Step 3. Start creating your lists. Exercise 1 and the exercises that follow use formal brainstorming; exercise 1 generates a list of the identities used in departmental work processes. Some team members may know brainstorming as a general problem-solving tool, but there are many brainstorming approaches, some more structured than others. For the BISP, the brainstorming is highly structured and formal. Guard against relaxing this simple tool: deviations will not produce the results that security requires. Appendix C gives detailed, step-by-step instructions for conducting formal brainstorming. Exhibit C.1 shows a sample brainstorming task statement created by a team working on a bioterrorism contingency plan, and Exhibit C.2 lists the results of a formal brainstorming session conducted by a team at the headquarters of a major automaker in Detroit. At this time, carefully read the instructions in Appendix C and review Exhibits C.1 and C.2. Then begin with exercise 1.
Exercise 1. Identify “Personal” Identities
Estimated Time: One–Two Hours
This exercise exemplifies why employees are the best and perhaps the only individuals capable of securing confidential business information. A team of employees from the same department, each of whom holds a different job position, knows the content of the work performed within the department. Working together and using formalized procedures, the team members can identify the types of personal identities used in those work processes or that are otherwise accessible to the job positions.
Use structured and formal brainstorming according to the instructions in Appendix C. Generate a comprehensive list of the types of personal identities accessible to or used in work processes within your department. Your first “task statement” on the flip chart might be: Determine the types of identities used in work processes in our department. (Exhibit C.1 provides a sample task statement.) When conducting the brainstorming, consider any personal information that identifies employees or customers. Include any personal identifier, such as bank account numbers, credit card numbers, Social Security numbers, and employee identification numbers.
Write your task statement on a large flip chart to provide the central focus of attention. When noting a form of identity on the flip chart, use general terms such as “credit card numbers” and “bank account numbers,” not the actual account (or other) numbers. Strive to complete this exercise within the time range. Then continue with exercise 2.
Exercise 2. Organize “Personal” Identities and Determine Entry Points
Estimated Time: One–Two Hours
Using the list of personal identities generated in exercise 1, now conduct cause-and-effect analysis to build on and organize this list. The goal is to categorize the personal identities according to their sources of entry into the department. These entry points will be secured in a later exercise. Conduct the cause-and-effect analysis (the second quality management tool) according to the specific BISP instructions described in Appendix D. Exhibits D.1 and D.2 show an example of the cause-and-effect framework. Before conducting the cause-and-effect analysis, carefully read Appendix D and review Exhibits D.1 and D.2.
Exercise 3. Identify “Business” Identities
Estimated Time: One–Two Hours
Follow the instructions in Appendix C for structured and formal brainstorming to generate an exhaustive list of the types of “business” identities accessible to, or used in, work processes within the team’s department. The team will use these business identities in subsequent exercises.
Exercise 4. Organize “Business” Identities and Determine Entry Points
Estimated Time: One–Two Hours
Using the list of business identities generated in exercise 3, now conduct cause-and-effect analysis to categorize the identities according to their sources of entry into the department. Follow the specific instructions in Appendix D required by the BISP for conducting cause-and-effect analysis.
Summary
In exercises 1 to 4, two lists of identities were developed—a list of personal identities and a list of business identities. In addition, two other lists were developed showing the sources of these identities—personal and business. If all four lists have now been developed, then check off the completed exercises under Standard 1 on the Security Standard Checklist (Appendix A) and move on to Standard 2. Standards 1 and 2 together form the basis for the exercises in subsequent chapters.
STANDARD 2. WHO HAS ACCESS TO YOUR BUSINESS IDENTITIES?
Goals: First, identify both “internal” and “external” job positions that require knowledge of “personal” and “business” identities—credit card or bank account numbers, Social Security numbers, pass codes, and others. Then match the personal and business identities with the internal and external job positions that have access to those identities, as follows:
Exercise 1. Determine “internal” job titles.
Exercise 2. Match “internal” job titles with “personal” and “business” identities.
Exercise 3. Determine “external” job titles.
Exercise 4. Match “external” job titles with “personal” and “business” identities.
Specific Objectives: Use brainstorming, organizational charts and, if they are available, job descriptions, along with a one-hour focus group interview, to help pinpoint job positions that require access to identities. Later, the team will develop Security Standards for the work processes for those security-related job positions. The brainstorming is to be formally conducted by the team in the usual way; the organizational chart may show departmental job positions and titles; the job description may list job tasks that the team may be able to determine require access to identities; and the focus interview with other departmental employees may provide incremental and important information, and serves to integrate those employees into the BISP initiative.
Orientation
The BISP requires a specific focus group interview approach. Appendix E provides the details and step-by-step instructions on how to organize and conduct BISP focus group interviews. Carefully read the instructions in Appendix E, then continue with exercise 1.
