What is Organizational Context (GV.OC)?

The organization's risk context, including mission, mission priorities, stakeholders, objectives, and direction, is understood (formerly ID.BE)

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions 

GV.OC-01:

The organizational mission is understood to prioritize cybersecurity risk management (formerly ID.BE-2 and ID.BE-3)  

Introduction:
In today's interconnected world, cybersecurity risks pose significant challenges to organizations across all sectors. eXpress badging acknowledges the importance of proactive cybersecurity risk management to safeguard our critical assets, protect our stakeholders' information, and ensure the continuity of our operations. This document outlines our organizational mission for understanding and prioritizing cybersecurity risk management, drawing inspiration from the NIST Cybersecurity Framework (CSF) ID.BE-2 and ID.BE-3 guidelines.

Purpose:
This document aims to establish a clear and comprehensive mission statement that guides our organization in prioritizing cybersecurity risk management efforts. By aligning our activities with industry best practices, we aim to enhance our resilience, reduce the likelihood and impact of cybersecurity incidents, and foster a culture of security awareness across the organization.

Organizational Objectives:

  1. Develop a deep understanding of the organization's information assets, associated risks, and potential threats.
  2. Identify and assess vulnerabilities and threats to our information systems, networks, and infrastructure.
  3. Prioritize cybersecurity risks based on their potential impact and likelihood of occurrence.
  4. Implement proactive risk mitigation strategies, controls, and safeguards to reduce our overall risk exposure.
  5. Continuously monitor and reassess our risk landscape to adapt and respond effectively to emerging threats.
  6. Foster a culture of cybersecurity awareness and accountability among employees, contractors, and stakeholders.
  7. Establish robust incident response and recovery procedures to minimize the impact of cybersecurity incidents.
  8. Regularly review and improve our cybersecurity risk management practices through lessons learned and industry best practices.

Scope:
This mission applies to all individuals, systems, applications, and networks within eXpress badging. It encompasses all departments, functions, subsidiaries, contractors, and partners accessing our information assets.

Definitions:

  1. Cybersecurity: The practice of protecting information systems, networks, and digital assets from unauthorized access, use, disclosure, disruption, modification, or destruction.

  2. Risk: The potential for an unwanted outcome or negative impact resulting from exploiting vulnerabilities, threats, or uncertainties.

  3. Risk Management: Identifying, assessing, prioritizing, and mitigating risks to minimize potential organizational harm.

  4. NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a comprehensive set of guidelines, best practices, and standards for managing cybersecurity risks.

Policy Statement:
eXpress badging is committed to prioritizing cybersecurity risk management to protect our critical assets and maintain the trust of our stakeholders. We will align our practices with the NIST CSF ID.BE-2 and ID.BE-3 guidelines and continuously improve our risk management capabilities to address evolving threats. Our mission is to proactively identify, assess, prioritize, and mitigate cybersecurity risks throughout our organization.

Roles and Responsibilities:

  1. Senior Leadership: Provide leadership, resources, and support for effective cybersecurity risk management.
  2. Information Security Team: Develop and implement risk management strategies, assess vulnerabilities, and deploy security controls.
  3. Employees and Contractors: Comply with cybersecurity policies, report security incidents, and actively participate in security awareness programs.

Implementation:
  1. Establish a dedicated information security team responsible for managing cybersecurity risks.
  2. Conduct comprehensive risk assessments to identify and prioritize risks.
  3. Develop risk mitigation plans and allocate appropriate resources for their implementation.
  4. Deploy necessary security controls and safeguards to minimize identified risks.
  5. Implement an ongoing monitoring program to detect and respond to emerging threats.
  6. Provide regular training and awareness programs to educate employees and contractors about cybersecurity best practices.
  7. Establish incident response and recovery procedures to minimize the impact of cybersecurity incidents.
  8. Continuously evaluate and improve our risk management practices based on industry standards and lessons learned.

Compliance and Enforcement:

Non-compliance with this mission may result in disciplinary action, including, but not limited to, termination of employment, contract termination, and legal action, as appropriate.

Review and Revision:
This mission statement will be reviewed annually or as needed to ensure its relevance, effectiveness, and alignment with industry best practices and regulatory requirements. Revisions will be made with the approval of [Senior Leadership/Designated Authority].

References:
a) NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework

By adopting this organizational mission for understanding and prioritizing cybersecurity risk management, eXpress badging is committed to protecting our valuable assets, maintaining the confidentiality, integrity, and availability of information, and fostering a resilient cybersecurity posture.

