Posted by craig.nelson on February 5, 2010
By Craig Nelson – special guest to The Security Catalyst

Is Cloud Computing right for your business?
Cloud Computing.
Is it right for you? Sure.
Is it right for your business? <crickets>
By now, many have adopted a “cloud”-based service for personal use (sometimes without even realizing it). The definition of “cloud” can be a bit fuzzy at times, but to keep it simple: it’s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.
By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).
Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.
But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?
Three reasons businesses choose the cloud
The business reasons cited for using “the cloud” are likely one or more of the following:
1. Lack of time or expertise (including security) to build and maintain an in-house solution.
2. Seeking the advantage/speed of new features that are released quickly.
3. It’s cheap (either free, or subscription fees).
Beyond simple points, consider the depth and complexity of each.
Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks — such as patching, backup and restore, and monitoring — are expensive and time consuming.
With a finite amount of time and resources, many choose to focus on the business and leave the technical challenges to someone else (the cloud provider).
At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.
Can the cloud be more secure?
Many security breaches are due to improper configuration and lax administration and maintenance.
These issues can be pushed into the provider's hands, who can manage “low level infrastructure issues” in a cost-efficient way through economies of scale. When a security defect is discovered, it’s likely the provider can quickly patch all of the instances of the software, and centrally determine if the defect had any consequence (i.e. it was used to compromise data).
If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process. However, it’s a cost that can be readily accepted.
The Cloud – Personal
At a personal level, “the cloud” allows a consumer to do more with less, and allocate valuable time and money in other ways.
Individuals sitting on the sidelines — who don’t trust the cloud — will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them (thus partially alleviating the concern that the provider’s employees can view data stored by its customers. I say partially because you still need to trust that the software is doing what they say!).
New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.
The Cloud – Business
It’s a bit different at the business level.
Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn’t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and whether the focus should be on “private clouds” (locally hosted resources that use similar patterns and practices related to cloud computing) rather than “public clouds.”
IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the “post-9/11 security boom.”
Is the cloud right for business?
So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the typical illusion associated with security.
Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to start to find out:
1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?
2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?
3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?
About Craig Nelson
Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education is in incident response, computer forensics, and security architecture.
Greetings from Myrtle Beach!

February at the Security Catalyst Online
We did it.
The house is rented. We packed, sold or donated most of our “stuff.” We loaded up the RV and headed south.
More important, we are liberated. I feel grounded, connected and free.
The purpose of this change is to live simply and engage with more people – to seek experiences over “stuff.” Part of our focus on learning and living deliberately allows me more time to focus on the programming and content we provide through the Security Catalyst Online Experience.
In addition to our contributors’ powerful insights forged in the trenches (more below), this month we welcome some guest voices (and topics).
On tap for February
Our contributors have some great insights to share, including:
- The key to effective communication and overall success when working with others from Trish
- Martin explains how disruptive change, when well planned, crisply executed, and continually adjusted can enable organizations to “jump the curve” and function well above where they were previously
- Why we need more attention focused on the consequences of actions with a challenge to help prevent and reduce fraud from Sharon
- Dennis on using compliance to your advantage without doing damage: within the context of a compliance effort, decision makers may be more willing to spend money on information security, and they may also be more open to education and awareness efforts
- Aaron shares how to avoid a legal 500 error with privacy policies
And I’ll be climbing back into the writing saddle – and sharing my focus for the year with the awareness that works™ column.
Guest Voices
Craig Nelson – a good friend from the beginning of my career – chimes in with his insights on how businesses can determine if “the cloud” is right for them.
We might sneak in another guest voice or two (and try to convince them to stick around for the balance of the year!).
Engagement is the key to success
I invite you to read, consider and engage: likes, dislikes and constructive challenges are welcomed!
Connecting and engaging in person is a rich experience, indeed.
To that end, we’ll be leaving Myrtle Beach in the middle of February and traveling to San Francisco with stops planned in Atlanta, Dallas, and Phoenix.
Are you along the way?
If so, I’d love to explore how we work together.
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 7)
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).
So how do you implement in a way that gets results?
In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.
There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about The Catalyst Foundation Series – proven success for security initiatives to excite, ignite and turn insiders into allies who reduce business risk!
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. Learn how to harness the power of your people to inform and improve the risk management process in a matter of weeks. Go to www.configuresoft.com/securitycatalyst today to register, listen to the previously recorded sessions and get access to the latest session.
Posted by Sharon Shaw on January 27, 2010
By Sharon Shaw
Their SUV deeply submerged in a snowdrift, John and Starry, through marital “discussion,” determine their GPS might have been wrong to suggest that last turn.
Effective fraud prevention requires an encompassing approach that looks at the chain of events before and after the current point — often called a 360-degree review. Skip this step and end up charting a course of action that has similar results to John and Starry’s adventure. Blindly relying on technology alone like John and Starry did does not ensure an unscathed surfacing from a potential fraud whiteout.
Use the three Ps: Past, Present and Potential
Potential is only realized after acknowledgement of the present and the past.
Success in fraud prevention requires a plan that effectively uses all known facts, good or bad, and accounts for potential outcomes.
Accept the Past — No Matter How Unbelievable
Ask Harry Markopolos, the whistleblower in the Madoff downfall, how it ends if the reality of a situation is ignored. Had authorities taken heed of his earliest warnings the Madoff losses may not have been quite so devastating for so many.
As children we learn to avoid the truth (and responsibility) to escape the wrath of the unknown. As adults this learned response is sometimes forced to continue to satisfy unrealistic goals.
Accepting responsibility for what is happening is one of the hardest lessons to learn and some are determined to never master this ability.
Accepting the past – as it happened – is important in order to understand the path to effective fraud prevention in the future.
Realize the Present
Take a deep breath and acknowledge the current situation.
This is often an iterative process, and may require a bit more thought than initially considered. When it comes to business – the initial situation may appear that sales are being lost (and revenue declining) at an alarming rate. But is this the symptom, or the problem?
In this example, acknowledging the present requires going a bit deeper. Probe the cause(s) of the loss in sales. Is the service quality lacking, are delivery times unacceptable or is a competitor undercutting the pricing structure with major clients?
To uncover the truth often requires questions, conversations, patience and the stomach to face what the real challenge may be.
The upside of taking the time to do this is that preventing fraud is much easier when the real problem is known and defined. By dealing with the surface issues and ignoring underlying problems, the opportunity to prevent the seeds of fraud from germinating is missed. Only by removing the seed can fraud prevention be effective.
Harness the Potential
So where does the third P, potential, come in to play?
Once the problem is analyzed to the root, it needs to then be considered with the lens of “potential” – what will happen if action is not taken?
In our example, a loss of sales and revenue can easily put an organization out of business, and these effects can reach further still: they can have a detrimental effect on the community and the world economy as a whole.
Ready to strap on a cape and save the world?
Baby steps lead to great things and the first step is the most important.
Resolve to step back and engage the three P’s of a current challenge. By analyzing the real challenge, it is possible to take control, move forward and devise a more productive plan.
Taking control is scary: it means assuming responsibility for future, unknown events.
To Decrease Fraud Risks, Review The Alternatives
The effects of fraud may not yet be felt, however if the situation goes unchecked it may not be long until they are. Talk with those involved and ask what suitable solutions could be. If both sides understand and are committed to a common goal an effective solution is easier to implement and has a higher chance of success.
Don’t hang up the cape yet; there is still work to be done.
The real problem has been found, the solution evaluated and a plan devised to implement that solution so, that’s it right?
Wrong, the process is not complete.
Successful fraud prevention is a continuous cycle that never stops. A plan devised from future goals and past experiences must be continually re-evaluated in order to be continually successful. Organizations and goals change from minute to minute so what works to prevent fraud today may not work tomorrow.
To stay one step in front of fraud, prevention plans have to be continually adapted to encompass new discoveries.
The journey of fraud prevention is only successful if everyone involved is willing to communicate and share insights. The past is key to understanding how the present became present and without understanding the present potential cannot be envisioned.
I challenge you to use the three P’s to improve one of your current activities and reduce the potential for fraud within the organization.
Share your ideas, questions and experience in the comments below to help us all improve.
Posted by Jim McFee on January 26, 2010
By Jim McFee
A common statement an auditor hears is, “our IT department is mature; we have everything we need for an IT Audit.”
A common thought an auditor thinks is, “yeah, right.”
So which of these statements is more accurate? More importantly, which one increases or decreases risk?
Without creating a laundry list, let’s take a look from the auditors’ perspective by breaking down the components of compliance into five main domains:
- Logical Access
- Physical Access
- Operations
- Change Management
- System Development
In my last article, I introduced the concept of developing a “Culture of Compliance” — something to keep in mind as we delve deeper into each section.
Logical Access
Logical access is the way people (employees, contractors, partners) gain access to the systems that process information. An auditor looks for clearly defined and followed processes.
In my experience, this is where IT needs to work with the whole organization on the core of logical access: user provisioning (my fellow contributor Ioana Bazavan Justus is authoring a great series on Identity Management).
Once defined, logical access must be certified with established tools or a manual effort. The ideal approach is a preventive control that flags segregation of duty access across application systems. Few organizations use this today, but I strongly urge the consideration and adoption of this capability. The more common approach is a “detective” control that works, but requires a significant budget and hours to complete. To be clear, “complete” means re-testing!
Access reviews need to include identification of administrative accounts (including who has access to these accounts) and validation if the level of access is actually required. I recommend not taking anyone’s word for this, test and document it. It is important to have a documented methodology of monitoring administrative accounts and logs to prove it.
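The “preventive” segregation-of-duties control and the administrative-account review described above, as an added example (not the author’s code or any product’s): a grant request is checked against an SoD rule set before it is applied, so a conflicting combination across application systems is blocked instead of being found later by a detective re-test. Application names, role names, rules and user accounts are all constructed sample data.

```python
"""Preventive segregation-of-duties (SoD) check across application systems.

Added example: a request to grant an entitlement is evaluated against an SoD
rule set *before* it is applied, so a conflict is blocked rather than found by
a later detective review. All applications, roles, rules and accounts are
constructed sample data, not from any real organization.
"""
from dataclasses import dataclass, field

# An entitlement is (application, role). Each rule is a pair of entitlements
# that one person must never hold at the same time (constructed sample rules).
SOD_RULES = {
    frozenset({("ERP", "vendor_create"), ("ERP", "payment_approve")}),
    frozenset({("ERP", "payment_approve"), ("Banking", "wire_release")}),
    frozenset({("HRIS", "payroll_edit"), ("ERP", "payment_approve")}),
}

# Roles that count as administrative for the access review (constructed).
ADMIN_ROLES = {("ERP", "sysadmin"), ("AD", "domain_admin"), ("Banking", "admin")}


@dataclass
class AccessStore:
    # user -> set of (application, role) the user currently holds
    grants: dict = field(default_factory=dict)

    def holdings(self, user):
        return self.grants.get(user, set())

    def conflicts_if_granted(self, user, new_entitlement):
        """Return the SoD rules that WOULD be violated if new_entitlement were added."""
        would_hold = self.holdings(user) | {new_entitlement}
        return [rule for rule in SOD_RULES if rule <= would_hold]

    def request_grant(self, user, new_entitlement):
        """Preventive control: apply the grant only if no SoD rule would be violated.

        Returns (granted, violated_rules); when granted is False nothing changed.
        """
        violated = self.conflicts_if_granted(user, new_entitlement)
        if violated:
            return False, violated
        self.grants.setdefault(user, set()).add(new_entitlement)
        return True, []

    def admin_account_review(self):
        """Detective side: who holds each administrative role, for the access review."""
        report = {}
        for user, entitlements in self.grants.items():
            for ent in entitlements & ADMIN_ROLES:
                report.setdefault(ent, set()).add(user)
        return report


def describe(rule):
    return " + ".join(f"{app}:{role}" for app, role in sorted(rule))


if __name__ == "__main__":
    # Constructed starting state: alice can create vendors, bob is an administrator.
    store = AccessStore({
        "alice": {("ERP", "vendor_create")},
        "bob": {("ERP", "sysadmin"), ("AD", "domain_admin")},
    })
    for user, ent in [("alice", ("ERP", "payment_approve")),
                      ("bob", ("ERP", "payment_approve"))]:
        granted, violated = store.request_grant(user, ent)
        status = "GRANTED" if granted else "BLOCKED"
        print(f"{user} -> {ent}: {status}", *(describe(r) for r in violated))
    for ent, users in store.admin_account_review().items():
        print(f"admin role {describe({ent})} held by: {', '.join(sorted(users))}")
```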
Physical Access
Physical access covers access to buildings, data centers and other sensitive areas. The appropriate policies and reviews need to cover the entire process for new hire, transfers, terminations, contractors, vendors, etc. To be effective, this often requires cooperation with Human Resources (HR), Legal, and Compliance and possibly some business units.
Think like an auditor: once access to the data center is documented, reviewed (quarterly) and signed, the auditor(s) will generally pick a terminated IT staff member to audit.
This is where the “culture of compliance” comes in – rather than hoping the process works, it pays to establish an environment where employees take the right actions as a course of action. In this case, it means they log all entry by contractors, vendors and other guests and validate this list against an electronic record of entrance.
A quick sign of success is when even escorted coworkers are asked to sign a log file for entrance into the Data Center.
Operations
Operations are the lifeblood of the organization.
Many organizations have a facilities department separate from IT, which requires cooperation between teams. This is also a reason to have a single person drive the compliance and audit process – to streamline these connections and provide a measure of continuity.
Make sure vendor contracts are in order for the facilities/physical equipment such as fire suppression, heating/cooling and other support systems. When the culture understands the importance of protecting this information, each department will notify others of changes and work together to ensure updates and “coverage.”
Good auditors look to assess if the team has a handle on inventory or manages by incomplete spreadsheets with a hope of accuracy. This is an area where the use of automated discovery tools pays dividends.
There is much ground to cover here, and it must include the who, what, where and when of job scheduling. Changing job scheduling is a process, whether it is for changing frequencies, adding, deleting, or even emergency procedures.
Another area of focus: ensure backup processes are documented, reviewed, and followed.
Think like an auditor: provide logging details, be ready to explain the job failures and how they are handled! If an auditor asks about failures and the response is “we have none,” it triggers (or should) a lot more questions.
Change Management
In general, the key to change management/development is authorizations.
This starts from the top with project approval forums all the way down to and including authorization to put code into production. Each phase (QA, testing, and CM) should define the requirements, necessary documentation and authorizations. Where appropriate, several levels of approval are required.
Change control is not limited to applications.
Network configuration (port address) changes and changes to OS configurations also need to follow the change control process. Emergency changes often fall through the cracks of standard procedures. Establish a process that allows flexibility to get the task completed, but make sure you have post documentation, with verbal approvals documented after the fact.
System Development
Time to really consider, implement and/or follow SDLC documentation (need a starting point? check out: http://www.shellmethod.com/refs/SDLC.pdf). Pay close attention to the two primary parties, the end users and the developers, and their responsibilities.
A simple question to start the process: does the current process, what people are actually doing, match what is documented?
In many cases – maybe even most – the answer is either no, or worse, “documentation, we don’t have documentation!” Larger, more mature organizations tend to have a dedicated quality assurance (QA) department that often engages in auditing or assessing the system development process.
In general, workflow applications are great, but avoid the concept of “assumed authorizations”. The workflow must meet the documented levels of authorization.
Some people may sneer at the concept of “culture of compliance,” but their personal experiences don’t diminish the importance of engaging people in every aspect of the process – to the point where it is ingrained in the very culture of the organization. The reality is that compliance becomes a process, and the organizations that are focused on engaging their people are able to meet compliance goals without imposing (too many) additional burdens.
Quite simply, this is establishing, nurturing and supporting a culture of compliance.
By considering these five areas, it is possible to provide some structure and ask good, probing questions that lead to conversations that ultimately inform the decisions and actions of others. Change the way people think when developing and making system changes and 85% of your challenges will gradually melt away.
This is simple to test:
1 – Have a manager ask an SE to grant him admin rights, complete with a bit of a story. If the result is a change in access on the fly, there is an immediate opportunity to educate. In my experience, the education might be better as a discussion with questions, as opposed to scolding and “gotcha.” Connecting the person to the consequences of their actions – in their words – goes much further.
2 – Ask the customer if they do post-implementation testing. Does it meet the initial scope of the project? Are “lessons learned” documented and kept on file?
3 – Ask the Data Center manager when the next scheduled fire suppressant equipment inspection is due. Not needed instantly but they should be able to produce a copy of the contract and last maintenance records.
What do you think?
Share your challenges, successes or questions about how to effectively drive your audit and compliance program in the comments below.
Posted by Trish Smith on January 21, 2010
by Trish Smith
Happy New Year! Has the year started with a bang, full of passion and excitement? Or is motivation lagging?
Last month we explored the concept of motivation and why employees’ motivation is important. As the year brims full of potential, the timing is perfect to develop and implement a motivational plan for your employees.
While there is no one-size-fits-all plan for improving employees’ motivation, there are some proven guidelines that simplify the process and lead to success. There are five factors considered essential to a successful program:
- Flexibility
- Increase positive behavior
- Decrease negative behavior
- Provide constant feedback and a framework for teaching skills
- Be an overall positive approach
Is the problem really about motivation?
Before developing a motivational system, determine whether the problem is actually motivation. Could it be something else, such as lack of access to the tools needed to do the job, or the working conditions of the job itself?
These aren’t motivational issues and cannot be fixed with a motivational system. These and other environmental challenges need to be addressed beyond motivation.
No Limits?
Improving motivation is an investment. Investments have limits – so what is the organization willing to do to improve employee motivation? While this often boils down to cash, sometimes other investments can be beneficial, too. Regardless of the answer, it is essential to ask.
There is nothing more demotivating than to be promised something, only to find out afterwards that the company can’t or won’t do it.
Steps to create a motivational system
1. Analysis
The analysis is focused on determining what factors are in scope. Will efforts be to:
- Implement a program based on performance?
- Develop new ways to satisfy employees’ needs?
- Change discipline policies?
- Create new opportunities for employee learning?
- Make the organization more receptive to employee feedback?
These are starting points – and the program will likely be a blend. The key during the analysis is to focus on where improvements will occur.
Without focus, the risk is of turning the program into just another ineffective “flavor of the month”, and making the chances of any future, well-intended change programs less successful.
Including employees in this process is critical to its success. After all, they’re the ones who best explain what would improve their motivation. Making them allies in the effort to create a workplace where they can bring their best will increase the chances of program success.
2. Development
This is the nuts and bolts of the system. Use all the resources at hand to develop the actual motivation strategies and specific methods, such as developing a new feedback system for employees to share ideas, a new continuing education program, or a recognition system for outstanding customer service. Make sure to involve relevant managers, executives, decision makers and influencers in the plan. Buy-in is important: the last thing the company wants is to roll out a new program without approval, only to have it shut down before it even gets a chance to work.
3. Materials
What materials are needed to support the program and engage people? Does it require new forms (electronic forms might be a strong option), a new company wiki, or a new guidebook?
Make sure to enlist the skills and talents of anyone who can help you in this area, including HR, IT, and administrative support. Michael often talks about finding and amplifying the good; when it comes to developing an effective program that truly engages people, this can be accomplished by letting them participate in the development and improvement of the materials.
4. Monitoring
The goal is to get it right the first time. But even if that happens, monitoring is an important, often overlooked, element. Monitoring provides insights and guidance necessary to make changes and help the system evolve.
When considering what and how to monitor, include goals, objectives, and criteria for their success. If possible, set dates by which the goals and objectives must be met.
Develop methods for people to track their progress in the program, or by which others (for example, their supervisor) can track progress.
Remember to focus on effectively tracking behaviors, not attitudes; goals and objectives need to be things that are quantifiable, not vague concepts. “Number of staff attending afternoon meeting” can be more easily tracked than a vague concept like “employee attitude”.
5. Training
Conduct training with management staff. After all, they are the ones primarily responsible for employee motivation, and the ones who can best observe motivation levels. Make sure the team understands the purpose of the program; that it’s not to punish employees, or to create a falsely positive atmosphere, but rather to deliver those things that employees feel are most important to their work, in order to create a workplace that employees can do their best work in.
6. Implementation
Simply put, it’s time to roll out the program. In smaller organizations, it’s possible to do this in a centralized manner, but for larger organizations it requires a phased approach. Regardless of how, it’s vital to initiate the program in a way that shows people it’s fully supported and an integral part of the organization’s processes.
7. Follow-up
Hold regular meetings to evaluate the program’s progress. Incorporate employee feedback in the program, and make changes to it as needed. The program will need adjustment as time goes by, as motivation is a journey, not a destination, and what works for one employee at one point in time may not work for them six months later.
Flexibility – the first of the five criteria – is key to success.
Implemented a motivational program? Starting one? Leave us a comment – we’d love to hear about your own journey.
Avoiding the biggest mistake
The biggest mistake that identity management implementers make is biting off way more than they can chew – we all have grandiose ideas of integrating all of the company’s systems and fully automating them, too! It never sounds that hard when the team is sitting around the conference room table, excitedly brainstorming.
Unfortunately, it doesn’t work that way, but as it turns out, fully integrating every last system with identity management is a bad idea anyway – at best it will be costly, at worst impossible.
The reality is that most systems will not integrate out-of-the-box. For those that don’t, full integration means extensive custom coding to ensure a comprehensive two-way interface between the identity manager module and the target system. Legacy systems that are particularly “old” (in technology years, that is) may lack protocols in common with identity manager, making a full integration impossible.
The good news is that fully integrating every system with identity management is not necessary to have a successful implementation. The key to success is effectively deciding which systems warrant a full integration, where an indirect interface will work, and which systems do not require any interface at all.
It is important to carefully consider which systems will require integration at the beginning of the process – ideally before the product is chosen or design work is started – as this decision will drive many of the product requirements. This also focuses the data/process cleanup and other preparatory efforts on the right systems at the right time.
A proper prioritization now ensures maximum efficiency going forward.
But first, a few notes…
B2E and B2C
Much of the focus in this series is on B2E (business-to-enterprise) implementations – that is, identity management within the organization for employees and non-employees using company systems.
When appropriate, I will touch on B2C (business-to-consumer) implementations, but in general, from a process and data cleanup perspective, B2C implementations are much simpler. The typical B2C implementation may seem much larger because it has so many users (possibly millions) and there are some additional technology challenges (e.g., ensuring that the user interface works with any browser), but there is usually only one target system (or maybe a couple), and all users get the same permission set. In a B2C environment, it is important to get a few key decisions correct, and then apply them successfully – a lot.
B2E implementations on the other hand have comparatively fewer users but many target systems, and the complexity of permutations of access can be tremendous. Successfully solve the process and data problems in a B2E identity management implementation and there will be few new challenges with a B2C implementation.
Source of record
“Source of record” – sometimes also called “authoritative source” – is the system that is always “right” with respect to a particular data element. For example, the HR system is typically the source of record for employee numbers. If there is ever a discrepancy in someone’s employee number between HR and another system, whatever HR says is the right answer. Similarly, the email system is the source of record for email addresses. For userIDs, identity management is the source of record.
Although this may seem pretty obvious, it can get fairly complex – especially in organizations with multiple HR or email systems that do not interface with each other. Consider creating a map to identify different data elements that will be important in the identity management implementation, and specifying the source of record for each.
Source of record key point #1: Although one system can be the source of record for multiple data elements (e.g., HR is the source of record for title and employee number), there should NEVER be multiple sources of record for one data element (e.g., LDAP and Active Directory are both the source of record for John’s location).
So what is the source of record for userIDs if there is no current identity management system in the enterprise?
Since userIDs are central to identity management, the answer to this question matters tremendously. Maybe initially the “source” is a database or even a spreadsheet – it’s probably dirty data, but it may be all that’s available. Once the data is cleaned and identity management is implemented, identity management becomes the source of record for userIDs.
This brings me to the most important point about identity management…
Source of record key point #2: Just because it’s the source of record (or authoritative source, which makes it sound even more important) doesn’t mean it’s accurate! Identity management is only as good as the data it receives. A key failure of many identity management implementations is not the technology or even the efficiency of the underlying processes – it’s the lack of accuracy in the source data.
I cannot emphasize the importance of clean data enough, and that’s why the next couple of articles will be focused solely on data cleanup. Unfortunately, some data cleanup goes way beyond an identity management implementation. Many organizations find that HR or other source data is at best missing or outdated, at worst outright wrong. That’s a whole ‘nother can of worms that we’ll discuss later.
For now, let’s get back to this article – prioritizing systems for integration/interface with identity management.
Prioritizing systems effectively
Priority 1: Sources of record and other primary systems
There are several key sources of record that must fully integrate with identity management. Chief among these are:
- Human resources (may be multiple systems)
- Directories (LDAP, Active Directory, etc.)
- Email system(s)
Beyond these “universal” systems, each organization will have other essential systems to be integrated. A guiding principle for success is that any system that is a source of record for a particular data element required by identity management should be fully integrated, meaning that there is two-way communication between the target system and identity management, allowing for automation of data exchange, provisioning/deprovisioning, etc.
Any system that is a source of record for key identity management data is considered Priority 1. The list may stop here, or there may be other primary systems that warrant a Priority 1 classification. Here are some criteria for categorizing other systems as Priority 1:
- easy to integrate out-of-the-box
- business critical
- large numbers of users with high user turnover
Selecting the right Priority 1 systems makes the project team more likely to experience an immediate benefit in terms of user experience, achieved ROI, and/or increased security/reduced risk.
Priority 2: Secondary, complex, legacy, or small – but still important
Priority 2 systems are on this list for one of several reasons:
- they meet Priority 1 criteria but the integration would be extremely complex
- they’re important systems but there aren’t *that* many users
- they’re important systems but too “old” to integrate
When faced with a Priority 2 system, consider these options:
- create a generic process that tracks what access is granted via identity manager
- identify the information that is needed and how frequently, and design a data export to a simple flat-file that can later be batch uploaded to role manager on a schedule
- spend the extra time and money on a custom integration
The first option – the generic process – combined with manual workflow and a one-time “dump” of users that already have the specified access allows for the tracking and automation of workflow tasks, which is a step in the right direction. But it is very important to know that this solution does not facilitate user recertification, because there is no interaction with the target system.
The second option – flat-file data transfer – is totally unglamorous, but viable. Careful analysis is needed in this case. In some situations, this option is fairly simple to implement, and provides a lot of benefit. In other cases, this option is not much less work than a full custom integration – if that’s the case, might as well go for the whole solution.
Both options preclude auto provisioning/deprovisioning. Only a full custom integration will allow for that, but from a user management perspective, the challenge is doing the right thing at the right time – especially as far as the auditors are concerned. Most often the problem isn’t administrators failing to do their job – the problem is administrators not knowing there is a job to be done. If identity management can initiate the right tasks at the right time, 90% of the problem is solved. Sure, having it happen “automagically” is better, but the most important thing is that it just gets done.
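To make the second option (flat-file transfer) concrete, here is an added example in Python; it is not the author’s code or any product’s. A scheduled job reads a Priority 2 system’s flat-file user export, compares it with the HR feed (treated here, as an assumption, as the source of record for employment status as well as employee numbers), and emits the deprovisioning, orphan-account and recertification tasks an administrator needs to act on. The system name “finance-ledger”, the column layout and every record are constructed for illustration.

```python
"""Scheduled reconciliation of a Priority 2 system's flat-file user export.

Added example, not the article's own code. The target system cannot be
integrated directly, so it exports its user list to a flat file on a
schedule; this job compares that file with the HR feed (assumed here to be
the source of record for employment status) and emits the tasks an
administrator must act on, so nobody has to notice on their own that
"there is a job to be done". System name, column layout and all records
are constructed.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed HR feed: source of record for employee numbers and (assumed) status.
HR_CSV = """employee_number,user_id,status
10001,jdoe,active
10002,asmith,terminated
10003,bwong,active
"""

# Constructed flat-file export from a hypothetical system called "finance-ledger".
TARGET_EXPORT = """user_id,role,last_login
jdoe,ledger_viewer,2010-01-05
asmith,ledger_admin,2009-12-20
ghost,ledger_viewer,2009-11-02
"""


@dataclass
class ReconciliationReport:
    """Tasks the job hands to the system administrator."""
    deprovision: list = field(default_factory=list)  # terminated in HR, still on target
    orphans: list = field(default_factory=list)      # on target, unknown to the source of record
    recertify: list = field(default_factory=list)    # active and known: owner sign-off needed


def find_duplicate_user_ids(rows):
    """Source-of-record data quality check: a userID must map to one HR record.

    Duplicates mean the feed is dirty (authoritative does not mean accurate)
    and must be fixed upstream before the feed is trusted.
    """
    seen, dupes = set(), []
    for row in rows:
        uid = row["user_id"]
        if uid in seen and uid not in dupes:
            dupes.append(uid)
        seen.add(uid)
    return dupes


def load_hr(text):
    """Return {user_id: status} from the HR feed, refusing a dirty feed."""
    rows = list(csv.DictReader(io.StringIO(text)))
    dupes = find_duplicate_user_ids(rows)
    if dupes:
        raise ValueError(f"HR feed has multiple records for userIDs: {dupes}")
    return {row["user_id"]: row["status"].strip().lower() for row in rows}


def load_target(text):
    """Return the target system's export as a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_status, target_rows, system_name):
    """Classify every account on the target system into an administrator task."""
    report = ReconciliationReport()
    for row in target_rows:
        uid = row["user_id"]
        task = {"system": system_name, "user_id": uid, "role": row["role"]}
        status = hr_status.get(uid)
        if status is None:
            report.orphans.append(task)       # nobody in HR owns this account
        elif status != "active":
            report.deprovision.append(task)   # access has outlived the employment
        else:
            report.recertify.append(task)
    return report


def main():
    report = reconcile(load_hr(HR_CSV), load_target(TARGET_EXPORT), "finance-ledger")
    for label, tasks in (("DEPROVISION", report.deprovision),
                         ("INVESTIGATE ORPHAN", report.orphans),
                         ("RECERTIFY", report.recertify)):
        for task in tasks:
            print(f"{label}: {task['system']} user={task['user_id']} role={task['role']}")


if __name__ == "__main__":
    main()
```

The job does not touch the target system, so it still cannot provision or deprovision by itself; what it adds over the generic-process option is a recertification list and a deprovisioning queue derived from the export.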
Leaving some out – at least for now
One of the main tricks in the successful implementation of identity management is to know when to say when.
Whether because they’re too old or too small, there will be some systems that just shouldn’t be on the integration list – certainly not now, maybe not ever. The interesting thing is that one or two of those may be “important” systems from an audit perspective.
For example, we have a financial application at my company that is largely automated so it only has three users – we’ve had one user change in the past two years on that system. But it’s on the SOX list and the auditors are always very interested in this application. Even though it’s a critical application, we have no plans to integrate it with identity management. This is an extreme example, but we have another application that is also on the SOX list with maybe 1-2 dozen users. This application is managed by a single administrator who knows every user personally. Any benefits we would gain from automation (user recertification, transfers, terminations, etc.) are negated by the administrator who often knows what needs to happen for each user before HR even finds out. It’s simply not worth spending the time and money to integrate with such an application because it is already so well controlled.
Populating the requirements list
Although we won’t be discussing requirements in detail until later this year, we’ll actually start building requirements along the way based on working discoveries.
After this month’s exercise, you should have a good idea about what needs to integrate, and to what degree. Ask your engineers to spend a little time examining the protocols that are used by your Priority 1 and 2 systems, as well as the APIs or other integration technologies that may be available on each system. These items will feed your requirements list – especially those pertaining to Priority 1 systems. If an identity management product cannot adequately “talk” to your Priority 1 systems, that may be grounds for instant elimination from the candidate pool.
Action Recap
This month, we covered the following key actions:
- Identify data elements important to identity management and their source of record – create a map to determine which data elements come from which system, and make sure that none of the data elements have multiple sources of record
- Prioritize systems to integrate with identity management – sources of record and high-volume systems come first; smaller and harder to integrate systems come second. Some systems should not be integrated at all
- Start a requirements list – how could/would an identity management product integrate with the systems on your priority list?
How can I help?
Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.
Posted by Martin Fisher on January 19, 2010
by Martin Fisher
Those who know me have come to expect me to “correct” them whenever they say “manage people”.
“Objects are managed, people are led,” is my usual retort. Sometimes I am met with a blank look, sometimes with an exasperated grimace, and sometimes (and not nearly often enough) by a questioning stare.
“What?” the quizzical friend often asks. “There’s not a difference worth mentioning.”
Nothing could be further from the truth and nothing, in my opinion, has done more to impede the progress of the information security profession.
The abject failure of leadership, from senior ranks, through middle management, to front-line supervisors has led to a culture that glorifies “meeting expectations”, extols the virtue of “accomplishing goals”, and is satisfied with “getting the job done”. Don’t get me wrong – these things are important – but they miss the vital difference: That a dynamic leader can take a group of people and almost always “exceed expectations”, “surpass goals”, and “get the job done better” and still have a happier team and more satisfied customers.
“How does that happen?” asks the still-quizzical friend, “Isn’t meeting expectations what we’re here for? Isn’t that enough?”
Sadly, it isn’t enough.
All people appreciate leadership. Everyone inherently wants to belong to a team that accomplishes exceptional results. Nobody wants to be in an organization that doesn’t excel.
The key to this is the Leader.
Leaders determine, by applying their leadership talents, just how far the team will go. Setting a goal and managing to that goal ensures that any additional capability is forever lost. Managing to a goal guarantees that the exceptional capability that is native to any team will be lost in a desire to just do “enough”. When we manage people, instead of lead them, we are condemning ourselves to forever experience sub-optimal results, never knowing what could have been accomplished.
“But my team is happy and my customer is satisfied. Doesn’t that mean I’m succeeding?” asks the friend as their frustration with the conversations grows. “You’re making more out of this leadership thing than it really is, aren’t you?”
This is the point where the friend has reached an almost Matrix-esque moment…
“Take the blue pill and this conversation ends. Everything goes back to the way it was and you can believe anything you want to believe. But take the red pill, and I’ll show you how you can take the leadership skills and talents you have and use them to transform yourself and your team. I’ll teach you how to truly get more done with more satisfaction.”
Which pill, my friend, will you take?
Posted by Dennis Kuntz on January 14, 2010
by Dennis Kuntz
“You rush a miracle man, you get rotten miracles.” – Miracle Max, from The Princess Bride
When building Security from Scratch, the challenge is in understanding the situation from the start. Once the team is identified/assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. This is not an “assessment” in a formal sense, but is more involved than simply checking for a firewall and antivirus.
Each situation is unique, but here are the areas I consider in my tactical review so I can understand what challenges lie ahead and form my plan of action:
- Information Security Policy
- Network/Perimeter Security Posture
- SDLC Security Policies/Procedures/Practices
- Applicable Compliance Requirements
- Security Awareness
I’ll share my approach and thinking below – but want to hear from you, too. Are there other areas you would include, avoid or otherwise consider? Leave a comment or send an email and we’ll expand together.
Information Security Policy
This is an area open to debate, but I like to check for and review the existing security policies. It provides insight into what, if anything, has been done. It generally provides clues, too, to why decisions were made.
I’ve found two major approaches to Information Security Policies:
(a) a monolithic approach where the policy encompasses all areas with details
(b) a piecemeal approach where you have a very general document that references more detailed documents.
If I get to choose, I prefer the piecemeal approach. It allows employees to get an overview of the policy and all of the areas covered, without overwhelming them with too much all at once with one huge document they’ll never read.
With the “piecemeal” approach, the details can be spelled out in the referenced documents that are easier to draft, update, and distribute.
Understanding the current approach and structure helps form a picture of the current environment. Here are some questions to ask when considering the existing Information Security Policy:
- Does a policy exist?
- Who wrote it, is it strictly boilerplate, and/or has it been reviewed by stakeholders and approved by management?
- Are the policies being followed?
- How are changes made/approved?
- Who currently maintains the policy?
Network/Perimeter Security Posture
Now, while I suggested that just checking for firewalls and antivirus isn’t enough, that doesn’t mean they should be skipped. It’s too easy to limit one’s assessment of security posture to just those kinds of elements. With that said, though, this is definitely something that should be included.
In addition to getting a good idea of the network architecture (diagrams, etc.), here are some questions to ask regarding the network and perimeter security posture:
- Is remote access allowed? If so, how – VPN, SSH, nothing?
- Are firewalls, WAFs (Web Application Firewalls), and/or IDS/IPS employed? Where? Who manages/maintains them and their rule sets?
- Does your company have/maintain a DMZ?
- Is wireless access allowed from your premises (including both network access as well as “open” wifi)?
- Does your company have any resources/assets in “the cloud”?
- If in “the cloud”, what control does your company have over the security of resources, vs. those that are simply “built in” to the services offered?
This is obviously not a comprehensive list (if you think I missed something key, drop a comment).
The main focus is to get a tactical understanding of the network and potential points of exposure. While tactical, this allows the identification of strengths and weaknesses in the current layout to form the path to advance the posture.
Once the tactical review is done, it is important to run internal and external assessments to test the baseline performance of the existing controls. Ideally, this should include both comprehensive vulnerability assessments as well as comprehensive penetration testing. This can be easily handled in-house if budget is a challenge.
SDLC Security Policies/Procedures/Practices
It should be obvious that for companies that conduct business on the “Internet”, develop software, or have any measure of internal development, SDLC (System Development Lifecycle) practices are important as they relate to security.
However, this also matters to companies with only a web site that was created externally and is hosted/maintained by a third party ASP (Application Service Provider), with no internal development. When getting the lay of the land, take a look at the accepted development practices to make sure they take appropriate security measures into account.
Here are some questions you can ask:
- Who “owns” the SDLC?
- Is security specifically addressed in any SDLC documentation, especially regarding applicable best practices (e.g. OWASP Top 10 for web application development, buffer overflows for vulnerable languages, etc.)?
- Is there any formal secure development training available for developers?
- If third parties/outsourcing is used for development, are security practices published and/or open for review?
- What is the current state of security awareness among the developers, architects, etc. (this can be assessed by one-on-one interviews with developers, architects and managers)?
As with the Network/Perimeter Security Posture section, being able to run assessments and have penetration testing done will go a long way toward establishing the effectiveness of current controls.
Applicable Compliance Requirements
If the company is subject to any compliance requirements, it is vital to establish the current state of compliance. I will be covering this topic in more detail in a later post, but here are some questions you should ask:
- Is the company subject to government compliance (SOX, HIPAA, etc.)?
- Is the company subject to non-governmental compliance, such as PCI-DSS?
- Does the company need to remediate any recognized compliance violations and/or is there a deadline for any existing compliance efforts?
- Regarding existing compliance efforts, where/how far in the process is your company?
- Who or what department oversees any given compliance effort?
As noted in the first installment of this series, establishing relationships with other departments – especially regarding compliance – can go a long way toward achieving your company’s compliance goals.
Security Awareness
While “Security Awareness” can mean different – and specific – things to different people, I’m referring to it here in more general terms. In essence, you need to take a look at your company’s current behavioral and cultural stance and openness toward information security. Here are some questions you should ask:
- How much support will you have from stakeholders? From management? From everyone else?
- Related to the previous question, how much latitude will you have in making decisions – will you get to run the show, or will you end up having to be an order-taker?
- Is your position the culmination of a concerted effort to “become more secure”, or is it the result of a begrudging attitude to achieve a bare minimum? The answer to this one may take some effort to answer honestly…
Turning Your Eyes Toward Defining – and Achieving – Success
Once you have all of this in place – your team and a good idea of where you are – you can begin to understand what is needed to define “success” and the metrics needed to quantify that success.
Posted by Aaron Titus on January 12, 2010
Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item. Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, you move on to the next subject.
You are relieved to move on, but don’t be surprised when you have to rehash the same subject at the next meeting. Do not mistake movement for progress; your discussion was an utter failure because it lacked the fundamental element to any progress: An Action Item.
Every action item is comprised of three things:
- A Person
- A Deliverable
- A Date
Absent one of these three things, a decision is not an action item. It is a wish. All would-be “action items,” “goals,” or “decisions” which fail to include one or more of these components were a waste of your breath and their time. Action items must be clear, measurable, and have accountability. Unless you want to rehash the same issue at the next meeting, never walk away without identifying a person, a deliverable and a date for each action item, regardless of the subject matter. Let’s analyze some would-be “action items” from actual meetings:
Assignment 1: “Development of a power point presentation to train staff.”
Person: None.
Deliverable: A PowerPoint presentation. However, the subject matter of the presentation is not clear in this context.
Date: None. This presentation will never be late, because it’s never due.
Outcome: Inaction. This is a wish, not an action item.
Assignment 2: “Staff will take decisive action aimed within the next 30 days at having the new privacy policy ready to be trained upon.”
Person: Nobody, or more specifically, everybody. Note the excessive use of passive voice. An action assigned to everybody is nobody’s responsibility.
Deliverable: None. If you can tease a deliverable out of this, you deserve a raise. What exactly do “decisive action” and “ready to be trained upon” mean?
Date: 30 days. However, this date doesn’t mean much because there’s no deliverable or assignment.
Outcome: Inaction. This is a wish, not an action item.
Assignment 3: “Jane Davis should work with the Communications Department to discuss the issue of posting the entire training program on the website for free downloading to all visitors.”
Person: Jane Davis.
Deliverable: Hold a discussion with the Communications Department. Although they probably intend for Jane to post the training program, her only assignment is to have a discussion. It might have been written better as “coordinate with the Communications Department to post the training program by the end of the month.”
Date: None.
Outcome: Inaction. This is a wish, not an action item.
Assignment 4: “Kevin Jones will identify key end-users, such as educational and other relevant organizations, and develop a database of end-users, by the end of January.”
Person: Kevin Jones.
Deliverable: Database of end-users. Of course, with this responsibility, Kevin must also have the authority and resources to execute the assignment.
Date: January 31st.
Outcome: Action. This is an action item.
The three components of action are a person, a deliverable, and a date. Here’s your assignment: Next time you lead a meeting, don’t rest until you identify the three elements of action for every assignment. It’s the single most effective thing you can do to shorten meetings and avoid rehashing the same issue again in the future.
So let’s evaluate my assignment:
Person: You.
Deliverable: Require a person, a deliverable, and a date for every assignment you make.
Date: Your next meeting.
Outcome: Shorter, more effective meetings, happier employees, and real action. This is an action item.
Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 6)
Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed to bring immediate results. This set the stage for the refinement of what is now called The Catalyst Method™ — what Michael teaches, guides and uses to help organizations get results that transform insiders into allies who reduce business risk.
Go deeper Into the Breach with Michael Santarcangelo with EMC
Each month, EMC pulls back the curtain and provides more insights and a deeper discussion with Michael Santarcangelo about the elements in this chapter. In fact, for this chapter, Michael explains how he has modified the implementation and refined “The Catalyst Method™” to get real, rapid results. Learn how to harness the power of their people to inform and improve the risk management process in a matter of weeks.
Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get access to the latest session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Learning more about Michael’s keynotes – and hiring Michael Santarcangelo to excite, ignite and turn insiders into allies who reduce business risk!
Posted by Dennis Kuntz on December 30, 2009
by Dennis Kuntz
“Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” – Vince Lombardi
When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in The Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.
When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.
In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.
Based on my experience, there are three steps to take when starting from scratch:
1. Getting Together: Who’s on Your Team?
The first question focuses on the team: “What will my team look like?” This is key whether you’re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.
This is not set in stone – more time generally yields a clearer picture, but starting with a picture is key.
2. Assess the Situation: How Will this Work?
With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management’s flexibility for unplanned spending, etc.).
As you identify resources – and the gaps between them – you’ll start to get a vision of your current situation, and your company’s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.
3. Get to know the family
Just as important though, is to figure out who the right people are in your “sister” departments, such as Human Resources, Legal, and as you might guess, IT.
Human Resources is essential because it manages the relationship between a company and its employees. While there are many non-risk functions an HR department performs, one of the most important is in managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR’s responsibilities regarding any kind of internal employee issue and Information Security’s role in protecting internal assets. You will definitely need HR’s help in proceeding in any kind of internal investigations as it relates to employees, and they can definitely benefit from your expertise when addressing certain kinds of employee issues – and they may not even know it.
The Legal team in an organization normally helps to protect company assets by dealing with anything from relationships with external entities (via contracts, NDA’s, etc.), alongside HR with internal employee matters, managing the company’s posture when dealing with legal issues/requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), as well as compliance matters (PCI-DSS, HIPAA, SOX, etc.).
As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be pretty easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance departments – can help in your efforts to build your program. And that’s whether it’s a tip-to-tail effort, or something more concentrated like penetration testing. Less likely and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.
Turning the One Man Band into a Symphony
Information Security is about managing risk.
In creating a security program, it pays to realize that even when alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company’s assets can effectively extend the security “team” beyond whatever may be listed on paper.
What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…
Posted by Sharon Shaw on December 22, 2009
Across the globe, organizations are forced to preserve limited resources, work with tighter budgets and somehow produce profits that are as realistic as Freddy Krueger presenting the Mickey Mouse Club.
The resulting crunch and pressure on employees combines with the global financial situation (with very deep individual impact) and unrealistic corporate expectations to form the perfect storm – for fraud.
I know the analogy of the “perfect storm” has lost favor, but that does not diminish the reality that many organizations are experiencing and will continue to experience. This storm will crush organizations with a speed and randomness similar to Godzilla’s stomp through Tokyo.
The reality is clear: fraud is thriving in today’s turbulent economic climate. The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation confirms this, revealing that in 2008 $994 billion was lost to fraudulent activities.
To put this in perspective:
Dear Santa,
I want eight International Space Stations and fifty – yes, fifty — Space Shuttles. I plan to launch each shuttle 275 times (since it only costs a mere $450,000,000).
P.S. The cost of this “gift” is less than the money wasted through fraudulent activities in 2008.
Silly, right?
Sadly, this is more reality than fiction. Consider the recent headlines: “Baltimore mayor convicted on fraud charge,” “Fla. lawyer charged with $1B investment fraud,” “Death Sentence for ₤35m Fraud Woman.” The challenge we face is that this amount of fraud is only the beginning. But it’s not too late to take action now to weather this (and future) fraud storm(s) and come out the other side intact.
Want to head off fraud and improve the bottom line?
The time to act is now.
Prevention is possible and relatively simple to implement. Over the course of the next year, I am going to share insights and simple practices for a successful, proactive and achievable approach to fraud prevention.
The Flapping Wings of Fraud
Organizations impacted by fraud experience far-reaching effects, sometimes distressing the local community and even the world economy. Edward Lorenz’s butterfly effect is extremely relevant to fraud when taken in the context of Bear Stearns, Lehman Brothers or even Bernie Madoff.
What may seem like a small indiscretion — the kind that causes no harm to any person — could actually be contributing to something much larger.
From tiny acorns massive oak trees grow. Left unattended that acorn will grow and grow.
Just like acorns, fraud thrives until someone takes action and removes the seed.
The key is to prevent the seed from germinating. This, in essence, changes the flap of the butterfly’s wings.
Understanding Fraud Leads to Effective Prevention
Fraud is the intentional or deliberate misrepresentation or concealment of material facts to deprive another of property or money.
Three elements must be present in order for fraud to occur:
- Pressure/Motive
- Opportunity
- Rationalization
Removing just one of these factors reduces the likelihood of fraud and increases the opportunity to improve the bottom line.
Reducing Fraud: With Half the Budget and Half the Team
No, not mission impossible! The following three simple steps allow any organization to build a stronger and more profitable future no matter how limited the resources.
Step 1: Eliminate Pressure/Motive
Employees who are sufficiently challenged, rewarded and cared about are more likely to stay with an organization and contribute to its long-term success.
Short-term gains through cutting incentives and setting unrealistic goals will not contribute to long-term organizational success. Associate turnover increases – which actually increases expenses (hiring new people is costly and labor intensive). Moreover, this creates feelings of hardship and negativity that ultimately encourage fraud.
The first step is to actively reduce the pressure and motives for fraud through improved and consistent communication. We will work together on this in the coming year — but start today by asking questions, listening to the answers and engaging often.
Step 2: Eliminate Rationalization
When fraud occurs the perpetrator always has an interesting explanation.
Associates who steal client information often justify their actions with the falsehood that the organization will not be hurt significantly because they only took a small amount of information. They may even convince themselves that they are entitled to that money because the organization has them doing the work of three people and has not increased their salary accordingly.
They further rationalize that the victim will not suffer financial loss as someone else will cover the costs.
While this can be a bit more involved, get started by stepping back and considering the culture of the organization: is a change in order?
Step 3: Eliminate Opportunity
What do employees do and how are they doing it?
In the coming year, we will explore common practices that also help reduce fraud, like segregation of duties and job rotation. A benefit to consider of these and other actions is the ability to increase the knowledge of associates and connect them back to the consequences of their actions. (Michael’s book, Into the Breach, nails this – and is a required read for anyone who wants to really make some changes in 2010).
Fraud occurs where oversight or accountability is lacking. Fostering a culture of openness and accountability helps prevent fraud – and actually increases long-term profitability.
Challenge For the New Year
As most people disengage for a few weeks, the time is right to consider fraud prevention for next year.
Start simple: between now and the New Year, modify just one behavior within the organization.
Take the first step towards creating a positive environment, which is more resilient to fraud. ‘Tis the season for giving — no better gift (in business) than the gift of hope for a long and profitable future.
Share your ideas and suggestions for the one thing you will change in the comments.
Working together, we can all make a difference!
Posted by Aaron Titus on December 21, 2009 · 1 Comment
Privacy Policies and Practices are like Yin and Yang. Image under license from stock.xchange.
Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.
Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation. The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of “Privacy Roundtable” discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.
With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company’s privacy policy.
Be Honest
Your mamma was right: Honesty is the best (privacy) policy. Be up front about what you do (or may do in the future) with your customer’s personal information. Many privacy policies make one of three “honesty” mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission. Each carries liability, so it is better to avoid any of the three.
Don’t over-promise. Your company may be held responsible for the representations in your privacy policy. Look out for phrases like “state-of-the-art,” “everything in our power,” or “our highest priority.” If your company really does use “state-of-the-art” technology to protect privacy, good for you. But you probably don’t, so be honest about it. While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.
Don’t under-promise. FTC guidelines and many state laws require that your company take reasonable and appropriate measures on a case-by-case basis. It may be tempting to try to disclaim all duties to protect your customers, especially if you’ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers’ privacy. Second, you may scare away potential customers, or invite scrutiny (as Facebook well knows). Third, FTC actions have indicated that businesses cannot take a “wait-and-see” approach to consumer privacy. Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if they have made privacy promises to their employees or customers.
Tell the whole truth. Another temptation is to remain conveniently silent on a privacy issue you’d rather not talk about. This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements. Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.
Be Complete & Conspicuous
Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date. The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes. California law also requires that a link to your company’s privacy policy be conspicuous. Most of the time, a link from the home page or in the footer will be sufficient.
A privacy policy is legally compliant when it addresses all of the various legal and regulatory requirements, but it is only complete when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think. For example, a typical university engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of its students. That’s why there can be no such thing as a “boilerplate” privacy policy.
Privacy Policy Must Reflect (Changing) Practices
Like Yin and Yang, privacy policy and practice are complementary and inseparable. One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers’ privacy. As FTC guidelines indicate, “Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.”
Get it Right the First Time
Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified. This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information “will not be shared with third parties without [customers'] explicit consent.” Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent. This can even apply to a transfer of personal information in a bankruptcy proceeding.
That’s why it’s important to get it right the first time. Your company’s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers. If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer. It matters.
If You Say it, Do it
We’re all familiar with the Miranda phrase, “anything you say can and will be used against you …” by the FTC. If you make a representation in your privacy or security policy, you’d better be able to live up to it. FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.
Each representation about privacy or security is treated as a “privacy promise.” Feel-good marketing fluff does not belong in a privacy policy, because even “fluff” can create duties or liability, even if the duty is not required by law. Explicit security-related promises (such as a promise to use “state-of-the-art technology”) require that the company take affirmative and ongoing steps to ensure that sufficient security is provided.
For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn’t. In recent years the FTC has taken similar action against Eli Lilly & Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.
If your privacy policy says it, then do it.
It’s Your Business
As a soon-to-be attorney, I can say * that you should have a lawyer review your privacy policy. Lawyers help the privacy policy comply with legal and regulatory requirements, but it’s your responsibility to make sure that the policy is complete. In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.
If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&D. Without their feedback it will be impossible to document your important privacy practices and create a complete privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes. There is one sure way to get in trouble: relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting. Banishing your privacy policy to the lawyers alone may get you in trouble because the end result may be compliant, but incomplete. And ironically, an incomplete privacy policy is a non-compliant policy.
Take Charge
As a CEO, COO, or Managing Director, you should do three things:
- First, read your privacy and security policy. If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.
- Second, make sure you can live up to your privacy policy. Watch out for buzzwords like “state-of-the-art,” “everything within our power,” “always,” and “never.” Make sure that you haven’t painted yourself, your customers, or your employees into a corner.
- Third, update your privacy policy to reflect your business practices, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.
* No bias, and a healthy dose of sarcasm. In this case the author wishes to think of his opinion on the lawyers as an expert opinion rather than a biased one. In the author’s experience, there is occasionally little difference between “expert” and “biased” opinions.
Posted by Trish Smith on December 16, 2009 · Leave a Comment
What happens when people lose their motivation at work?
- Less efficient use of resources
- Less creative solutions (at a time when creativity is even more vital)
- Less productivity
And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: T-Mobile in the UK, Greengrocer.com, and the Office of the Attorney General of Maryland.
When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.
Motivation – I know it when I see it
So what is this abstract concept called “motivation”? Is it like love – hard to define, but easy to recognize?
According to Webster’s, to motivate is to “provide with an incentive, move to action, impel”. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.
Now that we’ve defined it, can we describe it? What are some common motivators? Some things that have been found to be effective motivators are:
- Positive reinforcement
- Effective discipline
- Fair treatment
- Satisfying employee needs
- Setting work-related goals
Notice something missing from the list?
If you assumed that “more money” would be a lock, it turns out it isn’t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.
But even without the study, we all know that providing motivation is a good thing. The challenge is “how?”
I’ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:
1. Be the change
Employees won’t be their most creative, energized selves – they won’t be assets to the organization – unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: “If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?” Some ways you can start being the change you want to see are:
- Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don’t get a chance to exercise our skills and talents to their fullest potential.
- Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.
- Be curious, ask questions, and develop problem-solving skills by practicing them.
- Take action – have confidence in your ideas, and dare to express them. Don’t fear failure; it’s inevitable, and the only way we learn. Above all, be persistent – don’t give up.
Remember, the positive energy and creativity of your team start with you.
2. Size the motivation to the person
Despite what some people might try to tell (and sell) you, there’s no “one-size-fits-all” system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.
How?
Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.
3. Motivation is a journey, not a destination
People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.
Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).
It might be dangerous and harmful to assume employees are motivated by “more money.” The “trick” is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I’ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.
What challenges have you experienced with motivation? What successes have you had? Share in the comments…
Sources:
- Merriam-Webster’s Online Dictionary: http://www.websters.com
- Accel Team Development: http://www.accel-team.com/motivation/
- The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php
- The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm