan and executing it.  Some areas to consider are: writing the business plan, executing the business’ strategy, finding a place in the competitive market, and considering globalization and business partnerships.  The most important aspect for today’s managers is to remain flexible when making tough decisions about their business throughout this planning cycle.

The Business Plan

The first step to the startup of a business is to create a solid business plan.  This business plan must include strategic plans that include the overall goals of the organization as well as operational plans that outline how the strategic goals will be achieved (Robbins, 189).  The actual goals listed must define the organization’s mission as in “how will the business make a profit?”  A business plan must also include available resources, capital and technology use and how resources will be allocated.  Essentially, a business plan should answer the questions: Who are we?  What do we do?  When will we start up? Where will we be located?  Why are we starting this business (goals)?  And how will we achieve our goals?  After the entrepreneur has all of these items lined up he or she must understand that the business plan is, and always will be, a rough draft.  If one is opening an Italian restaurant, for example, and the day before opening an Olive Garden moves in down the street, one might reconsider some parts of his or her original business plan and must be prepared to make changes as necessary in order for the business to succeed.

Executing the Business Strategy

            During the start-up of an organization, the management must turn the previous strategy sessions of business planning into an executable plan.  This can be difficult.  Managers must ensure they inform the right people involved of their goals and that they give the right direction in the execution of those goals.  Management professor and author Donald Sull has published an article in the Sloan Management Review detailing how managers can best close the gap between business strategy and execution.  Professor Donald Sull (2007) discusses the “strategy loop”; an interactive process that consists of four major objectives, each with its own pitfalls and required management approaches. Professor Sull stresses that in today’s fast-paced industries, it is necessary to have complete flexibility during the strategy planning process, without this flexibility many leaders may commit to a failed course of action. Sull adds that it is the linear thinking approach to strategy planning instead of the interactive loop approach that leads to this failure. To avoid this failure, he created an idea called the “strategy loop” focusing on four steps:

1.  Making Sense of a Situation: the objective here is to “develop a shared mental model of a situation” and requires leadership traits such as curiosity and empathy to see other points of view (Sull, p. 36).

2.  Making Choices: the objective is to “agree on clear priorities to guide action and resource allocation” and requires leadership traits such as decisiveness, enterprise perspective, and the credibility to make the call (Sull, p. 36).

3.  Making things Happen: It is important to “ensure that people make good promises and deliver” and that leaders possess trustworthiness, flexible tenacity, and the ability to inspire others (Sull, p.36).

4. Making Revisions: Leaders should be able to sense anomalies in their strategy and revise key assumptions using traits such as intellectual humility, respect for other viewpoints and sensitivity to anomalies (Sull, p.36).

Making Sense of a Situation:

The first step in the strategy loop is making sense of a situation.  The idea is to gather all of the data available from different sources and organize it in a way that gives everyone a “shared mental model of how events might unfold” (Sull, p.32).  The forum should encourage employees to think openly about the situation and encourage new ideas.  This open forum will allow the goal of the situation to remain a short-term goal vs. a long term goal that may not allow the strategy loop to repeat itself as it needs to.  One example Sull gives to support the open forum instead of a preconceived interpretation is the “Cuban missile crisis; While President John F. Kennedy was trying to assess the situation, his military advisors reflexively advocated invading Cuba, a course of action they had favored for some time, even though the specific situation at hand suggested that a military strike could easily escalate into nuclear war” (Sull, p. 32).  A warning sign for managers to look for that open communication has been closed is when, during a meeting, employees stop talking and just listen, communicating that they think that the boss has already made the decision and is just looking for their approval (Sull, p. 33).  Another important step in the process is to take the necessary time to make sense of a situation by talking about and assessing all of the details.  “The result: The team shortchanges the sense-making discussion and jumps right into a debate about what to do and how to do it” (Sull, p.33).

