Preventing Identity Theft in Your Business


by Judith M. Collins


  Additionally, neither these seven requirements nor any others specify the security of work processes, which must be a legislative oversight inasmuch as work processes are sources of stolen identities. Further, and in addition to all of the problems just mentioned, these broad laws with their pervasive omissions were intentionally written to be flexible—despite the established fact from the field of security management that security of anything requires comprehensive, firm, and distinctly delineated standards.

  To further explain, the “flexibility” clauses of Section 314.3, FTC Standards for Safeguarding Customer Information, were specifically written so that small businesses could comply without incurring costly consultant fees and also so that the information security program would cover a “continuous life cycle” that, over time, can “meet the needs of a particular organization or industry.” In short, businesses that can afford it may each comply with the laws, according to their needs. Thus, the laws require of businesses no universal standards for either people or work process security. And without universal standards for people and processes, there can be no security. Fortunately, there are solutions.

  Personal information—identities—can be secured in businesses using inexpensive and universally applicable solutions that also are sufficiently comprehensive to bring businesses into compliance with all current as well as anticipated laws to be enacted in the future. The solutions are security standards developed using established and effective methods from industrial and organizational psychology, business management, and the field of criminal justice. Security standards developed using these methods comprise the information security program, or, more formally, the Business Information Security Program (BISP).

  BISP SECURITY STANDARDS

  Many businesses use universally accepted and widely documented methods from industrial and organizational psychology and the field of quality management to select high-performing employees who perform their work using quality-driven processes. These management methods, when adapted to security management, can select and develop high-security workforces that perform jobs using security-developed work processes. Security, as with quality, must center on both “people” and “work processes.” The methods are straightforward and easy to implement.

  People Security

  Reputable personnel tests select job applicants for performance, motivation, and integrity. Other management methods socialize newly hired employees into honest company cultures that are developed using yet other established procedures. Thousands of businesses already use these tools that focus on “people” and “honest performance.” For information security, the focus also is on “people” and “honest performance.” The same industrial and organizational methods can be used, and are used in Part II of this book, to develop “people” standards of security. Not only are these methods valid (they measure what they purport to measure) and reliable (the measures are consistent), but they also are capable of increasing profits by reducing the monumental losses due to identity thefts.

  These methods, moreover, are consistent and stable temporally, situationally, and organizationally, regardless of business size, type, or geographical location. This means that the people security standards are universally applicable, not only now but also over time and into the future as new laws are enacted. The technical industrial/organizational term describing this universal stability is “generalizability.” And this generalizability is precisely what the FTC standards call for in Section 314.3 requiring information security programs to cover a “continuous life cycle” that over time will “meet the needs of a particular organization or industry.”3

  These flexible FTC standards intend in part to make security affordable for small businesses. But security is not cost prohibitive. For “people” security, the investments range from a few hundred to several thousand dollars, depending on the complexity of the business. The methods used for security are tangible, amortizable assets that can be used repeatedly; and they do not deteriorate, degrade, or otherwise become obsolete, for either people or work process security. In comparison, civil fines under the Health Insurance Portability and Accountability Act (HIPAA) are specified at up to $100 per violation, and criminal penalties range from $50,000 to $250,000 and from 1 to 10 years in prison. Work process security methods also are economical to develop and last as long as management is motivated to employ them.

  Work Process Security

  First used in the mid-1940s to establish and measure efficiency in manufacturing processes, “quality” standards are now required to ensure, for example, quality services, quality products, and, effective in 2005, the worldwide uniformity of bar codes. The quality process template has been made and refined over time. It is this template that established quality in manufacturing processes that now can be used to produce security in work processes. That is, the quality management methods can be applied to security management, because manufacturing processes are analogous to work processes. The only difference between the two is that “work” processes refer to white-collar job tasks, such as conducting financial transactions or assessments that require processing of personal and other information, whereas manufacturing processes refer to blue-collar jobs, such as assembly or product development that requires processing of materials. Both involve work processes.

  These quality management methods, used together with information process risk assessments from the field of criminal justice, produce two results:

  Information process risk assessments identify internal and external risks to security in work processes.

  Once so identified, mechanisms and methods are developed to secure those processes.

