Saturday, August 25, 2007

Who are you?

On my travel theme, a news article this week brought home to me the importance of thoroughly authenticating employees. Are they who they say they are? Do they have the qualifications they claim?

The article that caught my attention stated that an allegedly unqualified Qantas mechanical engineer signed off on the safety of more than 1000 flights without having a licence to do so. It is alleged that the "impostor" forged his aircraft maintenance engineer's licence because he had not passed the Civil Aviation Safety Authority exams required.

True? I have no idea, but it reinforces the point that, sadly, people are not always who they claim to be. Thorough checking of qualifications and employment background is a vital process and must form a key element of security management.

Do you have these processes?

Friday, August 24, 2007

Information Security? Not at the airport!

This week I found out that travel broadens the mind, in multiple ways!

I got a lesson in information security.

On a wet Monday morning, flights were delayed and the lounge was full. The section of the lounge with the work cubes was packed, and around me, people were busy on the phone.

I spend time working on information security to protect confidential data, and after 10 minutes I had a lesson that information security is a company-wide issue, not just an IT one.

Was it the gentleman on the other side of the cube who was on the phone, describing (in detail) the contracts that he was sending for approval? He described the market research services and the issues with the contracts. Or was it the gent to the left who was chairing a meeting for a financial services company, or perhaps the lady behind me who was discussing issues with remote monitoring facilities?

All confidential information that they were sharing with a group of people they didn’t know.

Do they forget where they are, or just assume the other lounge guests won’t listen?

As I said, this just reinforced to me that Information Security is a 360-degree issue, and the policies must include when and where people talk about their business.

Friday, August 17, 2007

Is all Data created equal?

How many places do you have data stored? Excluding the data you have residing on servers, what about the data you have stored on your personal devices?

You may have multiple data stores. Your laptop of course, your PDA, mobile phone, USB sticks and removable hard drives. Any more?

In most organisations, “corporate” data, such as accounting information and even email, is secured, protected and managed for back-up.

So, are your spreadsheets and presentations any less valuable to you? The business won't stop trading if they are lost, but what about your productivity? What would happen if they were all lost tomorrow? Are you relying on email as your archive?

This raises three questions:
1. What is the security and protection for data on mobile devices, if they are lost or stolen?
2. What is the back-up process for this data?
3. Should this data (documents) be treated differently to other data (accounting)? If so, is that explicit in policy?

Thursday, August 9, 2007

Taking Care of Business - 2

A week ago, I posted a question on Linkedin (www.linkedin.com), which asked

“What do you want from your IT Department? Are you getting it?”

I got only 8 answers in a week, which is low, particularly when compared with the 100+ answers to the question “If Vincent ran out, would you buy him some paint?”.

So, on a site with a massive number of professional members (quoted at 12 million), only 8 people had the interest in IT to answer. Of the answers, 7 of the 8 related to the IT Department as a service organisation, which goes to the topic of my Blog, posted a couple of weeks ago. Both of these facts should be slightly concerning to the IT community.

Of the answers, I thought the cleverest (and it made me smile) was from Melodie Neal:
“Do not ask me if I've tried rebooting to solve a problem: I tried all the routine stuff before I called you. Try to think outside your comfort zone: the answer to every technical problem does not come in a box with Microsoft's logo on it.
Warn me when you plan to disrupt services, and let that warning be at least 1 business day before the outage. I work to deadlines, and I can only manage my customer's expectations properly if I know what level of service I can expect from systems you run.
If you know that something is on the fritz, such as the mail (again), try to let people know promptly.
Try to understand the business we are in, and what tasks we have to perform regularly. Ask a few staff to describe their working day. Spot the gaps where people are using their own equipment to make up the shortfalls in yours. Try and make the gaps smaller”

I received an answer that I thought summed it up, so I chose it as the Best Answer. It was from Stuart Ali:
“Ability to make decisions based upon organisational need rather than constrained by purchasing policy, current process and budget. Isn't ICT about building capability? ... but isn’t that a mistake of most service providers... focusing on the here and now, believing they are just a "service provider"... then are struck down with bewilderment when a new competitor takes the market by storm!”

Monday, August 6, 2007

How Secure is your Network?

I have been trying to think of a good analogy for IT Security. Insurance? Not really because insurance doesn’t prevent an incident occurring.

How about IT Security being akin to a cricket box (or a cup for baseball)? A cricketer wears one because although he is unlikely to get hit in that area, if he does, the impact is severe.

As we move to a self-service world with web sites interfacing (directly or through middleware) into financial, logistics, reservation and other systems, the opportunity for a security breach increases. The threat from outside the firewall is matched by the threat from within, with security experts suggesting that the risk of an employee abusing the system is much higher than an external “hack”.

This isn’t new – most organisations are wearing a box. Most have invested in good technology supported by strong policies. Can you feel a “but” coming?

The “but” is how do you know it is working at the optimum level? Has the set-up been changed to address the new threats, which are always developing? Who is “checking the checker”?

Let me give you a simple example. What happens if a Firewall device fails in your network? Does it fail open or closed?

So, to make sure that the investment is working, and that if the ball does hit that area the box does its job (stretching the analogy too far), your IT Security requires regular, thorough and independent testing.

Friday, August 3, 2007

IT Skills Shortage - Update

Following up my posting of a few weeks ago, I just came across the survey from Graduate Careers Australia about Computer Science graduates.

I know there are “lies, damned lies and statistics”, but it seems that in this time of an IT skills drought, a Computer Science degree is no short-cut to a job.

I would have thought that these graduates would be ahead of their peers in getting jobs, but apparently not.

Of new bachelor degree graduates who were seeking full-time employment, 82.4% had found it within four months of completing their studies, the report said.

For Computer Science, that figure was 78.8%.

Is this an indictment of the courses, or of employers not wanting to take the time, or spend the money to train graduates?

We can't leave the development of our industry professionals to "someone else".

For those, like me, who don’t know them, Graduate Careers Australia are a peak body with representatives from employers, universities and government who work to foster employment and career opportunities for graduates from higher education institutions.