Preventing Identity Theft in Your Business


by Judith M. Collins


  PART II

  IDENTITY THEFT PREVENTION

  Securatio populi suprema lex.

  (The People’s security is the highest law.)

  Legal Maxim

  CHAPTER 7

  THE BISP PLAN: TIGHTEN YOUR BUSINESS BORDERS

  Large and small businesses alike, whether domestic, international, or multinational and regardless of service, product, or market, share in certain common assets.

  BACKGROUND REVIEW: FOUR-FACTOR MODEL OF INFORMATION SECURITY

  There are four valuable assets that all businesses share:

  People (employees and customers)

  Work processes

  Proprietary information

  Property

  These four factors, or security fronts, are tightly integrated and interdependent: people in their work processes verify, validate, manage, and maintain “personal” and “business” information using business properties—both actual (computers) and virtual (e-business Web sites). Because of this interdependency across the four factors, a business must secure each factor in order to ultimately secure its business borders.

  Conveniently, the Business Information Security Program (BISP) is universally applicable; that is, the methods and the exercises used to develop the Security Standards apply similarly to all types of businesses. The only difference businesses will experience in applying the BISP is the time required to complete each exercise: The greater the size and/or complexity of the company, the greater the time requirement. Nevertheless, even the largest and most complex business enterprise can afford the time required to secure its assets, beginning with the first front, the people.

  People: The First Factor

  The primary assets of every business are people: the employees who constitute and maintain the organization; the customers who support and sustain the organization; and the suppliers, vendors, contractors, shareholders, and other stakeholders, any of whom may have access to employee or customer identities. Throughout history, a relatively small percentage of people have committed crimes in the workplace against coworkers and customers. Examples are workplace violence and white-collar crimes of fraud and embezzlement. The twenty-first-century crime of identity theft adds another dimension—a relatively few dishonest insiders inflict emotional and financial pain and suffering on coworkers and customers by stealing and fraudulently using their identities.1 These insiders may be temporary, contract, permanent, full-time, or part-time employees, or individuals impersonating employees—perpetrators who may hire into a company for the sole purpose of engaging in identity theft.

  To protect the majority of U.S. workers and their customers from the threat of this insidious offense, the simple solution is to secure the entire personnel process, from recruitment, to selection, to organizational socialization and occupation. Only in this way can people—the employees and their customers alike—be secure in the marketplace. But businesses can be victims, too, and identity security involves the process front, where both “personal” and “business” identities can be threatened.

  Processes: The Second Factor

  Processes refer to the input-throughput-output of information on employees or customers as this information is processed in a department. Information, such as personal and business identities, is an asset that can be secured by securing the information processes—the sequence of job tasks performed on the information (identities). A process, for example, may be the sequence of tasks required to fill work orders or medical prescriptions, to conduct financial audits or prepare tax forms, to prepare employee payroll checks, to process credit card applications, or to establish retail credit accounts. For each of these, the job tasks expose names, addresses, Social Security numbers, tax identification numbers, and other personal and business information, or identities. Without such information, there would be no job tasks to perform: The jobs exist to process identifying information.

  An example of a work process is taken from an actual case in which a major automaker leases automobiles to corporate managers. The process begins with the receipt of an application from a manager for the lease of an automobile, which arrives at the leasing department through company mail or by U.S. mail, e-mail, fax, or telephone. Upon receipt, the information on the application is verified against company records to confirm the applicant’s job position with the company. Then the applicant’s identifying data—name, Social Security number, and driver’s license number—are verified with the state’s driver’s license bureau to check for violations and confirm validity of licensure. After all information has been verified and the application is approved, the company dealer is given authorization to release the automobile to the manager. From the point of entry into the department to the authorization to the company dealer, identity information is processed through a series of sequential job tasks in multiple job positions. Whether processed digitally or in paper format, there are many points, links, or places within and between the steps in this process in which identity information can be pilfered. The Information Process Risk Assessment (Chapter 18) is the BISP method used to secure proprietary information in all types of work processes and for any type of business.

  Proprietary Information: The Third Factor

  Proprietary information—the third factor—is a business asset that is integrated into each of the other three factors in the model: people, processes, and property. Technically, proprietary information is any confidential business information including marketing objectives, product designs, business plans, and any other information related, either directly or indirectly, to the profits earned by the sale of a company’s products or services, including employee, customer, and business identities. Although the BISP focuses entirely on protecting the “identity” form of proprietary information, BISP methods can be used, in follow-up exercises, to secure all proprietary information. Regardless of the type, all proprietary information can be secured by securing the people, processes, and property.