  Recall the sixth provision of the GLB Act: Businesses are to identify internal and external risks to security. Information process risk assessments can help businesses comply with this requirement.

  These methods for people and process security, together with the already required IT provisions, can comprehensively secure personal information in any business, anywhere. These methods produce security standards that constitute a Business Information Security Program that meets and exceeds the current federal legal requirements by securing not only “customer” and “consumer” identities but also “employee” and “business” identities—the sum total of information vulnerable to identity theft. Furthermore, this BISP increases profits by reducing the monumental costs of identity theft and identity crimes. However, although the BISP presented (in Part II of this book) in lay language requires no special training or skills and is not cost prohibitive, its success is conditional. Before embarking on formulating an information security program, first consider the warnings and explanations given in Chapter 6.

  CHAPTER 6

  CAVEAT LECTOR: LET THE READER BEWARE

  The information security program contained in Parts II and III of this book may not be for you. The program consists of a set of security standards that are guaranteed to prevent identity theft in all businesses regardless of size, type, or location, but developing and implementing these standards requires the time and interest of managers and employees. Another prerequisite, however, in addition to time and interest, is the psychological commitments of the chief executive officers—the motivation and devotion the CEOs give to the success of an information security program and the support they give to employees to help develop it.

  The success of the program is, additionally, subject to the discipline and willingness of employee-manager teams working together. To develop and implement the information security program, teams must meet for up to four hours each week over several weeks to follow step-by-step and consecutively ordered exercises. The messages to executives and employees that follow may help to determine whether an information security program is feasible for your company at this time.

  MESSAGE TO EXECUTIVES

  This book is based on considerable research on crime in the workplace, conducted over a period of 15 years in public and private companies with hundreds of executives and employees; with criminals in 23 federal prisons across the United States; from investigations of identity theft crimes and networks; and, since 1999, from working with hundreds of identity theft victims. As you undoubtedly know (or you would not have purchased this book), no business is immune to crime in the workplace, especially the overarching crime of identity theft.

  By the year 2005, an estimated 1.7 million people and an untold number of businesses will be victims of identity theft. The majority of these crimes will have been committed inside the workplace by a relatively few dishonest employees. These dishonest few threaten the security of your company’s four most valuable assets:

  Your people—the majority of honest and hardworking employees, current customers, and consumers you wish to attract

  Your company’s work processes—those sequential job tasks that comprise all job positions and through which personal information is evaluated, documented, maintained, and otherwise managed

  Proprietary information—the personal information used in those work processes, without which your company cannot operate

  Your property—the tools used to process the information, both real (computers, networks, and other digital systems) as well as virtual (Uniform Resource Locations [URLs], e-business Web sites, and e-mail addresses)

  These four assets—people, processes, proprietary information, and property—can be protected from identity theft in your company, at little cost.

  What are these costs? The greatest is the three- to four-hour workshops that must be held each consecutive week in which department managers and employees meet as a team to develop the security standards. The standards—the information security program—require a series of exercises that are to be completed in sequential order over several weeks. The number of weeks depends on the size of the department or departments to be secured and the complexity of the work processes—the series of job tasks that form the jobs within a department. In addition to the time involvement of the employee and manager team or teams (one team for each department), one of the exercises requires either focus group or individual interviews with other employees, officers, and other stakeholders. The cost in time for one focus group interview is estimated at one hour or less. All other costs are decision choices, some of which may involve either short- or long-term budgeting. Other than the time investment, most costs are relatively minimal. And for many of the security standards, there are no financial costs at all. In fact, the largest cost is not a dollar value but, rather, the psychological investment made by you, which will determine the success of the information security program.

  You must approve, prioritize, and emphasize to your employees the importance to you of this information security program. (Employees themselves already recognize the need for security standards, as they want to feel safe within their own companies.) Your support for information security, and employees’ concern for safeguards, are both important. With executive support, employees tend to embrace and assume ownership of initiatives they help develop and implement. For the security standard initiative, the methods involved can be described succinctly in a few sentences.