GV.OC-02:

Internal and external stakeholders and their expectations regarding cybersecurity risk management are determined

eXpress badging Personnel and Contractors

  • Will complete all cybersecurity training within the first 30 days of employment
  • Will always be on alert regarding email and phone phishing attempts
  • Will immediately report to the Leadership Team any cybersecurity breach reported or observed
  • Will never store any PII data on a desktop or laptop; never!
  • Will only provide guest users access to Guest WiFi, and never to the company WiFi; never!
  • Will never bring in a portable storage device
  • Will never upload PII data to any non-approved cloud storage location
  • Will never provide Veonics Portal user access without vetting users before enabling

eXpress badging Production and Technical Support Department Personnel

  • Will never open data or image files sent via email unless they come from secured and trusted sources
  • Will only store PII data on the company server temporarily while data work is in progress, upload it to the Veonics Portal when the work is complete, and delete all PII data from the company server once the file(s) are determined to be no longer needed
  • Veonics Portal data is obliterated per company policy or customer-contracted requirements
  • Will not accept data on any portable storage device unless approved by company leadership and vetted and assessed by our IT team

eXpress badging Director-Level Personnel

  • All employee data is only accessible by Leadership personnel and cannot be exported for use without approval from HR or IT leadership

eXpress badging Customer Service, Finance and Bookkeeping Personnel

  • All PCI-regulated data must be directly managed within the company's accounting software and never written down
  • If, for any reason, PCI-regulated data is written down, it must never leave the sight or possession of the writer, and it must be shredded immediately once transferred into the company's accounting software

GV.OC-03:

Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed (formerly ID.GV-3) 

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Outside of PCI compliance, eXpress badging has no regulatory compliance requirements that call for governance and management.

Thresholds that will require compliance are for contracts regarding: 

  • DOD
  • DOE
  • CMC-related projects

Compliance must be understood; otherwise, non-compliance can result in license forfeiture, contract loss, imposed fines, and possible jail time. To best manage this, create a calendar framework of reviews once contracts are accepted.

GV.OC-04:

Critical objectives, capabilities, and services that stakeholders expect are determined and communicated (formerly ID.BE-4 and ID.BE-5) 

  • Example 1: IT functions that provide or materially support critical services are documented within a Disaster Recovery Plan.
  • Example 2: Detailed procedures are in place to continue providing critical business services during an outage, natural disaster, or attacks such as denial of service or ransomware.
  • Example 3: Recovery plans enable service restoration within Recovery Time Objectives.

ID.BE-4: Dependencies and critical functions for delivery of critical services are established

Criticality Assessment Scale

  1. Level 1: Required but not critical
  2. Level 2: Required and critical for daily business operations
  3. Level 3: Required and critical for daily customer operations

AWS Licenses and Configuration (Level 3)

  • Hosts website
    • www.expressbadging.com
  • Hosted Veonics Portal
    • Data Server
    • Photo Server
    • Front End Server
  • Veonics Portal securely manages
    • Badge design templates
    • Badge data: import, export, and integration
    • Badge photo images: import, export, and integration
    • Email Templates
    • System Users
    • Virtual ID Badges

eXpress badging Veonics Portal Trained Personnel (Level 2)

  • System Project Management
    • President (Joe French)
    • Director (Neil Grosse - IT)
    • Director (Michael Scott - Production)

Contract Developers and IT Support (Level 3)
  • Card Smart Technologies
    • Primary Portal System Architect
  • The Silver Logic
    • Secondary/Replacement Portal System Architect
  • Olive Branch IT
    • Client/Server Support
    • Cybersecurity Systems Management
  • Cybersecurity Insurance

Computer-based Software (Level 2)

  • Jolly Technologies (ID Flow Software - EOL)
  • QuickBooks Enterprise Software
  • Wasptime (time and attendance software) (Level 1)

Hosted Software (Level 2)

  • SentinelOne Cybersecurity/Antivirus
  • Digital Defense Pentesting and Network Vulnerability Testing
  • HubSpot CRM, Technical Support, Marketing, and Knowledgebase
  • Jira Software Development Management (Level 1)
  • Avalara Sales Tax
  • Bloom Growth Meeting Management and Business Planning (Level 1)
  • Adobe Photoshop (Level 1)
  • Pirateship.com and Stamps.com (Level 3)
  • GoDaddy.com manages URL domain registration

Hardware (Level 3)

  • Fleet of PVC ID Card Printers (15 to 20)
  • RFID Encoding System
  • Client/Server Network (20+ devices)
  • Phone System (15 devices) (Level 2)
    • Backup is PC and headphone/microphone based

Inventory (Level 3)