Making Choices

After having the open discussions and assessing the situation, it is necessary to have more conversations focused on making choices to prioritize goals in order to “focus organizational resources and attention” (Sull, p.33).  For decision making conversations, management should encourage participants to fight, but fight nicely.  Professional arguments are required to make tough decisions.  Sensitive issues may need to be brought up and addressed in order to be successful and leadership can encourage this type of communication by addressing all issues publicly during meetings (Sull, p.34).  One common problem in this step of the process is priority-proliferation “when managers make decisions by focusing on specific issues in isolation without considering the existing portfolio of activities within the organization” (Sull, p.34).  When this problem arises, leaders may forget to end certain activities to free up the resources to devote to newly needed ones (Sull, p.34).   Finally it is important to set up simple rules during the prioritization process and it is also very important for leaders to be decisive and know when to say no (Sull, p.34).

Making Things Happen:

Making things happen is all about “the promise – a personal pledge a provider makes to satisfy the concerns of a customer within or outside the organization” (Sull, p.35).  Depending on the clarity, details, and quality of the promises made, the outcome of this step will vary.  For example, if all of the parts of the promise are not agreed upon by all parties involved, all of the parts of the promise will probably not be delivered or committed to.  It is important for more discussion during this step in the strategy loop.  “Managers should adopt a tone of supportive discipline, demanding explicit promises and holding people accountable for them but also helping those individuals to deliver on their commitments” (Sull, p.35).  One example given in the text of this process is an approach used by people in the software industry called “scrum”.  Every day at the same time, the team meets to discuss what they have done since yesterday, what they will do today and what they will do before the next “scrum” (Sull, p.35).  The most important leadership trait during discussions to make things happen is trustworthiness, a manager shows this by leading by example and keeping his or her own promises (Sull, p.36).

Making Revisions:

Making revisions is very closely related to the first step in the strategy loop of making sense of a situation.  During the making sense step, a mental picture is gained, but there will be a time when this mental picture will need to change because of “new opportunities or threats” (Sull, p. 36).  This is where the cycle of the strategy loop starts over.  It is time to say out with the old and in with the new.  Organizations of today are constantly changing and without making revisions, it is possible to undermine the whole reason for coming up with the strategy in the first place.  “Thus managers must keep their mental pictures fluid, modifying them in light of changes in the broader context” (Sull, p.36).  Now in the discussion to make revisions it is important to think of the situation as an experiment by analyzing the recent results and revising as necessary (Sull, p.36).  Pauses in the strategy loop are important and managers should set aside a time to learn from what has happened thus far and then make revisions for future success.  During these discussions, there is sometimes a fear of blame to be placed on someone for something that didn’t go right or a fear of admitting mistakes by the persons involved in the process.  Management can avoid these pitfalls by treating the discussions as experiments; “the team discusses what it expected to happen and why, versus what actually happened, and then it explores any gaps between expectations and reality” (Sull, p.37).  The leadership trait required for making revisions is “intellectual humility”, admitting to the fluidity of leader’s mental models (Sull, p.37).

Overcoming Competition in a Global Market

It is equally important for businesses to consider and understand their competition in both local and global markets.  Authors Ghemawat and Hout (2008) discuss ways for multinational corporations to overcome competitive giants in their industry and succeed no matter their size or orientation.  They quote “multinational companies from developed and emerging economies alike can gain a competitive advantage by moving outside their comfort zones” (Ghemawat, p.83).  There are several ways discussed to do this when faced with certain situations:

  1. 1.      When new segments emerge: Established corporations need to project market growth and ensure they invest in that area, control the weight of their global capabilities, and use price and branding to shift the demand for their product (Ghemawat, p.83).  One example that the article gives to do this large companies like Sharp and Samsung slashing prices on flat screen TV’s to encourage customers to buy them over cheap conventional televisions made by the Japanese.  In doing this they overtook the market and eliminated the competition. (Ghemawat, p.83)

