Nozomi Kawashima giving a lecture
An often overlooked factor in disaster response concerning non-government organizations (NGOs) is being able to remain functional after a disaster damages the area where their operations are based. In order for an NGO to deliver relief services to the affected local populations, they must not only survive the disaster themselves, but have a plan in place to ensure that they are able to immediately deliver relief to local populations. International Medical Corps is continuing to work with corporate experts in Business Continuity Planning (BCP) by delivering a second series of disaster preparedness workshops designed to help local Japanese NGOs create solutions to risk-related challenges and better prepare for future emergency response and recovery efforts.
Last Fall, International Medical Corps and corporate experts delivered a three-part workshop series on Business Continuity Planning (BCP). When asked about issues not covered in the first series of workshops, NGO participants said that information management is a major concern when delivering humanitarian assistance. Whether during an emergency or in stable circumstances, NGOs need to gather, store, process and communicate large amounts of information, some of which is potentially sensitive. Sensitive information may include personal data about beneficiaries, staff, partners and donors, as well as, internal information about their operations. Many Japanese NGOs realize the need to protect the sensitive information they have been entrusted with, but they often do not have the systems, policies, or procedures necessary to protect the information against various elements of risk.
To address these concerns, International Medical Corps is renewing their partnership with veteran experts from two premier Japanese risk management corporations, Tokio Marine & Nichido Risk Consulting Co., Ltd., and Mitsubishi Corporation Insurance Co., Ltd. This new three-part workshop series is focused on Information Management, and is designed to give Japanese NGOs practical knowledge on how to better manage and protect their information.
At the end of the workshop series, each NGO will have created its own information management rulebook that fits its respective organizational needs. Assignments are given to participants before and after each workshop, and the lessons are shared internally with their staff members so that the training is transferred beyond the individuals participating in the workshop.
Workshop Part 1: “An Introduction to Information Management for NGOs”
On February 25, 2014, International Medical Corps successfully conducted part one of this three-workshop series, in which a total of 20 key staff members from 13 organizations participated.
Nozomi Kawashima (a certified Information Privacy Consultant at Mitsubishi Corporation Insurance Ltd.) and Yosuke Sakamoto (Senior Consultant in Business Risks Department at Tokio Marine & Nichido Risk Consulting Co.) jointly taught participating NGO management staff members about the fundamentals of information management. The topics covered included:
- The Essentials of Risk Management and Information Security
- Issues concerning Personal Information & the Need for Information Management
- Risks related to Information Management & Case Examples
- Assessment and Prioritization of Information Assets (group-work)
Computer viruses, hacking, information mishandling, and damage/destruction of equipment due to accidents or natural disasters were among the various hazards discussed. During the lecture, the consultants introduced examples from their own corporate sector, including the major risks that have been documented by corporations, and various initiatives being undertaken to protect their information. In small group discussions, NGO personnel shared examples from their own experiences and compared corporate risks with the risks they saw within their own organizations.
NGO staff agreed that among the most common risks they faced in information security included: the failure of staff to identify sensitive information and/or not taking extra precautions to protect it; the lack of a clearly communicated policy within their organization around information security; and the lack of IT skills among staff to enable effective implementation of information security measures.
To encourage the participants to think strategically about information management, the consultants accentuated their lecture with case study activities. They introduced an example of an NGO worker who had taken home confidential beneficiary data in order to work on a report with a fast-approaching deadline, only to have her home PC infected by a computer virus that proceeded to steal all of the data. Participants discussed what measures the organization should take to handle this situation responsibly and to minimize negative consequences. Afterwards, the consultants commented on the proposed approaches and gave their own advice about how they would deal with this scenario. For the last 30 minutes of the workshop, participants worked in groups to complete an information assets identification exercise based on a case study of an imaginary NGO by using the lessons they learned during the lecture.
Workshop Part 2 (scheduled in April 2014): “Risk Assessment and Prioritization for Information Management.”
Workshop 2 will focus on practical training by incorporating a variety of group-work activities and discussions based on specific scenarios. Topics the NGOs will examine at this workshop include: assessing the nature of information collected by each organization; assessing the risks to beneficiaries, staff members, and the organization as a whole if a breach of their information occurs; assessing current physical, digital, and communication information security measures; and identifying potential vulnerabilities (e.g., failures in awareness and/or security procedures) and how to address them.
Workshop Part 3 (scheduled in May 2014): “Countermeasures for Information Management and Creating Information Management Procedures”
Based on their work in the previous workshops, each NGO will create an informational management rulebook that meets its organizational needs. The BCP experts will provide feedback to each organization’s draft and offer suggestions/advice for improvement.
Participants working in small groups
Yosuke Sakamoto giving feedback to participants