  • Customer Supplied and other RFID Stock
    • Stored in safe
  • Production Inventory
    • Stored in warehouse

ID.BE-5: Resilience requirements to support the delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) 

Disaster Recovery

Critical Fail Points (Level 3)

  • AWS Hosting
  • Server and Computer Network
  • Fleet of Badge Printers
  • RFID Encoding System
  • Contracted Software Development and Support

Critical Fail Point Factors

  • AWS Failure
  • Electrical Outage
  • Communication Outage
  • Building Evacuation 
  • Internal Cyber Breach
  • External Cyber Breach
  • Business Theft

Business Continuity

Business continuity is a business's readiness to maintain critical functions after an emergency or disruption. These events can include security breaches, natural disasters, and power outages.

Natural Disaster

  • Prepare facility for oncoming natural disaster
    • All laptops are removed from the facility
    • Disconnect all computers, printers, servers, and phones; seal each in trash bags and place them on an elevated table in the breakroom. 
      • Use a plastic tarp to cover the printer wall
      • Remove the server if deemed appropriate
    • Place all phones in trash bags and place 
  • Locate New Location
  • Remove functional equipment

Cybersecurity Breach

  • Call OliveBranch immediately if a server/computer breach is reported
  • Call Card Smart immediately if a Veonics Portal breach is reported
    • Second, call The Silver Logic
  • Meet with the Internal Response Team
    • All Directors, VP and President
    • Related Support Contractor
      • OliveBranch 
      • Card Smart 
      • The Silver Logic
  • Call Insurance Company
    • Take their lead regarding
      • Response to issue
      • Outbound notification communications if required
      • Contacting attorney(s)
      • Patching any needed breach threshold

Power Outage

  • Call power company
  • Notify customers using HubSpot email if downtime will exceed four business hours
  • If, for any reason, power is not restored within two business days, locate a backup location within the county and move a temporary badging team there until it is restored

Communication Outage

  • Call the communication service provider
  • The secondary communication provider line should automatically be enabled
  • Upon secondary communication provider failure, and after contacting them, have all phones forwarded to a primary mobile phone
  • Call and notify OliveBranch IT 

GV.OC-05:

Critical outcomes, capabilities, and services that the organization relies on are determined and communicated (formerly ID.BE-1 and ID.BE-4) 

Example 1: Business functions that provide or materially support critical services are documented within Business Continuity Plans.

The Customer

For most eXpress badging clients, it is likely possible to find an alternate vendor in the near future to address the absence of services related to employee, student, or member photo identification badge systems, supplies, and services. However, for clients who need this certainty spelled out, our Standard Terms and Conditions dictate that the responsibility for upholding business continuity falls partly on eXpress badging and partly on the customer's own procedures and processes.

Regarding our customers' dependencies on our services, more specifically, our badging software, the Veonics Portal, and the printers and supplies, the dependency toplines are:

  1. eXpress badging offers technical support services using phone, email, and website support ticket creation processes.
  2. Customers expect a trained employee-level team member to address reported issues within four business hours. 
    1. Our policy requires at least three staff members to address and manage support issues promptly.
    2. Our sales team, trained in identifying technical issues, responds to pre-sales supply orders.
  3. The Veonics Portal is eXpress badging's cloud-based badging software and is critical to issuing photo ID badges. If the Veonics Portal were to go down, it would directly impact eXpress badging's ability to serve its customers, and neither party could issue photo ID badges during the outage.
  4. eXpress badging communicates this dependency using a Service Level Agreement with several goals:
    1. Reference SERVICE ownership, accountability, roles, and/or responsibilities.
    2. Clearly define the SERVICES provided by the SERVICE PROVIDER and related SYSTEMS MANUFACTURERS.
    3. Match CUSTOMER perceptions of expected SERVICE provision with actual service support and delivery by the SERVICE PROVIDER.
    4. Provide CUSTOMER with USER accountabilities and expectations.

eXpress badging (SERVICE PROVIDER)

eXpress badging communicates openly with customers who want to engage us via phone, email, our Knowledgebase, and our Service Level Agreement:

eXpress badging is a value-added service provider selling professional PVC card printers and supplies for those needing to print badges on demand onsite.

eXpress badging owns the source code of, and supplies, hosted badging software (the Veonics Portal). Customers can manage and issue photo ID badges onsite, or use it as a contracted service in which eXpress badging does all the printing and issuance: badge templates are created, data is entered, photos are captured, data and photos are merged with the template, and badges are printed to a connected PVC card printer.

eXpress badging has been in business since 1993 and incorporated in 2003, and for almost that entire time it has been, and remains, actively involved in the Identification System Dealers Association (ISDA-USA/ORG), ASIS/GSX, CEO Nexus, GrowFL, and ISC WEST, all with the goal of business continuity and keeping a pulse on our market.

