Thursday, November 29, 2012

It’s Q4, is your house in order?

4th Quarter always seems to be the busiest quarter of the year; add in elections and you have a quarter fraught with disruptions. For CIOs and IT Directors, it's the inevitable question – "did my team contribute to the success of the company this year?" There should be metrics readily available to answer this question one way or the other. Hopefully, the question isn't, "Did my team's dysfunctions take away from the stability of the company this year?" If so, there are bigger issues that probably can't be resolved by (successful) strategy meetings with the business before the end of the year.

I'm sure there are some who are thinking, it's December 1, what can you possibly accomplish in 30 days? Actually, plan on 19 work days. Many of those days for IT employees will mean catching up on vacation time that you couldn't take at any other time during the year. But, let's take a stab at making that timeline productive. The chances are good that more of the business is taking vacation, so, overall, the office should be quieter than the norm.

Day 19 – Pull in your management team or leads and review with them what the purpose of the strategy meetings is going to be – to determine how to provide excellent IT services in a manner that supports the business.

Days 18-14 – Prep for meetings with the business

  • Review year-to-date outages
    • Do you have the metrics necessary to segregate the outages by function and reason?
      • If not, you need to create an independent Incident Management team
    • Have the issues that caused the outages been worked through?
      • If not, you need to establish a stronger root cause analysis protocol and create an independent Incident Management team to manage those types of incidents
    • Have either quick fixes or permanent solutions been implemented?
      • If not, you need to create an independent Incident Management team to manage that process

Note the recurring theme. If sufficient focus is not being given to understanding, shortening and preventing outages, you have zero credibility with the business. Not a good place for a CIO or IT Director to be in.

  • Review incident and problem ticket totals
    • Do you have the metrics necessary to segregate the incidents by business unit, infrastructure component and application?
    • Are issues being resolved within the established Service Level Agreements (SLAs)?
    • Are customers complaining?
    • Does someone in IT have regular meetings with the business to go over problem tickets? If not, why not?
      • An IT team that has regular meetings with the business to HEAR their issues is an informed team.
        • The takeaways from those meetings should be ACTIONABLE. Otherwise, the business will become impatient. The purpose of the meetings should be clearly understood – you tell us what's wrong, we'll present you with solutions.
        • If the complaints are too ambivalent, meet with management to get to the bottom of the ambivalence.
      • The business needs to feel that they are heard or they will stop listening to the IT team and go elsewhere.
  • Review IT spend
    • Where did you spend money this year?
      • This should be fresh in everyone's minds as the 2013 budget planning sessions should have been completed just months before.
      • Money follows problems, so if the money you are spending or planning to spend is NOT being used to a) understand, shorten and prevent outages and b) correct problem and incident ticket issues – you may have a disconnect that needs to be resolved.
      • Are you spending sufficiently to hire and train IT staff? Are you offering CBT and online training courses? Are you ensuring they have sufficient time within the workday to keep up with evolving technology?
      • Are you providing your IT team the tools they need to efficiently do their jobs in a timely fashion?
    • Are you planning more spend to support or grow your business?
      • Does that coincide with the business leaders' goals?

Now that you have this information at hand, you can begin strategy meetings with the business. Better late than not at all. The best scenario here is for you to already have regular strategy meetings with the business and you can simply review where you and they are and what you can do to make the coming year better for both teams.

Days 13, 11, 9, 7 – Meet with the business

Days 12, 10, 8 and 6 – Meet as a team to review the information provided by the business and brainstorm resolutions. Include as many of your IT team members as you can. They need to feel engaged and part of the solutions. While it may slow the process a bit, you need to embrace the craziness that is your team. The brightest IT people are not always managers or leads. Make the situation work for your whole team. If staffing is an issue, rotate the IT team members that can attend in and out.

[Separately, the CIO or IT Director should provide feedback to the business on what was heard. This may or may not match up with what the business meant. BE SURE.]

  • No idea should be thrown off the table
  • All ideas should be assigned to someone other than the person proposing them to look at pros and cons
  • This should be a collaborative effort, but since the person proposing an idea has "game" in the solution, the review has to be handled by others if you want this to be a fair collaborative effort.
  • Part of this process should be comparing the results of your prep meetings with the responses from the business and where each business issue fits.
    • If there is not a direct correlation, in theory, there should be. Investigate. It is your job to support the business.
    • You won't be effective in the business' eyes if your goals don't coincide with and support the business's focus.
  • Invite trusted vendor partners to review your feedback. Ask what they are seeing in the industry.
  • Meet with peers to ask what they are doing in problem areas.

Day 5 – Meet with Managers and Leads again to review progress, status and plans. Now is the time to trim out the proposed solutions that are a) too costly or b) so obscure that they would take focus off of your core competencies and environment.

Day 4 – Prioritize your efforts and narrow the scope. If you don't narrow the scope you'll be playing darts with dull points because nothing will actually get accomplished.

Day 3 – Communicate with the business what your plans and takeaways are. Give them proposed timelines, letting them know that the dates could shift.

Day 2 – Call today IT Appreciation Day. Make it an annual event. Invite everyone to nominate someone for appreciation. Invite vendor partners to donate giveaways.

Day 1 – Actually appreciate everyone. IT teams love food. Give them silly awards that they can keep on their desks. Have drawings for the partner giveaways. Give away tickets to the local NFL football team or the Christmas concert being held or "something".

I don't honestly think IT Teams are appreciated enough because no one really understands what they do. So, to all the IT Teams out there, good job.

Friday, November 16, 2012

Access Review in light of the Petraeus Scandal

Although I focus on technology risk discussions for the most part, and prefer to avoid politics in a public forum, the discussion about security clearance and access to confidential documents brings to light another aspect of risk management that I believe is highly relevant. I thought this even more so given Jill Kelley's involvement. Paula Broadwell and Jill Kelley are two civilians who were evidently granted security clearance based upon access they wanted to have to environments and individuals that average individuals don't have. I don't intend to go off as a moral compass for either General Petraeus' or General Scott's alleged actions. This is simply about access rights.

Let's take Paula Broadwell first.

  • I can understand Broadwell's access being granted to talk to Petraeus based upon them meeting and his feeling comfortable with a potential biographer.
  • I can understand Broadwell being allowed to speak with Petraeus' colleagues and staff.
  • I can understand Broadwell being granted a basic visitor badge to public areas within the buildings and locations that Petraeus worked in. (Give her access to the bathroom, the kitchen and the vending machines IF she didn't have to pass through any potentially secure areas to get there.)

Questions I have:

  • Was Broadwell provided with any level of security training prior to being granted her access?
  • Was her role defined and boundaries discussed?
  • Was her access reviewed by an independent source with no "game"?

Now, Jill Kelley.

  • Mrs. Kelley is a civilian who, because of her social standing, was given the title of "honorary consul general". I don't know about you, but that title is impressive. Take away the "honorary" and I'm really impressed.
  • The State Department and the Department of Defense stated that Mrs. Kelley was a volunteer.
  • As a social liaison to MacDill Air Force Base, Mrs. Kelley had access to a number of individuals she otherwise would never have met, but no real paid responsibilities, even though she worked with South Korea.

Questions I have:

  • Can any volunteer walk into Central Command at will?
  • Were there limitations on where Mrs. Kelley could enter?
  • Was there any type of review as to Mrs. Kelley's creditworthiness to hold that type of clearance?
  • Was Mrs. Kelley's access fitting for her everyday role? Was it on the same level as a janitor, a cafeteria worker or the person who takes care of the plants?
  • Why did she have any expectation of protection for her role when she called 911 or sent emails to the Mayor of Tampa?

It would seem from the outside that both Mrs. Broadwell and Mrs. Kelley overstepped their boundaries and were allowed to do so because of their connections to senior military and government officials. From what the media has published, it would seem that both women had extraordinary access to resources the average person could only dream of.

I recognize some of these questions may appear naïve. Petraeus was, after all, the head of the CIA. What is disconcerting, though, is that there are people who are above scrutiny. If our national security is important to us, then no one person and no one person's access should be considered above question or reproach. At a minimum, those with security clearance should be reviewed and approved based upon specific criteria.

I'm sure a lot more will come out about the scandal, but at the root of it all, people were given access to places and persons that could have endangered the national security of our country. Is it possible that it boils down to access control and review?

Monday, November 12, 2012

Is your IT team the weak link?

A recent article in "Bank Info Security", http://www.bankinfosecurity.com/fraudsters-target-bank-employees-a-5269?rf=2012-11-09-eb&elq=7cc1647406704dd7bc60a34c9d54e8b0&elqCampaignId=5063, tells of a breach disclosing hundreds of thousands of customers' records. Experian, the credit reporting group, revealed that the breach was due to lax security at a credit union's IT department. This has to be especially vexing to those customers who then had to monitor their credit and lose sleep at night about the potential impact to their finances, present and future.

In IT, there has to be a balance between effort required to do your job and reward for discouraging data loss. The balance depends upon the potential liability to the company for data loss.

While it's difficult to ensure a breach will not occur, there are some basic, fundamental safeguards an IT department can take that will create a layered security approach and deter a breach from having a payoff.

  • Create, follow and periodically test adherence to policies and procedures that support an established risk appetite
    • Separation of duties
    • Implement the principle of least privilege
      • Establish a reporting system for certain privileged account uses and ensure review is performed on a regular basis
      • Give system administrators separate logins for access to vulnerable environments
      • Require management approval for privileged account creation
      • Work with system vendors to establish granular permission requirements
      • Where possible, limit the scope of system accounts
  • Beginning with development, consistently follow a documented and socialized SDLC (Software Development Lifecycle) – including using either masked data or non-customer data for testing environments
  • Establish periodic security and risk training for IT employees
  • Establish architectural guidelines with management sign-off on any system changes that modify security parameters
    • Include a review by selected Security personnel
    • Include a sign-off from the business to ensure they are aware of security changes to applications
  • Use Role-Based Access Controls
  • Limit data transmissions from end user subnets
  • Secure all data transmissions containing customer data
  • Limit and monitor physical access to sensitive systems
  • Implement an Incident Response Team to ensure a consistent response in the event of a breach.
  • Implement a strong problem management/resolution process. Although this is not specifically security-related, it supports a consistent business approach to issues.
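To make the least-privilege items above concrete (the regular review of privileged account use, separate admin logins, limited scope for system accounts, role-based access), here is an added example of the kind of periodic review report an IT team could run. It is not code from the original post; the log format, the account names, the hosts, the change-ticket ids and the policy table are all constructed for illustration, and a real environment would feed it from its own audit logs and access policy.

```python
"""Periodic privileged-account usage review over constructed sample log lines.

Added example, not from the original post. It assumes a simple one-line-per-event
format (constructed for this example):
    <timestamp> host=<h> user=<u> action=<a> target=<t> ticket=<id|->
and a hand-written policy table that says, for each approved privileged
account, which hosts it may touch, whether it is a service account (never to
be used interactively) and whether a change ticket is required.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2012-11-10T09:12:03 host=db01 user=jsmith-adm action=sudo target=postgres ticket=CHG-1001
2012-11-10T09:40:21 host=web01 user=jsmith-adm action=sudo target=root ticket=-
2012-11-10T23:05:44 host=db01 user=svc_backup action=login target=shell ticket=-
2012-11-11T10:02:10 host=db02 user=mlee-adm action=sudo target=postgres ticket=CHG-1002
2012-11-11T10:30:00 host=db02 user=mlee action=sudo target=root ticket=-
2012-11-11T11:15:55 host=web01 user=svc_deploy action=deploy target=app ticket=CHG-1003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) ticket=(?P<ticket>\S+)$"
)

# Constructed RBAC / least-privilege policy. Admin users have a separate "-adm"
# login scoped to the hosts they administer; service accounts are scoped to one
# host and must never be used for interactive logins.
POLICY = {
    "jsmith-adm": {"hosts": {"db01"}, "service": False, "ticket_required": True},
    "mlee-adm":   {"hosts": {"db02"}, "service": False, "ticket_required": True},
    "svc_backup": {"hosts": {"db01"}, "service": True,  "ticket_required": False},
    "svc_deploy": {"hosts": {"web01"}, "service": True, "ticket_required": True},
}
PRIVILEGED_ACTIONS = {"sudo", "deploy"}


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production review should count and surface unparsable lines too
        ev = m.groupdict()
        ev["line"] = lineno
        events.append(ev)
    return events


def review(events, policy=POLICY):
    """Apply the least-privilege review rules; return one finding per rule violation."""
    findings = []

    def flag(ev, reason):
        findings.append({"line": ev["line"], "user": ev["user"],
                         "host": ev["host"], "reason": reason})

    for ev in events:
        rules = policy.get(ev["user"])
        privileged = ev["action"] in PRIVILEGED_ACTIONS
        if rules is None:
            # Account is not on the approved privileged-account list at all.
            if privileged:
                flag(ev, "unknown_privileged_account")
            continue
        if ev["host"] not in rules["hosts"]:
            flag(ev, "unapproved_host")
        if rules["service"] and ev["action"] == "login":
            # System accounts should never be used for interactive sessions.
            flag(ev, "service_account_interactive")
        if privileged and rules["ticket_required"] and ev["ticket"] == "-":
            flag(ev, "missing_ticket")
    return findings


def summarize(findings):
    """Count findings per account for the periodic review report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"line {f['line']}: {f['user']}@{f['host']} -> {f['reason']}")
    print("per-account totals:", summarize(results))
```

Run on the constructed sample, the review flags the admin login used on a host outside its approved scope and without a change ticket, the backup service account being used for an interactive shell, and a non-admin login performing sudo. The point of the per-account totals is that a manager can sign off on the report at a fixed cadence, which is the "review is performed on a regular basis" item above rather than a one-off audit.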

For the most part, none of these are expensive requirements. They do require a mature process attitude but there are a lot of positive benefits that come from this attitude including improved system availability, less overtime for IT staff and most definitely an improved technology risk footprint.

These steps will complement and support a rigorous risk attitude in an environment where data loss could be costly. At a minimum, they instill a disciplined approach to managing the IT environment. You never go wrong by emphasizing this type of approach in IT.