Newly introduced corporations should use their local knowledge, find a niche for their product in overseas consumer markets, and avoid entering higher cost markets. One example in the article of this is an e-commerce site called Dang-dang in China realized that the country had a poor credit card payment system and developed a better cash settlement system for Amazon. (Ghemawat, p.83)

  1. When cost structures can converge: Established companies should study and echo local competitors cost structures as closely as possible and hire from a local pool as well as internationalize senior management positions (Ghemawat, p.83).  An example of this in the journal: “IBM and Accenture are ramping up operations in India and absconding with much of the local talent by paying more for it – simultaneously lowering their own costs and raising those of Indian rivals” (Ghemawat, p.83).


Emerging multinational corporations should expect to lose some of their cost structure over time and prepare to compete at the next level.  Overseas they must use core operating strengths to sustain business (Ghemawat, p.83).  An example of this a Chinese auto-parts manufacturer using the knowledge it gained from success in China and applying the same concepts to its locations in the United States (Ghemawat, p.83).


  1. When the value chain can be rearranged: All multinational corporations need to use the value chain to their advantage by spreading parts of it all over the market in the best locations for that particular product.  They can also partner with specialists and make new additions of their company as multinational as possible (Ghemawat, p.83).  One example of this concept is for a company to specialize in one part of the value chain, such as customer care, to gain a competitive advantage and then outsource other areas. (Ghemawat, p. 83)

A flexible business knows where it fits in the competitive market, what its competitors are doing and are preparing to do, and how to best use its product and strategies to the business’ advantage.  Globalization is a good example of flexibility in business.  It takes a lot of flexibility to introduce a product to an overseas market and especially to operate a business in a global market.  A manager cannot know what to expect as there will always be things that are new and changing in both competitive and global markets.   

Business Partnerships

Business Partnerships are a great way for a business to remain flexible and keep its options open.  It is important to have a good support system, partner or team in any situation; especially in the business world.  Another factor for managers to consider is to add partnerships with other businesses and also consider outsourcing some of the businesses’ services.  Poppo, Laura and Zenger, Todd (2002) explain that while many argue that formal contracts between businesses undermine trust and encourage the opportunistic behavior they are designed to discourage, formal contracts and relational governance also can function as complements.  This complementary relationship is the focus of their paper and covers the following main points:

1.   Formal Contracts:  Rather than hindering or substituting for relational governance, well-specified contracts may actually promote more cooperative, long-term, trusting exchange relationships. Well-specified contracts narrow the domain and severity of risk to which an exchange is exposed and thereby encourage cooperation and trust (Poppo, p. 707).


2. Relational Governance: The continuity and cooperation encouraged by relational governance may generate contractual refinements that further support greater cooperation. Relational governance may heighten the probability that trust and cooperation will safeguard against hazards poorly protected by the contract. Finally, relational governance may help overcome

The adaptive limits of contracts: a bilateral commitment to ‘keep-on-with-it’ despite the unexpected complications and conflicts (Poppo, p. 708).

3. Data and Methods of Proving the Theory: Poppo and Zenger test whether relational governance and formal contracts operate as complements or substitutes using data on outsourcing relationships in information services during the early 1990s. The data was collected from surveys of senior managers regarding their sourcing of various information services, such as data entry, software application development, data network design, and network maintenance (Poppo, p. 708).


Formal Contracts:

A formal contract is a binding agreement between two organizations that outlines the actions, promises and obligations that one organization is to perform for the other.  The more promises and obligations made in the contract, the more complex the contract and also the possible disputes.  It is manager’s job to design the contract in a way that it outlines work to be performed, procedures for following up on the work and penalties for not completing the work as described in the contract.  If there are complications in the exchange, a manager must write in contract safeguards to protect both organizations, which can be costly if the contract is breached.  There are three common categories of exchange complications, better known as exchange hazards, which call for contract safeguards: asset specificity, measurement difficulty and uncertainty (Poppo, p. 708-709).

