Human Resources archives - IT Compliance Advisor


Jun 23 2009   7:16PM GMT

Booz Allen wins Open Enterprise Award for collaborative environment



Posted by: Alexander Howard
Booz Allen Hamilton, Human resources, Social Enterprise, PeopleSoft, business, European Union, Intranet, open enterprise, collaborative environment, Enterprise 2.0, E20

Booz Allen Hamilton won the Open Enterprise Award for 2009 at the Enterprise 2.0 Conference in Boston today for its innovative internal collaborative environment. The Open Enterprise research project, led by Stowe Boyd and Oliver Marks, conferred the award on a company that was “truly transforming their organization at its core through deep, enterprise-wide adoption.” Walton Smith, a senior associate at the Virginia-based consulting firm, presented “hello.bah.com” to the crowd.

[Image: Walton Smith at Enterprise 2.0]

Smith described how Hello was built around people, focusing on connecting associates to each other and activity streams to profiles. According to Smith, more than 40% of the firm has added content to the system, rapidly forming connections with one another. Booz Allen Hamilton used agile development to create their Enterprise 2.0 platform, a methodology that now allows the team to roll out a new function every two weeks. Smith said that “functionality is driven by the users.” One upcoming feature, for instance, will allow users to rank and rate the quality of content entered into the system.

One initial roadblock that Smith noted was human resources, which viewed itself as the “official source” of data. In fact, the new intranet allowed employees to clean up bad data that HR had entered into PeopleSoft on the back end.

When asked about security and compliance concerns – critical to a consulting firm that deals with government data or works with corporations with sensitive intellectual property – Smith noted several aspects of the system that are designed to prevent data leaks. First, only Booz Allen employees are allowed on Hello – not contractors. Second, data that comes under regulatory compliance actually resides in SharePoint, which Booz Allen uses for document-based collaboration for restricted content. Users can link to content from blogs, Confluence wikis or other pages but are confronted with an access control layer. Within the restricted environment, familiar compliance tools used in knowledge management are employed, like access management, monitoring and logging.

Smith is aware of the possibilities for a data breach, noting that “our weakest link is our people – we spend a lot of time making sure they know which tools to use.” He’s also cognizant of potential regional compliance issues, such as European Union laws that require that employees must opt-in to share information like pictures or work history with others.

The creators of Hello had also thought through employee departures. Smith allowed that departures weren’t “so much of an issue, given the economy,” but that there is a process in place. When someone moves on, a banner is added to the top of his or her profile page indicating the departure. That person won’t show up in the dropdown menu, which only includes active employees for searchers, but the profile page itself, including connections and intellectual property created for Booz Allen, remains.


May 4 2009   1:27PM GMT

Prepare for compliance auditors: Tighten access control



Posted by: Sarah Cortes
Access control, compliance, auditors, operations, Security, Computer security, Human resources, Operations management
[Image: The US Open, via Wikipedia]

You’re a busy IT operations manager. You run a tight ship, including security operations. But are some of your basic controls as consistent as you think?

It’s worth figuring that out before the compliance auditors arrive — or ahead of an ugly security breach that lands your company in the headlines and compromises your clients or your company’s future.

Terminating access includes more challenges and complexities than you might assume for this seemingly simple task. It’s one of your control basics, like the fundamentals for a stroke in your squash or tennis game. Are your compliance fundamentals solid?

For basic access control, you depend on HR to provide lists of terminated employees. If their information is not complete, accurate or timely, will people say, “HR has a hole in security?” Or will it reflect squarely on you?

You probably already know the answer to that question! So help them out: review their workflow and report preparation procedures and capabilities.

When you take a closer look at that HR report, check to see if it includes three commonly overlooked categories: consultants, part-time workers or employees transferred but not terminated.

Without these, you cannot do your job properly. And sooner or later, a breach will develop from one of these categories that can put your whole company at risk.

That’s not the only gap you need to review, unfortunately, as HR often overlooks two other reports: all terminated employees (prior 12 months) and off-cycle terminations.

So HR does terminations Wednesday morning to catch people by surprise. What about the one they did over the weekend because the person was on vacation? If someone is terminated on Friday night at 6 p.m., your staff will likely not get a report about this until Monday evening at the earliest, and more likely not until Thursday, when the regular weekly report comes in.

Sure, security operations staff terminates access every day in a large organization. But have you double-checked that no one fell through the cracks? Your staff, after all, are human. It’s easy to skip a line or overlook a report. Unless you are running this reconciliation regularly, you may be in for some surprises.
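The reconciliation the post is asking for can be run as a script rather than by eye. The example below is added here and is not part of the original post or any vendor tool: it takes an HR event list that deliberately includes the categories the post says get overlooked (consultants, part-time workers, transfers, off-cycle and older terminations) and compares it against the accounts that are still enabled. The data structures, the Wednesday-morning batch window and all names and ids are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: ids, usernames and dates are placeholders,
# not real people or systems.


@dataclass(frozen=True)
class HrEvent:
    person_id: str
    worker_type: str      # "employee", "consultant" or "part-time"
    event: str            # "terminated" or "transferred"
    effective: datetime   # when HR says the change took effect


@dataclass(frozen=True)
class Account:
    username: str
    person_id: str
    enabled: bool


# Assumed policy: HR's regular batch is Wednesday morning (Monday == 0).
BATCH_WEEKDAY = 2
BATCH_END_HOUR = 12        # after noon, or any other day, counts as off-cycle
WEEKLY_REPORT_DAYS = 7     # anything older would not be on this week's report


def is_off_cycle(effective: datetime) -> bool:
    """True when the termination did not happen in the regular batch window."""
    return not (effective.weekday() == BATCH_WEEKDAY
                and effective.hour < BATCH_END_HOUR)


def reconcile(hr_events, accounts, as_of):
    """Return one finding per still-enabled account whose owner HR says left or moved.

    Terminations produce a 'disable' action; transfers produce a 'review'
    action, since the person still works here but may need different access.
    """
    accounts_by_person = {}
    for acct in accounts:
        accounts_by_person.setdefault(acct.person_id, []).append(acct)

    findings = []
    for ev in hr_events:
        if ev.effective > as_of:
            continue  # future-dated change, not actionable yet
        for acct in accounts_by_person.get(ev.person_id, []):
            if not acct.enabled:
                continue  # already handled by operations staff
            reasons = [ev.event]
            if ev.worker_type != "employee":
                reasons.append(ev.worker_type)          # consultant / part-time
            if is_off_cycle(ev.effective):
                reasons.append("off-cycle")
            if as_of - ev.effective > timedelta(days=WEEKLY_REPORT_DAYS):
                reasons.append("older than this week's report")
            findings.append({
                "username": acct.username,
                "person_id": ev.person_id,
                "action": "disable" if ev.event == "terminated" else "review",
                "reasons": reasons,
            })
    return findings


def sample_events():
    """Constructed HR data for the week before Monday 2009-05-04."""
    return [
        HrEvent("p001", "employee",   "terminated",  datetime(2009, 4, 29, 9, 0)),   # regular batch
        HrEvent("p002", "consultant", "terminated",  datetime(2009, 4, 29, 9, 30)),  # consultant
        HrEvent("p003", "employee",   "terminated",  datetime(2009, 5, 1, 18, 0)),   # Friday 6 p.m.
        HrEvent("p004", "employee",   "transferred", datetime(2009, 4, 29, 10, 0)),  # moved, not gone
        HrEvent("p005", "employee",   "terminated",  datetime(2009, 1, 14, 9, 0)),   # months ago
        HrEvent("p006", "part-time",  "terminated",  datetime(2009, 4, 29, 11, 0)),  # part-time
    ]


def sample_accounts():
    """Constructed account export; only p001 has actually been disabled."""
    return [
        Account("jdoe",     "p001", enabled=False),
        Account("consult1", "p002", enabled=True),
        Account("fri",      "p003", enabled=True),
        Account("xfer",     "p004", enabled=True),
        Account("old",      "p005", enabled=True),
        Account("pt",       "p006", enabled=True),
        Account("stillhere", "p007", enabled=True),   # no HR event: should stay quiet
    ]


def run_sample():
    return reconcile(sample_events(), sample_accounts(), datetime(2009, 5, 4, 13, 0))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['action']:7} {f['username']:10} {', '.join(f['reasons'])}")
```

Running it lists five accounts, one for each overlooked category, and says nothing about the account that was correctly disabled or the employee with no HR event. In practice the two inputs would be the HR system export and a directory or identity-provider export; the value of the script is that it is run on a schedule, not only when the weekly report happens to arrive.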

Surprise yourself and find these mistakes independently, rather than letting the compliance auditors find them.

Believe me, they will.

Take care of these complexities, and your compliance “game fundamentals” will be tight for the big match when the auditors come around to play.