  Property: The Fourth Factor

  The term “property” refers to tangible or intangible lawfully owned possessions of the business, including property within the company’s physical boundaries as well as the unbounded virtual properties. Tangible property includes the physical structures and surrounding grounds, computer, network, and other electronic communication systems and other equipment and materials used to conduct the business. The tangible properties of primary interest in these exercises are fax machines, landline telephones, and cell phones; employee and company mailboxes; desks, and file drawers; and the physical organization of job stations (positions) within a department. Tangible properties also include computers and any technology used to transmit, store, or process identity data. Many books and articles have been written on computer and network security. There are laws in place establishing security standards for this information technology. Methods to develop these (computer) standards, although not part of the BISP, are essential for comprehensive identity theft security, in combination with person, process, proprietary information, and property security.

  The intangible property of specific interest here is the e-business Web site that operates in cyberspace. The concern in Preventing Identity Theft in Your Business is Web site security from the perspective of the customer. How secure does a consumer feel in submitting personal identities to your e-business Web site? The customer, whether on site or online, makes the final call as to whether to do business or not. To secure a business from identity thefts, the people (employees), their work processes, and the identifying information used in those processes must be secured, and customers must recognize this security. In later chapters, BISP exercises are conducted to develop a standard to measure and assess consumer perceptions of security when visiting your company online.

  SECURING THE FRONTS

  Securing the People Factor

  In Chapter 8, exercises for Standards 1 and 2 will establish the basis for security by identifying your company’s personal and business identities, their sources or entry points into a department, and the internal and external jobs that use them. In subsequent chapters, standards will be developed to address people security, for it is the people—the employees and their customers—whose identities are stolen, and employees can be the first line of defense when it comes to threats to “information” security and identity theft.

  The BISP uses the tools of quality management together with the methods of industrial and organizational psychology to secure the entire personnel function, thereby securing the people. Traditional methods designed to analyze jobs and then to recruit, screen, and select job applicants no longer are adequate for twenty-first-century business performance—security now must be incorporated into the traditional methods. When performed in the listed sequential order as described in these chapters, traditional personnel methods can be adapted to meet present-day challenges to attract and develop a high-performing workforce that is also secured from dishonest infiltrators. After the selection of job applicants, the next exercises develop standards for “organizational socialization” and to establish a “company culture of security.” Thereafter, the team is guided through a series of exercises to develop the organizational feedback system whereby performance is evaluated at the organizational versus individual level of analysis.

  The people factor and the exercises to develop standards for people security are targeted toward job positions of security—those jobs for which the job tasks are related to the security of proprietary and confidential information. The exercises are based on scientific research and real-world applications with documented evidence for the reliability and validity of the results. When used for positions of security, the personnel practices fully comply with the Equal Employment Opportunity Commission Guidelines and the Title VII statutes for fairness in personnel practices.2

  Securing the Process Factor

  After people security, the focus is directed toward the work process factor. The exercises for work process security and the information process risk assessment use, in part, the results from exercises conducted in the chapters on people security. There are, in addition, other important identity theft-related processes to consider, such as the e-shopping practices of consumers; customer service practices and processes; and legislative processes that may inhibit, prohibit, or promote financial transactions. Therefore, the exercises in Part III develop Security Standards for each of these consumer and legislative practices or processes. The fourth factor, after process security, is property security.

  Securing the Property Factor

  The property is the intangible e-business Web site described earlier. Businesses increasingly depend on cybertransactions to remain competitive; even the largest department stores now have online catalogs listing thousands of products and services and use Web site announcements to promote them. But consumers, also increasingly, are reluctant to shop online—the risk of identity theft has scared many away. However, online shopping is as safe as shopping at the local mall provided the consumer deals with reputable businesses and uses some practical e-shopping rules—these are the “best practices” described in Chapter 21 on e-commerce processes. However, the overriding “best practices” are the Security Standards developed to secure the integrated and interdependent four factors (people, processes, property, and, thereby, proprietary information) so as to prevent identity theft.

  CHAPTER 8

  BEGIN THE EXERCISES: IDENTIFY YOUR BUSINESS IDENTITIES

  As described in Chapter 7, the Four-Factor Model of Information Security is the guiding framework for the systematic procedures used by the Business Information Security Program (BISP) to secure your business’s identities. Recall also that all threats to information security and all information security solutions involve four valuable business assets:

  People

  Work processes

  Proprietary information

  Property (virtual and actual)

  The BISP secures these four fronts through standards developed in a series of exercises sequenced throughout Chapters 8 to 22. Conveniently, all businesses can utilize the same exercises to establish and maintain security.