  Employee-manager teams working together complete a series of sequentially ordered exercises that are described in lay language and that require no special skills or training. Some exercises use tools from quality management and are already familiar to some employees. The exercises are structured so that each can be completed within three to four hours—the estimated time each consecutive week the team(s) must meet to complete each exercise. Once completed, the exercises in Parts II and III provide a set of security standards that will prevent identity thefts. The benefits include immediate and long-term dollar savings from:

  Fewer fraudulently purchased products and services

  Enhanced productivity of employees whose job tasks are not interrupted by their customers’ or their own identity thefts

  Retaining customers who feel safe doing business with your company

  Attracting new customers who have been made aware of your company’s information security program

  Protecting your own employees from threats of identity theft

  An additional and very special benefit is the distinguished “Seal of Information Security” your company will receive from the Michigan State University–Business Identity Theft Partnerships in Prevention, at the annual awards ceremony. The Seal testifies that your company has implemented and enforces the security standards required by federal law and signifies to employees and customers alike that everything possible is being done to protect them.

  The caveat, therefore, is this: The success of establishing an information security program in your company depends, first and foremost, on the highest-level executives—your sincere motivation and follow-through are essential. If this kind of leadership involvement is not now possible, then “now” may not be the time for you. If, however, you are so determined, then the Partnerships in Prevention—an outreach initiative at Michigan State University—will work with you and your employees to ensure success. You may call on the Partnership’s management team to help you with any questions along the way. As a final step, the team will be happy to review your new information security program prior to implementation and in preparation for the annual awards ceremony.

  MESSAGE TO EMPLOYEES

  Although “business” identity theft is the latest crime trend, “personal” identity theft currently has reached epidemic proportions, which is why the first focus of identity theft prevention and control is on protecting “personal” identities. When it comes to safeguarding personal identities, employees, not upper management, hold the positions of authority. This is because employees who perform the job tasks that process personal information are also closest to the policies, practices, and procedures that can help prevent identity thefts. In fact, given management support, employees can develop, implement, and enforce security standards and, in effect, create and maintain an honest company culture where they can feel safe and secure.

  The tools and methods used to develop these security standards for the workplace are adapted from “quality” management and also from other management sciences, including industrial and organizational psychology. For example, the workshop exercises involving work process security use quality management problem-solving tools—brainstorming, flow-charting, and cause-and-effect analysis—and the people security exercises use methods from industrial and organizational psychology. For all of the exercises, step-by-step instructions are provided and no special skills or previous training is required. For success, however, there are four conditions.

  The exercises must be completed in the order in which they are presented in the chapters. The order of sequence does matter.

  The exercises require department managers and employees to work together in teams for three to four hours each week for several consecutive weeks. (Earlier exercises may take longer to establish a learning curve.) Managerial involvement in these exercises is essential because managers must understand, accept, and approve of the specific security standards (there are options) the teams develop.

  Each team is to consist of at least one, and preferably more than one, department manager together with two to four employees from that department. Large companies may have many departments and thus many teams, one for each department—comprehensive security standards require that all departments be secured.

  The team exercises must be completed consistently and in subsequent weeks by the same manager-employee team members. For some weekly exercises and for businesses with labor unions, the teams may involve bargaining unit members. The number of weeks it takes to complete the exercises can range from several to 30 or more, depending on the size of the company, the number of departments, and the complexity of job tasks (the work processes) performed within a department.

  In short, the four conditions for success require discipline. Team members must follow the steps in the exercises and follow the exercises consecutively, with each exercise building on the previous ones. Teamwork must last as long as it takes to develop and implement the information security program—the security standards.

  Parts II and III of this book present the program. It begins in Chapter 7, which describes the four-factor model of security: people, processes, proprietary information, and property. The model is the foundation for security standards that, when integrated with the information technology security measures that most companies already have in place, provide for a comprehensive information security program. Part II describes the tools and methods used in the exercises to develop the program.

  Your success in each of these chapters is important to me, which is why I give you my contact information at the ID Theft Crime and Research Lab: [email protected], (517) 432-4236. Someone from the Lab management team will respond to questions in as timely a manner as possible. And I hope to personally award your company the Seal of Business Information Security at the annual ceremony, where teams are invited to give brief presentations on their success stories. Let me know if you might be interested. Now, let’s begin!