Since 2018, eXpress badging has followed the EOS Worldwide "Traction" model, developed by Gino Wickman, for its operation controls. We begin by dividing eXpress badging into accountability sectors, which we refer to as Our Way Books. We then assign the appropriate individuals to the relevant positions in our Accountability Chart and hold them accountable for each sector via quarterly Same Page meetings. Our Way Books are published on our HubSpot Knowledgebase and are only shared with authorized employees and some contractors, thanks to our compliance model. In 2023, eXpress badging was recognized as one of the GrowFL Top 50 Companies to Watch based on our successful integration of the EOS model.

The eXpress badging Way

  1. Customer Development
    1. Our Marketing Way
    2. Our Sales Way
    3. Our Knowledge Base Way
  2. Administration
    1. Our Finance Way
    2. Our Human Resource Way
    3. Coming soon: Our Compliance Way (paid for by all customers who demand it)
  3. Operations
    1. Our Operations Production Way
    2. Our Operations Technical Support Way
    3. Our Operations Software Development Way
    4. Our Operations Information Technology Way

The Supply Chain

Several primary vendors are critical to the operations of eXpress badging and the Veonics Portal.

Amazon Web Services (AWS)

  1. If AWS goes down, so does most of the world; however, since a global outage is highly unlikely, we focus on location-specific interruptions and have configured our Veonics Portal instance to mitigate them using backups and redundant servers.
  2. AWS affects several eXpress badging services:
    1. Our customers that print badges onsite
    2. Our customers that rely on eXpress badging to print and manage badge issuance for them as a service
    3. We also host our website on AWS and depend on it as an inbound customer development tool.

Card Printer Manufacturers

  1. During the COVID pandemic, eXpress badging faced challenges due to shortages of printers, cards, and consumables from our manufacturers. However, we were able to mitigate most of these shortages by procuring the necessary supplies before they were needed and maintaining higher inventory levels than required. Despite on-demand manufacturing being crippled during COVID, we held our manufacturers accountable for their shortfalls. As a result, we ensured timely delivery of supplies to our customers. Manufacturers include:
    1. HID Corporation (an ASSA ABLOY Company)
    2. IDP America (an IDIS Corporation)
    3. SwiftPro (a Kanematsu Corporation)
    4. Digion24

Software Development and Maintenance

One of eXpress badging's three uniques concerns our Veonics Portal: "We own, use, maintain, and support our own cloud-based badging photo ID management software!"

Our Operations Software Development Way

  • JIRA Ticket Management
  • Veonics Portal™ Internal Training and Knowledgebase
  • Contracted Developer Partnership 1
  • Contracted Developer Partnership 2
  • AWS Management

eXpress badging is one of the original co-authors and product managers of the Veonics Portal and is now the sole owner of its source code. It contracts the development and maintenance of the code to authorized and vetted partners who specialize in software development. eXpress badging developed the Veonics Portal starting in 2011 in a joint venture business called Veonics, LLC. This was around the time mobile devices became mainstream and the Internet of Things (IoT) was gaining traction. eXpress badging foresaw the potential of these technologies to change the world and wanted to be a part of it; however, it could not find a suitable solution for a mobile-friendly virtual ID badge. So it partnered with Veonics LLC and spent years planning and developing the source code together before onboarding its first customer in 2015 as an authorized Veonics Portal reseller. In 2018, eXpress badging purchased Veonics LLC and the worldwide exclusive rights to the Veonics Portal. The original partner's business, which architected the source code, is still active in supporting eXpress badging and aiding its transition to a new development firm. NDAs and SLAs govern the customer/code-owner and vendor/developer relationship.

Fix and Repair IT Management and Maintenance 

At eXpress badging, contracted IT services are responsible for managing the network and devices, given the size of its employee base. Contracted IT services include the implementation and monitoring of desktop and local server cybersecurity tools on each device, penetration and vulnerability testing and reporting on both the local network and AWS environments, cybersecurity training courseware, and certifications. Regardless of who performs the IT tasks, all of them are held accountable through our contracts and by following our Way Book guidelines.

The eXpress badging Operations Information Technology Way

  • Deploys and maintains all business-operations software and hardware solutions
  • Accountable for all network infrastructure including user credentials, hardware, and software
  • Manages all computer and networking issues using HubSpot tickets
  • Oversees the cybersecurity and governance of each application, service, and infrastructure
  • Manages all physical security and facility operations solutions