  • Asset specificity is required when there are significant investments in physical and/or human assets (Poppo, p. 708).  For example, an information technology specialist offering installation and training on new equipment acquired.  If this human relationship is ended, there is also a forfeiture of the contract to a certain extent (Poppo, p. 708-709).
  • Difficulty in measuring the performance of the hired contractor can also cause market hazards.  “Markets succeed when they can effectively link rewards to productivity – that is, they can measure productivity and pay for it accordingly” (Poppo, p.709).  Managers must decide whether to accept lower performance because of their inability to measure it or to create a more complex contract to better and more distinctly measure performance (Poppo, p.709).
  • Uncertainty is a hazard because it requires all parties involved in the contract to adapt to issues that were unforeseeable and may not be spelled out in the contract (Poppo, p. 709).

Relational Governance:

Relational governance occurs between two socially agreeable organizations that do not use a contract to outline the work.  Instead, there is a trust between the organizations that the work will be done.  Promises are made through social interaction which “promotes the norms of flexibility, solidarity, and information exchange” (Poppo, p.710).

  • “Flexibility facilitates adaptation to unforeseeable events” (Poppo, p.710).
  • “Solidarity promotes a bilateral approach to problem solving, creating a commitment to joint action through mutual adjustment” (Poppo, p. 710).
  • “Information sharing facilitates problem solving and adaptation because parties are willing to share private information with each other” (Poppo p. 710).

The social interaction of relational governance can minimize the hazards created by formal contracts.

Data and Methods of Proving the Theory:

Data for the study was collected via survey of Information Services (IS) executives.  The executives held specific positions in their organizations as the senior information services executive or the manager in charge of data-processing facilities.  Each participant had experience with managing and reviewing outsourced information services activities.  The “Directory of Top Computer Executives” was used to find the executives to participate in the survey (Poppo, p. 714).  Poppo and Zenger did find it hard to get full commitment for participation from these busy executives but those executives who pre-committed to the survey had a forty percent response level.  The data presented on the survey was from a buyer’s perspective and included the following variables: respondent position, company size, industry, IS attributes and performance (Poppo, p.714).

The result of the findings was that “increases in the level of relational governance are associated with greater levels of contractual complexity and that increases in the level of contractual complexity are associated with greater levels of relational governance suggesting that managers may complement their use of one governance tool with the other” (Poppo p. 720-721).  These findings suggest that relational governance and contracts function as complements rather than substitutes (Poppo, p. 721).

After studying these extensive findings, it is clear that in order for today’s managers to succeed they must trust in the partnerships of other organizations.  This will require ultimate flexibility as one source may not be able to deliver on time and a manager may have to hire another source on a short notice basis to achieve customer satisfaction.  As Poppo and Zenger have pointed out, long term relationships with other business have complimented a business’ success rather than hindered it.


As you can see, there are many things to consider when creating and running a successful business, but it is the things that you cannot see that will cause problems if you are inflexible in your planning and execution processes.  Keep all of these constantly changing values of the business in mind and prepare to change course when necessary.  If you do this, you are sure to stay ahead of the rest and keep your business afloat.





Donald N. Sull (2007). Closing the Gap Between Strategy and Execution. MIT Sloan Management Review, 48(4), 30-38.  Retrieved September 22, 2008, from ABI/INFORM Global database. (Document ID: 1360146091).

Ghemawat, P., & Hout, T. (2008, November). Tomorrow’s Global Giants. Harvard Business Review, 86(11), 80-88. Retrieved November 7, 2008, from Business Source Complete database.

Poppo, L., & Zenger, T. (2002, August). Do Formal Contracts and Relational Governance Function as Substitutes or Complements?. Strategic Management Journal, 23(8), 707. Retrieved September 22, 2008, doi:10.1002/smj.249


Other sources referenced

Robbins, S., & Coulter M. (2007). Management. Upper Saddle River, NJ: Pearson Education Inc.