The Business-Technology Weave


June 7, 2010  4:50 AM

Business Continuity and Data Breach; hardly mutually exclusive, and yet…



Posted by: David Scott
business continuity, business risk, contingency planning, contingency plans, data breach, disaster planning, disaster prevention, disaster recovery, risk management

 

According to a recent survey by BDO, “Business Continuity” ranks higher as a security concern than “Data Breach” among most U.S. companies.  Security risks such as wars, natural disasters, and terror attacks were cited by 55% of responding companies, vs. 44% expressing concern about breaches of security and the resulting privacy and theft issues.  

One could well ask:  If you suffer a catastrophic compromise of data, and the resulting compromise of reputation and trust, are you not imperiling the continuity (the continuing) of your business?  Well, sure… but… plenty of organizations have suffered large, embarrassing, breaches of data – and have survived quite nicely.

If you really want to understand Business Continuity in the face of large-scale catastrophe, consider New Orleans:  When those levees broke during Hurricane Katrina, how many businesses, large and small, had locks on their doors?  How many had system and data backup and recovery plans?  How many had robust Disaster Recovery plans?  All washed away in the totality of a flood.  Business = Gone.

That’s what we’re talking about when we talk about Business Continuity.  For businesses in New Orleans back in ‘05, no measure of a conventional Disaster Recovery plan would suffice.  Given the fact that levees were long understood to be underspec’d for a Cat 4/5 hurricane, it would seem that a prudent business would have extended its DR and Continuity planning to include the surrounding whole:  Perhaps joining a local association of companies in common purpose to lobby local government for a true surety posture that secured the local environment.  You need a place to do business, first and foremost.

Today, true Business Continuity planning means that you must, in part, survey where you’re at in a physical sense, and assess physical vulnerabilities to public infrastructure, power, water, security, roads, access, policing, emergency response, recovery postures, etc.  Your organization may not have a powerful lever in influencing local leaders’ actions for the protection and securing of your surrounding whole – but that doesn’t mean you can’t lay the groundwork, or ally yourself with other sympathetic organizations, in making the case for a surrounding policy and plan for security.  That is, the “security garden” in which your organization grows and prospers.

What would happen to your business in the face of a “dirty bomb” (dispersal of radioactive matter), or a natural disaster such as a hurricane or tornado?  While human life and treatment for survivors would be the first priorities, the continuity of business would be a close second:  Hospitals, emergency response, policing – these all are businesses in The Business-Technology Weave.  Even charitable organizations are considered “business” here:  They are in the business of getting something done according to mission and desired outcomes.  For any human activity, a real recovery needs to have people working and getting back into the routines of their lives quickly.

Maybe you’re thinking, “I’m not in a city that’s below sea-level with aging levees” (as was New Orleans); perhaps, “I’m not in a major metropolis like those most vulnerable to terror strikes” or “I’m not in a tornado zone.”  And yet, who in the Gulf foresaw the spill and the impact to business?   Today’s business continuity planning must examine risk and contingency in a much more imaginative and comprehensive fashion.

Next:  We’ll consider lessons from the BP oil spill.  We’re going to examine BP’s deficiencies, not from any political perspective, but from an empirical point of view, so that the “local” organization – that is, yours – can learn from the disaster in the Gulf.  Prevention must be made a value, a standard, a mission, and most of all – a belief.  Increasingly, in more and more areas, prevention on a steady, ongoing basis is going to be a thorough necessity to ensure business continuity.

This examination, from the perspective of The Weave, will lead us to the largest, most comprehensive disaster imaginable… and what can be done in terms of prevention.  But I’m getting ahead of myself…

 June 7th:  On this day in 1963, the Rolling Stones made their first television appearance (Thank Your Lucky Stars) and released their first single, “Come On”

June 4, 2010  5:51 AM

Lions and Tigers and Data Breach … OH MY!



Posted by: David Scott
acceptable use, computer education, computer training, data breach, eCulture, IT Wars, security awareness, Security Plan, security policy, security training, the business-technology weave

(with apologies to The Wizard of Oz)

Forty-six States have now enacted data breach notification laws, whereby businesses must contact consumers to advise when their personal data gets lost or stolen.  Laws also exist in the District of Columbia, Puerto Rico, and the Virgin Islands.  It’s a safe bet that the remaining States will get around to notification laws. 

Why are such laws necessary?  First and foremost:  Breaches happen.  Secondly, people wish to know – are entitled to know – when their sensitive data is compromised so that they can take action to protect themselves.  Not least, breaches are on the increase.  Why? 

Given that most data breaches originate with human error, it seems likely that a combination of lack of awareness, lack of education, sloppiness and poor decisions are the reasons.

High profile breaches seem to happen on a constant basis.  For some perspective, have a look at The Chronology of Data Breaches, courtesy The Privacy Rights Clearinghouse.  That’s just the high profile ones and meant to be, in the words of the PRC, “… a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches.”  A comprehensive listing of breaches would scare you. 

Among “new ideas” in data protection is the banning of physical transfer of data.  This seems Draconian – and where would this begin and end?  As one example:  What if you wish to walk a thumb drive across the office?  You’d better refer to the organization’s Acceptable Use policy, Security policy and any other controlling documentation.  Can you imagine the granular detail of data security policies under such constrictions? 

But doesn’t it all come down to one thing?  Care.  Care that people are trained in the proper handling of data, and subsequent exercise of care.  That is, constant awareness for what you’re doing, what you’re putting where, why, when and how. 

A fairly high-profile company recently decided to have clients verify and update sensitive information.  They decided to merge data sets with each corresponding individual e-mail account and…  Send!  You already know what happened – things got scrambled and individuals received other folks’ sensitive data.

Where were standards for testing in a test environment, for then producing an action on a limited real-world basis for assessment, and final conduct of large-scale action?  Let’s not forget solid contingency planning for the unforeseen – but prevention is key.  I believe prevention is possible, but it requires care, awareness, and education.  Constant education.
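The merge failure described above is a pairing problem: a record ends up attached to somebody else’s address. As an added example (not code from the original post or the company it describes), here is a mail-merge that validates the record-to-recipient pairing before anything is sent, supports the limited “pilot batch” the post calls for, and reproduces the row-shift failure so the check can be seen catching it. The record layout, the `send` callback and the sample rows are all constructed for illustration.

```python
"""Added example, not from the original post: a mail-merge that refuses to
send when the record-to-recipient pairing cannot be verified.
Record fields, function names and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    customer_id: str   # constructed identifier
    email: str
    ssn_last4: str     # the sensitive field that must not go to the wrong person


@dataclass(frozen=True)
class Message:
    to: str
    body: str


def build_messages(records):
    """Pair each record with its own address.  Returns (messages, problems).
    Duplicate ids, malformed addresses and one address shared by two records
    are all reported instead of silently sent."""
    problems, messages = [], []
    seen_ids, owner_of_email = set(), {}
    for r in records:
        if r.customer_id in seen_ids:
            problems.append(f"duplicate customer_id {r.customer_id}")
            continue
        seen_ids.add(r.customer_id)
        if "@" not in r.email:
            problems.append(f"{r.customer_id}: invalid e-mail {r.email!r}")
            continue
        if r.email in owner_of_email:
            problems.append(f"{r.customer_id}: e-mail {r.email} already used by "
                            f"{owner_of_email[r.email]}")
            continue
        owner_of_email[r.email] = r.customer_id
        # The body names the customer it was built from, so the pairing
        # can be re-checked independently after the merge.
        messages.append(Message(
            to=r.email,
            body=f"Customer {r.customer_id}: please confirm SSN ending {r.ssn_last4}"))
    return messages, problems


def verify_pairing(records, messages):
    """Independent check: each message names the customer who owns the
    destination address.  Catches an off-by-one row shift after the fact."""
    owner_of_email = {r.email: r.customer_id for r in records}
    return all(f"Customer {owner_of_email.get(m.to)}:" in m.body for m in messages)


def run_merge(records, send, pilot_size=None):
    """Send only if every check passes.  pilot_size limits the first real run
    to a small batch that can be reviewed before the large-scale action."""
    messages, problems = build_messages(records)
    if problems or not verify_pairing(records, messages):
        return 0, problems or ["pairing verification failed"]
    batch = messages if pilot_size is None else messages[:pilot_size]
    for m in batch:
        send(m)
    return len(batch), []


def shifted_merge(records):
    """Reproduces the failure mode from the post: the address column is
    misaligned by one row, so each body goes to the next customer."""
    emails = [r.email for r in records]
    shifted = emails[1:] + emails[:1]
    return [Message(to=e, body=f"Customer {r.customer_id}: please confirm SSN ending {r.ssn_last4}")
            for r, e in zip(records, shifted)]


# Constructed sample data.
SAMPLE = [Record("C1", "a@example.com", "1111"),
          Record("C2", "b@example.com", "2222"),
          Record("C3", "c@example.com", "3333")]
SAMPLE_SHARED_ADDRESS = SAMPLE + [Record("C4", "a@example.com", "4444")]


if __name__ == "__main__":
    sent = []
    print(run_merge(SAMPLE, sent.append, pilot_size=1))          # pilot of one
    print(run_merge(SAMPLE_SHARED_ADDRESS, sent.append))          # refused
    print(verify_pairing(SAMPLE, shifted_merge(SAMPLE)))          # False
```

The point of `verify_pairing` is that it is computed from the source rows, not from the merge output, so a bug in `build_messages` (or in a spreadsheet sort that moved one column) is caught by a check that does not share the bug.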

The culture of your organization helps to determine what you do, how, when, and under what circumstances.  In this century, it all boils down to eCulture – electronic culture:  Know what you’re doing with electronic data and also what that electronic data produces:  Paper and other physical records and repositories, such as tape, disk, stick, phone, laptop – indeed anything that can store and transport data from a sheet of paper on up.  Policy, education and training – control – must also include personal storage devices that people bring into the environment.  Absent appropriate safeguards:  If people can do it, they will.  

Does your organization conduct regularized training regarding data security?  Depending on the nature of your organization, its people, and its business, you may need monthly, quarterly or annual awareness training.

Don’t let your organization’s good standing get mauled by a data breach:  The fallout – the loss of trust, loss of reputation, and the reparations – can be enormous.

 

June 4th:   On this day in 1896 Henry Ford took his first car, the Quadricycle, out for a test drive. 


June 2, 2010  10:35 AM

Cloud Computing and Security: Forecast Cloudy?



Posted by: David Scott
business continuity, business security, Cloud Computing, cloud security, IT security

 

With the advent of Cloud Computing – that is, Internet-based computing – many are asking, “Is it secure?”

 

That, of course, depends on who is managing your status in the cloud and their adherence to best practices and prudent new practices.  It also depends on your understanding of just what the cloud represents, and the degree of reliance you place on your piece of the cloud.

 

We’re going to focus on a couple of basic security considerations here, and without being too assumptive, I believe this audience knows what cloud computing is.  However, and briefly, we can consider cloud computing to be:  1)  Platform as a Service (PaaS); 2)  Infrastructure as a Service (IaaS); and 3)  Software as a Service (SaaS).  The business advantages in shifting the burden for capital expenditures and associated maintenance to an outside entity are many – to include a reduced burden for number of staff, and the “inside” need to maintain that staff’s currency for changing and evolving environments.  Reductions of staff are not necessarily good for IT staff (and certain allied business staff), but we must acknowledge what the business edge is going to consider.

 

The chief concern for any organization, and therefore any IT senior staff who may be considering general recommendations or specific responses to business questions, is that whenever control of anything goes outside of your “four walls,” you lose a large measure of control.  We all rely on outside providers, and the overall infrastructure of the ‘net, but as one example:  A server in your server room, under the watch of your own internal staff, is not the same as an amorphous server “in the cloud.”  True, for outside elements, you can bear down on providers, you can make contracts as tight as you can possibly make them, but on the day you’re not delivering service, content, access… computing – none of your “remote” oversight much matters in the moment.

 

Nothing beats (or should be able to beat if you’re doing things right) internal security.  You can readily survey and adapt security.  You directly manage and access the personnel who manage security.  You can assess any breach potentials and make corrections of course on your terms, on immediate terms, on as strict of terms as you like.

 

On the other hand, it has been argued that cloud providers have a natural incentive to build trust, and to brand cloud computing with security.  No doubt – but any provider has that incentive.

 

As we’re fond of saying in The Weave:

 

     In the realm of risk, unmanaged possibilities become probabilities…

 

“Risk” is the operative word here:  You must actively manage against the possibility of security breaches, or episodes of inoperability, or anything the cloud is delivering to you, for you, or operating on your behalf.  Most data and security breaches are due to human error – and “outages” are security breaches in my mind.  If you have an outage of any sort, your business or particular element can hardly be called “secure.”  Therefore, awareness and common sense are key in backing up best practices and wholly new practices in the realm of insuring your piece of the cloud.

 

If you’re in the cloud or going to the cloud, what imaginative, evolving, practices are you bringing to your extended environment?  Is your security forecast sunny… or cloudy?


May 28, 2010  1:27 PM

WorkFors: Those to Whom you Report



Posted by: David Scott
business management, HR, human resources, IT Wars, personnel management, the business-technology weave

  

We’ve discussed WorkOns and WorkWiths – let’s wrap this series up with the WorkFors class. 

 

These are the folks who “work on” you – the IT leader – and include any entity or individual who has sway over IT-business matters.  These are your direct supervision, senior management, your governance committee members, your board, and other senior players who have influence.  It also includes clients, members, and customers.  For your organization, it may include regulatory bodies or government agencies.  But the steadiest and most influential WorkFor interactions will be with those superiors in the organization itself.

 

For the IT leader, you must embrace the fact that many, if not most, of these people are not particularly interested in information technology.  Even when they are, they don’t have time for a lot of details.  They are not oriented to details – at least in a situational sense.  They don’t have time for details – they have people working for them that attend to those.  You for instance. 

 

WorkFors are big-picture players, and are focused on results.  They’ll want to hear about solutions, not problems.  They want to hear about progress.  They want to hear about productivity and efficiency.  They want to hear about success.  Keep in mind that anyone you speak to in this group, no matter how highly placed, has to report to someone too.  Their burden for delivering success is in an arena of stress that is likely greater than yours. 

 

In order for you to succeed, you must align your resources and methods so that you deliver consistent success to this group.  If you’re escalating problems to the WorkFors, you have not done your job effectively at the WorkWith and WorkOn levels.  You have not established your sanctions, sponsorships, and you likely have failed to make the sale (in terms of cooperation, teamplay, etc.).  Perhaps you’ve exceeded the limits of your lead.  Remember this:  If you start to sense yourself as tipping toward a “problem reporting” stance when engaging with the WorkFors, as opposed to a “success reporting” and summary style of communication, you must make immediate adjustment.  A qualified exception is your interaction with your direct supervision.  Here, you’ll iron out problems and strategies.  But even here, you must present solutions – you must have a positive answer for moving business forward. 

 

As you may suspect, TechnoShines can be rare in this group.  There is an overwhelming majority of TechnoFinds here, and a sizable proportion of TechnoBinds.  The heavy proportion of TechnoFinds in this group works to an IT leader’s advantage, and also to any Business manager when interacting and discussing the Weave.  That’s because WorkFors rely on your knowledge and the strength of your position to pilot the organization into the future.  Once you’ve established a sound reputation with this group based on solid performance and trust, you should find very rewarding relationships.

 

It should be a rare situation where you go to this group to lobby for relief – but if you feel you must, or if you have a special relationship at this level whereby someone specifically wants to be kept apprised in a more detailed fashion than is usual, you must yet remember your audience.  Keep things very focused, very positive (even when reporting problems), and make certain you pose valid solutions to problems in a positive way.  Your reputation should be such that you are seen as the facilitator to progress.  Nothing is personal, everything is business.  It matters not how some others engage – this is your engagement, and it will enhance your reputation and your credibility. 

  

Those that facilitate progress will ultimately rise to the top, regardless of temporary setbacks or small, inconsequential battles lost.  Keep that larger picture in mind when talking to the big-picture people.


May 27, 2010  8:02 AM

TechnoShines, TechnoFinds and TechnoBinds



Posted by: David Scott
business management, eCulture, HR, IT Wars, the business-technology weave

   

You will find three kinds of people in the WorkWith group.  (Indeed this next examination of people in the Weave can be applied with equal vigor to WorkOns, WorkWiths, and WorkFors.  But there is the most significant representation and impact inside the WorkWith group). 

 

The three kinds of WorkWiths are: 

 

     1) TechnoShines:  Those who like technology, embrace it and look for ways to leverage it.  These people partner well with IT.  They go out of their way to cultivate good relations with the IT staff.  They appear happy, well adjusted, participatory, and understand technology quite well – therefore, they use technology very well.  They are generally pleasurable to work with for these reasons. 

 

     2) TechnoFinds:  There is then that kind of person who is ambivalent about technology.  The “just show me what to do” types.  Give them a computer, keep it running, and you won’t hear too much from them.  They go with the flow.  They “find” that there’s a change coming, and roll with it.  We can think of them as having a sort of benign “whatever” attitude, and they deal with whatever comes down the pike.  These folks can’t be counted on for any groundbreaking suggestions, but they are generally positive – at their worst they won’t actively inhibit progress.  As they find that they’re in a Business-Technology Weave, they can be counted on to do what is necessary. 

 

     3) TechnoBinds:  The third kind of person is someone who seems unable to appreciate technology.  They may view it as a necessary evil – and worse for them, it is constantly evolving.  I hesitate to use the word techno-phobe here, although there are those.  But most of the people we’re considering in this category are able to use technology, and many very effectively. We know that within the Weave they pose a problem because they generally don’t treat IT matters well, and they don’t treat the people in IT very well.  Whether through extreme criticism or negative attitude, at best they slow progress and at worst they may halt it; they bind things up. 

 

Having defined these folks, let’s examine them closer.  It should be easy to slot the WorkWiths in your organization into one of these three groups.  Recognizing them and their corresponding behavior helps to work with them as effectively as possible. 

 

TechnoShines, TechnoFinds, and TechnoBinds in Detail

 

The TechnoShine:  The TechnoShine is a satisfying, even fun, person to work with.  Don’t underestimate the power of fun.  People are going to be a whole lot more creative, resistant to negative effects of stress, and much more productive if they feel they’re having fun and working with fun people.  This person is always looking for “the better way” and is enthusiastic regarding improvements – thus they bring enthusiasm and energy to change.  They work well with others, in and out of their department, and this carries over into their appreciation for what others do.  So how do we manage this WorkWith person?  What is the leverage in maximizing this person’s potential, contribution, and influence?

 

This person is an obvious candidate for the BIT team.  They will not only represent their department well, but they’ll have an overall appreciation for the organization’s business.  This kind of person tends to build time in an organization.  They’re well connected politically.  They don’t “job hop.”  They have important institutional knowledge.  They give credit where credit is due.  They will make suggestions regarding best-practice with appreciation for how it will affect, and enhance, other departments.  In fact, they make suggestions regarding other departments in a way that is not intrusive, but helpful and acceptable.  They also accept suggestions and criticisms very well. 

 

In addition to soliciting this kind of person’s participation on the BIT team, you can employ them to serve as a liaison.  Often they’ll become an informal liaison between their department and IT anyway.  However, the IT leader should push this kind of arrangement.  During large-scale implementations, someone in each business department needs to take the lead anyway in collecting business requirements and helping to translate those into effective solutions.  No less important, the TechnoShine can help buffer IT from some of the more difficult people in their area.  TechnoShines by nature are informal sponsors for initiatives, and IT in general, by virtue of their positivity.

 

TechnoShines are necessary to BIT endeavors.  However, don’t load the BIT team with TechnoShines to the exclusion of other valuable people who may not rise to this level.  You will have to have representation by virtue of position and influence, as well as ability. 

 

The TechnoFind:  The TechnoFind is a person who adjusts to the temperature around them.  They “find” that technology is permeating everything.  It is an increasing influence on the part of their daily lives, both in the professional environment and the personal arena.  They adjust. 

 

TechnoFinds do what is necessary, and little more.  They don’t like sticking their necks out.  Therefore they don’t make waves – which in itself can be valued in many circumstances.  They’re safe and practical people – they avoid risk.  So, how can we leverage this kind of person?  Should we merely be satisfied that they, at least, won’t “muck things up?” 

 

Actually, this kind of person is very useful.  TechnoFinds tend to be very honest about system performances and deliverables.  They are not idle complainers, therefore a criticism usually has value.  Nor do they “inflate” technology’s contribution.  They don’t seek to hang every bell and whistle on a system to the point of a diminished return.  Theirs is usually a very balanced, informed opinion.  They want to know how to get their job done – they’re not fooled by the “sizzle” and want the steak.  Most of the people in any organization will be TechnoFinds – therefore, you must satisfy this important majority.  This person is invaluable for feedback – how’s the new software performing?  How is your remote-access working?  Are you satisfied with HelpDesk support?  Since TechnoFinds will likely make up the majority of an organization’s staff, surveying them and exercising improvements in service to them is a winning combination.

 

But don’t look to this kind of person for a leadership role.  You don’t want to select this person to oversee their department’s implementation of a business software application module, for example – unless there is no other choice.  This person may or may not be a good choice for participation on the BIT team.  Remember, the BIT team’s seats are valuable.  The people who occupy them should be those who are informed enough to contribute, who desire to contribute, and who have the institutional knowledge and the good judgment to occupy one of these important seats.  A TechnoFind person simply may not qualify. 

 

However, in an instance where you must have a department’s representation on BIT, and the department is populated by TechnoFinds, you must choose the best person by virtue of position and influence.  Too, a TechnoFind may outclass certain TechnoShines by virtue of deep business-knowledge and sheer know-how in other areas.  Choose that person who best meets the diverse qualifications necessary to moving business forward.

 

We can’t afford to imply here that TechnoFinds are unlikely to make a contribution or deliver anything of value in contributing to the Weave’s momentum.  For example, solicit this person’s contribution when conducting requirements-analysis.  For the reasons stated above, this person will know the practical side for getting work done, and will be very matter of fact about what a new system needs to do.  They’ll have high expectations in meeting and beating what the old system did, as you can usually rely on them for the pragmatic view. 

 

The TechnoBind:  Uh-oh.  The time has come to discuss that kind of person that we’d all rather avoid, but that we must, alas, deal with.  We must try to discuss TechnoBinds in keeping with the overall positive tone of our discussions, but there are some simple realities that we need to examine if we hope to overcome the obstacles that TechnoBinds can impose.  Let’s define the TechnoBind in plain language – then we’ll discuss methods to blunt their influence, and where possible to neutralize them.  We’ll also note that TechnoBinds are frequently correct, and can contribute on occasion.  However, it is necessary here to recognize their contribution to inefficiency.  We’ll need to know how to identify them, and how to best handle them.

 

TechnoBinds can be very negative people – and frequently are complainers.  Therefore, when they’re in a Business-Technology Weave, IT represents a fat target.  So, too, does work in general.  Because TechnoBinds aren’t interested in acclimating and moving forward at an efficient pace, they contribute to their own, self-reinforcing, “complaint-ready” environment.  Be aware that TechnoBinds are a counter-productive influence on everything they come into contact with: their department, group projects, others’ attitudes, and so on.  They may not drive things backward, necessarily, but they create enough of a drag on events that they s-l-o-w things significantly, if not carefully managed.

 

Next and last in this series:  We’ll look at the WorkFor group – those folks we report to.


May 22, 2010  1:01 PM

The WorkWith: Squeezed in the Middle



Posted by: David Scott
business management, human resources, IT Wars, people management, workons, workwiths and workfors

As planned, let’s return to our discussion as originally begun on May 7th, Managing People in the Weave.  As necessary, review that post and its follow-ons regarding WorkOns, WorkWiths and WorkFors.

I think we all believe that IT professionals have unique challenges within support and betterment of business.  In understanding all of the people around us, we can come to better interactions.  Better interactions will yield success, promotion and achievement of your career goals – in addition to furtherance of business’s aims and success – no small thing!

Let’s pick up our discussion by examining the class of employee I call the “WorkWith.”  Remember, this second group is IT’s fellow managers and business staff – co-workers with whom IT has no direct formal control from a management standpoint.  They also comprise middle managers, controllers of business process, and are neither too senior nor too junior.

The WorkWith group helps to select and plan the future courses of business.  Many WorkWiths will be on the Business Implementation Team (BIT – see post of Mar. 8).  Here there can be a compounding of risk for change in behavior.  This is because (as with WorkOns) WorkWiths are frequently required to assume greater responsibilities within the scope of their present responsibilities – but the compounding factor is that they also have to manage and direct change.  This group is especially active in the preservation of order amid change, and the preservation of change amid order.  In planning and managing change, those involved have to stick their necks out.  Simultaneously, they have to cover the bases.  WorkWiths have to deal with consequences and are on the hook to report what’s going on and why.  They have to answer for things.

Too, the WorkWiths are likely in the middle – situated between the WorkOns and the WorkFors.  There is a special challenge to this group, because they’re not only communicating within the Weave – speaking with special care to Business and Technology – but they also have to communicate up and down the organizational hierarchy.  Theirs is a special balance.  For IT, let’s examine how this person may appear to you when changing groups.

 

Essentially, any WorkWith shifts and becomes someone you WorkFor when you’re dealing with him or her as a customer (as does anyone, in any group, for that matter).  Whether you’re updating the WorkWith’s department’s PCs, implementing new software solutions, or addressing general support concerns, you’re working for this person and you have to provide service to their satisfaction.  In these cases, the WorkWith can become demanding, even unreasonable, as the power tilts their way.  They have to get the job done and you have to deliver.  In this case, it helps to understand the pressures a particular WorkWith may be under.    

 

Next, we’ll examine three kinds of WorkWiths (TechnoShines, TechnoFinds and TechnoBinds) before wrapping up with WorkFors.

 


May 20, 2010  1:55 PM

Insecurity, Part III: A State Agency’s Data “Security” Posture



Posted by: David Scott
acceptable use, business policy, business risk, business security, data breach, data exposure, data security, data theft, IT policy, IT security, IT Wars, malware, the business-technology weave

[As necessary, please see the first article and Part II in this series]

Perhaps one of the most egregious problems facing the agency is network performance and security.  The workstations frequently lose their wireless connection to the server, and internet access drops.  Work is frequently lost – sometimes a lot of work:  clients can lose most of an online application; they can lose a resume they’re creating; they can lose letters; they can lose access to search windows with important job leads – the list can go on.

The wireless network is unsecured.  Anyone can hop on from inside or outside the building.  Yet, clients are advised that no hardware, such as laptops or thumb drives, is allowed in the room.  Are there violations?  Yes.  Is there any policy or other formal means, perhaps periodic announcements, indicating any sort of acceptable use for the room and its resources?  No – there is no Acceptable Use Policy.  Frequently, thumbs are found sticking out of the front of PCs… forgotten by clients.  It’s quite a potential for malware.

There are no regularized trainings or meetings of staff.  There is nothing to establish staff’s currency for the present business-technology environment, nor for coming and quickening future challenges.

Worse:  IT Governance, from the titular authority at the agency, on down through various department heads and managers, has an almost adversarial relationship with best practices – even common practices.  Disciplines and methods that have been around for decades – well-established and vetted practices – that serve in a critical capacity to the weave of business and technology are either poorly understood, or held in abeyance through ignorance.  And that, happily, is where I come in:  I’m in a capacity to advise, negotiate, and institute some best-practice disciplines that are long overdue and sorely needed.

But there’s nothing new here:  I’ve seen similar environments.  We all know they’re out there.  Many of you labor in them.  I would be very interested in hearing your story.  A note of caution:  I DO NOT want to know the name of your company or agency, and please do not share details that might expose your job security.  My entire thrust here is to make jobs safer, environments more secure, and to bring efficiency and accountability to security.

At the agency I presently counsel, I present assessments for solutions, with an evaluation of risk versus both cost of securing an area or issue, and cost of a potential bad outcome (such as breach, outage, exposure).  If Business – IT governance – turns down a proposed solution… if they minimize an assessment of genuine risk… they sign a statement indicating they’ve been advised of a particular situation, and present their view of it.  This is a meritorious way of protecting yourself while documenting known conditions – and a business’s decision to either make a change or dismiss a change as unnecessary or inadvisable.

If you’d like, please comment in the Comments section:  Perhaps I can advise and help.  I am always interested in the course of challenges within IT’s support to Business.


May 16, 2010  10:07 AM

Insecurity, Part II: A State Agency’s Data “Security” Posture



Posted by: David Scott
acceptable use, business security, content management, data breach, data theft, ID theft, IT security, IT Wars, security policy, the business-technology weave

 

Continuing with our exposure of services and associated liabilities from the other day: 

After a resume and any cover letters are crafted, they are e-mailed to the client’s personal e-mail account.  This is so they can maintain their own resume and letters and get access to them elsewhere:  Public library, home, etc.  This has led to a couple of problems.  Frequently, clients have no e-mail account.  Many of the clients are blue collar workers who have no computer experience or skills; it’s been quite eye-opening.  In these cases, the Center creates a Yahoo e-mail account for the client.

Many clients forget their e-mail passwords, and even their account ID.  So, the Center has these little business-sized cards, with the agency’s name proud and centered, and a line for e-mail ID, and a line for password.  Do any of these cards get lost?  You bet.  It’s rather confounding that, in 2010, modern system and data security measures have long held that you should NEVER write passwords down – and even login IDs should be protected, in my opinion.  Pairing the two on a card, with an e-mail account that contains a trove of personal information, and formalizing the process with the production of agency-approved cards (with agency name!), is bad practice on steroids.  And… we’re just getting started.

Nearly all clients return to the Resource Room on a regular basis:  To perform online job searches, to apply for jobs online, to tweak resumes, to write more cover letters.  Sometimes a returning client’s resume is unavailable – either through a lost e-mail account or the fact that a resume was never sent to an account – sometimes the client ends up with a folder of hardcopy resumes and somehow the electronic version didn’t make it to e-mail.  In these circumstances, which are all too frequent, there manifests a need to get the resume from a “resume bank” – this is a network drive that is unavailable for access in the Resource Room – even by the people staffing the room.

Up until April, the drill was to go to another room (a classroom with an open door) containing a physically unsecured fileserver.  A resume for retrieval was put on a thumb drive – that thumb then taken into the Resource Center and plugged into the client’s workstation, and resume transferred to that PC’s Desktop.  Can you guess what had been happening?

An estimate by staff members is that over a hundred thumb drives have gone missing – “lost” – with all sorts of client data.  I myself observed various “transfer thumbs” with a dozen or more records each.  It is conceivable that over 1200 records have been breached.  One staff member said that “perhaps hundreds” of thumbs had been lost.

It was only upon my mention of this security problem that the practice was stopped.  The procedure now is to e-mail the resume from the “bank” to the client’s e-mail account, and then to access the client’s e-mail, and thus resume, out in the Resource Center.  Why a mapped drive to the resume bank, with simple authentication, isn’t available to staff in the Resource Center is a total mystery.

Incredibly, upon my initial entrée, there existed no User’s Manual.  Upon initial contact with the Center clients must:

1)  Create a system identity and login credentials;

2)  Create (or have) an e-mail account;

3)  Access ResumeMaker and build a resume;

4)  Convert the resume from the native ResumeMaker format to MS-Word;

5)  Access various online jobsites – the primary being the state-run jobsite; and

6)  Logout properly – to include a complete Shutdown – to scrub any work from the PC workstation they were using.

The lack of documentation, a simple user’s manual, meant that even savvy people needed a hand-hold through the process.  I was able to produce a very robust manual in an afternoon’s time – and am happy to say that many people use it.  This frequently frees staff so that they can help those who most need it.  Further, the last part of the manual is perhaps the most important:  The Logout procedure…

The Logout remains an incredible breach situation at this Resource Center – it is an ongoing liability now.  Upon login, a small window on the PC (which gets minimized on the Taskbar) indicates who is logged on to that PC.  A gray bar in the window states “I am finished using this computer – sign me out.”  All clients click that when leaving – the screen goes to a login state.  HOWEVER – the desktop and other data storage areas of the PC are not yet scrubbed!  The PC must be completely shut down:  Only achievable in this environment by hitting a Microsoft “Flag” key on the keyboard, and then clicking “Turn Off” above the Start button, and a subsequent “Turn Off” option in a popup box.

This Shutdown procedure was completely undocumented.  Further, and particularly when the room is busy, clients aren’t told to completely shut down their session by ensuring the computer is off – nor are they aware of the potential for their data’s breach.
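The gap described above is that “sign me out” returns the PC to a login screen without scrubbing the Desktop and other storage areas.  The following is an added example, not the agency’s own script, of a logoff script for a shared Resource Room workstation that removes whatever a client left behind and records a count of it so staff can see how often the logout drill is failing.  It assumes a Windows version with PowerShell and a Group Policy logoff script assigned to the shared client account; the folder list and the log path are assumptions.

```powershell
# Added example, not the agency's own script: a logoff script for the
# shared Resource Room workstations so that "sign me out" leaves no
# client data behind. Assumed deployment: assigned as a Group Policy
# logoff script for the shared client account (the log path and the
# list of folders are assumptions, not taken from the post).

$LogPath = 'C:\ProgramData\ResourceRoom\logoff.log'   # assumed location

# Folders where a client's resume, cover letters and downloads end up.
$Targets = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('MyDocuments')
    (Join-Path $env:USERPROFILE 'Downloads')
    [Environment]::GetFolderPath('Recent')
    $env:TEMP
)

$LeftBehind = 0
foreach ($Dir in $Targets) {
    if (-not (Test-Path -LiteralPath $Dir)) { continue }
    $Items = Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue
    # Count what the client left behind before removing it: the count is
    # the signal that tells staff the logout procedure is not being followed.
    $LeftBehind += ($Items | Measure-Object).Count
    $Items | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# Record each logoff so staff can review how often data was left on the PC.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$Line = '{0} {1} {2} items scrubbed at logoff' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $LeftBehind
Add-Content -LiteralPath $LogPath -Value $Line
```

A non-zero count on most logoffs means the client-facing instructions, not just the script, need attention; the script is a backstop, not a replacement for the documented Logout procedure.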

Next:  Part III – No documentation, no policies, no security training/meetings, no wireless security.  A culture with an almost adversarial posture regarding best practices and best progressions; no maintenance of a responsible forward edge for a secured environment.  AND –  what we’re gonna do about it.


May 15, 2010  9:20 AM

Insecurity: A State Agency’s Data “Security” Posture



Posted by: David Scott
acceptable use, business security, content management, data breach, data theft, IT security, IT Wars, security policy, the business-technology weave

 

I’ve been doing a little work for a big State agency.  By “big,” I mean big budget, large number of citizen-clients served, lots of personnel records, and – as in all big environments – lots of potential for harm absent strong controls.  What sort of harm are we talking about?  Data breach:  With exposure of names, addresses, work histories, and even arrest records and information about children and spouses…  occasionally, SSNs are part of these data sets.

And in fact, the potential of harm turned into actuality:  A large breach has happened – and has gone totally unreported in the news or to any of the agency’s oversight authorities.  Stunning is the fact that for months a breach situation was ongoing, known, and no steps were taken to stop the ongoing loss of data:  Sort of a slow-motion, high volume, leak of data.  Wow.

For this reason, the agency and State shall remain anonymous.  I’m confident that I can provide a reasonable guarantee of anonymity being that I’ve contracted at a number of facilities.  However, even if the agency comes to light, exposure would be a good thing:  It would likely accelerate critical fixes to systems, practices, and policies.  I am at present wrestling with making my concerns known to a higher level of State Government; I must assess IT governance’s understanding of peril and their associated sincerity in securing the environment ASAP – and the speed and quality of changes in delivering security – vis-à-vis client risk for identity theft or just exposure of sensitive, perhaps embarrassing, information.

In the course of my work, I’ve stumbled upon some egregious security problems.  These aren’t gnarly, difficult-to-see, expensive-to-fix liabilities.  These are obvious problems involving:  poor practice; lack of policy and documentation; and lack of training and awareness.  Through my involvement many of these liabilities have been taken care of.  Let’s review a few –

The agency has a large Resource Room at the front with about 30 PC workstations.  These are provided for clients and job-search activities.  That is, taxpayer-citizens who are generally unemployed or perhaps facing layoff.  Many of these clients are blue collar folks with little or no PC experience – many do not have computers at home, or they may lack internet access, or lack appropriate software and skills in producing a resume and related documentation in applying and competing for jobs.  There’s a rather nice proprietary application called ResumeMaker that does a good job in walking clients through documenting their education, job history, and the other necessary information in building a nice looking, comprehensive, resume.  Not only are computers and broadband available, there is help in the form of staff who help craft resumes and cover letters, help with uploads of same to online job openings, and who even do the typing for some clients.

The first thing I noticed was that in creating a login profile for access to the computers, clients were advised (onscreen) to use the last four digits of their Social Security Number and the last two digits of their Birth Year.  Further, upon subsequent logins to the system, this six digit login ID was not masked – the numbers were exposed in the login field, until the client clicked “OK.”  Of course, any client looking over another client’s shoulder, knowing full well the context and content of each ID, would be able to glean the last four of the SSN and the last two of the birth year.  Wouldn’t you know?  When I call Verizon, my mobile phone provider, the exact vetting info they ask for is the last four of my SSN and the year I was born.  I’m sure other examples are out there.  This login field is now masked, thanks to your humble blogger and his elevation of this breach potential.  But this pales in comparison to the rest of what I’m going to tell you – most of which remains to be fixed.  Over the next few posts I’m going to report exactly what I’m going to do in the face of a very poorly maintained environment.  I’d also like to solicit Comments for things you’ve seen out there.

Upcoming in the next post:  Data breach (client records); wireless insecurity; network outages with lost work/data; unregulated environment…  leading to…?  Stay tuned…


May 13, 2010  6:13 AM

You Say “Business Security,” I Say “IT Security”…



Posted by: David Scott
business management, business security, data breach, data privacy, identity breach, identity theft, IT security, IT Wars, organizational security, the business-technology weave

 

You say To-MAY-to, I say To-MAH-to…  one thing’s for certain:  When it comes to organizational security we cannot call the whole thing off.  Today, any business that has a single computer has an interwoven Business-IT security challenge.

I was speaking with a colleague who works in Washington, DC last evening.  We were talking about the interwoven (mutually reinforcing, mutually vulnerable) security means, methods and practices in the business-technology realm – the Weave.

Amazingly, his Fortune 500® company deals with clients who mount discussions and attempt whole solutions with virtually NO security considerations.  None, that is, until the client is brought back on balance by my friend’s company’s project managers and allied teams.  Unfortunately, there are other solutions providers in the mix and often his company has to deal with security considerations across a broad range of other “solutions,” associated providers, and competing lines of authority.

Consider this:  Almost any discipline in the physical world considers security up front.  Adding a room to your house?  The strength of the materials necessary has long been established – but beyond that, you or your contractor will consider how the room attaches to the existing structure; the floor will be sound, as will the walls, extended roof… etc.  Adding a deck?  The first consideration?… 

The size, number and strength of the supports holding the deck up.   The size of the deck will yield the potential capacity of people, therefore pointing to the size, strength and number of the supports.  You are securing the people’s safety who will be standing on that deck – before you even start to build. 

In any circumstance, there must be a virtual “security prism” through which every activity and construct is viewed.  The same goes for today’s IT-Business solutions:  Security must be Job One.  And yet, security lags and is often a sidebar consideration – or overlooked entirely.

It’s not difficult to find a great example – one that potentially touches us all.  According to a study by the Ponemon Institute (sponsored by Compuware), most banks are lacking critical data, privacy and security controls.  I picked banking because that should hit home – we likely all have bank accounts, and some measure of money and associated personal data associated with them, and we’d like to think those things protected and secure!  But…

Even though the survey found that 76% of organizations have a data protection plan, only 47% of those same organizations review new software apps and databases for privacy concerns and compliance with the law prior to placing them in operation.  If that were the case 30, 20, maybe even 10 years ago, that would be one thing.  Today, it is stunning.

The survey also found that over 83% of financial service companies use live information, such as customer and employee data, for developing and testing.  More than half of these companies admit a lack of appropriate protections for real data in these circumstances.

What about vetting business partners when sending data to third parties regarding customers, employees and others?  Only 49% review these partners – and the same percentage lack even a standard contract for ensuring privacy protections of that data.

In the agencies I counsel and contract with, I hammer home the points: 

1)  Everyone in the organization must be a mini-Security Officer, and –

2)  They must view every action, project, implementation, business and IT change, through a virtual Security Prism.

Tomorrow:  What I uncovered at a State agency concerning personal privacy and data (the State and agency will have to remain nameless, but just wait until you hear this…)