  There is one end product for each standard: a security document or report. The resultant set of documents or reports is the Security Standards that collectively comprise the Business Information Security Program. By the time a business completes all the exercises in the chapters, it will have its own distinctive BISP because, even though the exercises and the standards are uniform for all businesses, the tangible end products—the security documents—are specific to the characteristics of job positions and work processes unique to each business.

  The format for the exercises is consistent throughout the chapters: first, the goals are stated, then the objectives are specified, and, last, background information in the form of an orientation describes the requirements for conducting the exercises. For example, the orientation for the exercises to develop Standard 1 describes the requirements for the team composition and the method for electing a team and also gives instructions for using three quality-to-security management tools.1 Although these instructions plus additional ones in Chapter 9 are lengthy, they are essential for the successful completion of all of the exercises throughout this book. Please note: These instructions are not repeated in successive chapters.

  Except for this chapter, in which two standards are developed, subsequent chapters are comprised of one or more exercises that develop one security standard. The results of each chapter are used to complete the exercises in successive chapters. A summary conclusion at the end of each chapter reviews what is required or what is to have been completed before the team moves on to the next chapter’s exercises.

  The amount of time required to complete a chapter’s exercises depends on the size of the department and the number of different job positions within that department. However, a benchmark time is given at the beginning of each exercise, based on actual exercises conducted with companies having departments of various sizes. It is important to strive to complete each exercise within the estimated time range. Appendix A provides a Security Standard Checklist on which to monitor completion of exercises for each standard.

  This chapter begins by identifying the “personal” and “business” identities in your company and continues with related exercises to identify “internal” and “external” job positions that use these identities to perform job tasks. It provides the foundation for the Four-Factor Model of Information Security, the model that, in the remaining chapters, secures people, processes, and property. Let’s begin!

  STANDARD 1. WHAT ARE YOUR BUSINESS IDENTITIES?

  Goals: Create two independent lists of identities (personal and business, exercises 1 and 3 below) as well as two correlating lists (exercises 2 and 4 below) showing the entry points of these identities into your department, in this order:

  Exercise 1. Identify “personal” identities.

  Exercise 2. Organize “personal” identities and determine entry points.

  Exercise 3. Identify “business” identities.

  Exercise 4. Organize “business” identities and determine entry points.

  Specific Objectives: Create the above four lists using the team approach and two quality management problem-solving tools—formal brainstorming and cause-and-effect analysis. These lists prepare the foundation for securing the four fronts: people, processes, proprietary information, and property.

  Orientation

  Orientation consists of three steps:

  Create the project team.

  Review the definitions given in Chapter 1 for personal and business identities.

  Carefully read the instructions, introduced below, for using the quality management tools.

  Begin with Step 1.

  Step 1. Create a project team of volunteered, selected, or elected employees who, with input from other company employees, will develop the security standards. The team is to be composed of a minimum of three and a maximum of five employees, including at least one manager. Team members are to be from the same department or from related (interdependent or cross-functional) departments. Each team member is to hold a different job position because the BISP exercises require a breadth of knowledge about the jobs and job tasks within a department. However, it is not necessary to represent all job positions within a department. Team members should be longer-tenured employees who, relative to more recent hires, have superior knowledge of the business, its jobs, and its work processes. When assembling this team, and for continuity, identify employees whose job positions are most likely to enable them to meet consistently at the same time and the same day each week throughout the several weeks of the project.

  The exercises for all chapters are to be completed by the same team. For comprehensive security, the people, processes, proprietary information, and property for all company departments must be secured. However, the BISP can be rolled out consecutively by department or concurrently developed by multiple departments, each with its own team. Small businesses with few employees may require only one team to secure the four fronts for the entire business. Appendix B provides a checklist of team prerequisites. Take time now to review Appendix B, then create your team.

  Step 2. Once the team is in place, begin by reviewing the types of “personal” and “business” identities described in those sections in Chapter 1. Notice that the identities include the confidential information of employees, customers, and the business itself. In the present Chapter 8, the team will conduct separate exercises to identify the personal and the business identities. However, the identities to be secured may differ depending on the department. For example, the exercises for a human resources department may focus strictly on employee identities; the exercises for another department may focus only on customer and not employee identities.