Exercise 1. Determine “Internal” Job Titles
Estimated Time: One–Two Hours
Obtain the organization chart and also the departmental job descriptions for the jobs within the department, if available. Working from these documents and from team members’ knowledge of the jobs within the department, conduct structured and formal brainstorming, using the strict BISP approach (Appendix C). First create the task statement and then generate a complete list of the job titles for all jobs within the department—these are the internal job titles. This list will be used in exercise 2, for the focus group interview.
Exercise 2. Match “Internal” Job Titles with “Personal” and “Business” Identities
Estimated Time: One–Two Hours
Use the list of job titles from exercise 1 for the BISP focus group interview. The goal, using the focus group interview, is to match the types of “personal” identities and “business” identities, such as bank account number, credit card number, Social Security number, tax identification number, or other, with job tasks for each job title. In preparation for the focus group interview, follow the directions in Appendix E and:
Randomly select up to eight employees.
Elect one team member to ask “questions” or “prompt” employees to help trigger their knowledge of the types of identities used in the various departmental job positions, referred to by the job titles.
Elect a team “recorder” to list responses on the flip chart.
Other team members participate in the interview by generating new prompts triggered by employees’ responses.
Conduct the focus group interview in two 30-minute stages:
Match “internal” job titles with “personal” identities.
Match “internal” job titles with “business” identities.
To begin, emphasize to employees that the “focus” of the group interview is on the job and not the person who performs a job. Explain also that the purpose of this group interview, and subsequent BISP exercises, is to involve all employees by obtaining their opinions on information that will help secure the company’s people and work processes from threats of identity theft.
Exercise 3. Determine “External” Job Titles
Estimated Time: One–Two Hours
The present goal is to identify “external” job positions (referred to hereafter by their specific job titles) having access to “personal” and “business” identities, using the team approach and structured brainstorming. External job titles are those held by suppliers, vendors, database management companies, and other second and third parties. Specific examples are computer supplier, printer repairperson, call center agent, office cleaning contractor, office supply salesperson, invoice billing agent, database processor, and so on. Business transactions with external parties provide a conduit through which identities can cross business borders. In order to secure the pipeline, the team must identify those specific external parties. The first step, therefore, is to identify the external job titles. The second step is to match those job titles with the types of identities accessible by those jobs.
To prepare for the brainstorming session, obtain from the accounting department the names of vendors, suppliers, contractors, outsourcing companies, and other external entities. Working from this and other information, now use the team approach and structured brainstorming to generate a comprehensive list of external job titles involved in business transactions with your company. Use the flip chart with a task statement. As always, refrain from using the names of individuals holding those external jobs but refer instead to the job titles. For these job titles, you may also associate the company names (e.g., Johnson Company vendor). When the complete list of external job titles has been generated, move on to exercise 4.
Exercise 4. Match “External” Job Titles with “Personal” and “Business” Identities
Estimated Time: One–Two Hours
Now match the list of external job titles with the types of identities accessible to those jobs. Use the list of job titles generated in exercise 3 for a second focus group interview with a second, randomly selected group of up to eight departmental employees. Select as participants employees not involved in the first focus interview, so as to obtain perspectives from a wide range of employees and to include as many employees in the overall project as possible. To prepare, elect a team member to give the “prompts” that will help employees trigger knowledge of the types of identities used by the various external job positions. Also elect a team “recorder” to itemize the responses on the flip chart with the task statement (Appendix E). Other team members participate by generating new prompts triggered by responses.
Conduct the focus group interview in two 30-minute stages, matching the external job titles first with “personal” identities and then with “business” identities. Emphasize that the focus is on the external jobs and not the individuals who perform those jobs. Explain also that the aim is to involve all employees in the development of the BISP by obtaining their opinions on information that will help throughout the project to secure the company from threats of identity theft.
Summary
In this chapter, Standards 1 and 2 were developed. For Standard 1, four lists were generated: two lists of the “personal” and “business” identities used in the department, and two lists of the sources through which those identities enter the department. For Standard 2, four lists were developed: two lists of internal and external job titles, and two related lists that match those titles with the specific types of “personal” and “business” identities they can access. Use the checklist in Appendix A to record the completion of these exercises.
Through these exercises, the team now knows the:
Types of personal and business identities used in departmental job tasks
Sources of entry of those identities into the department
Specific internal and external job positions that require access to identities
Types of personal and business identities accessible by those job positions
This company-specific information is the basis of the four-factor model of information security, the guiding framework used in each chapter that follows, to create the standards that tighten your business borders.
CHAPTER 9
SECURING THE PEOPLE FRONT: THE SECURITY JOB ANALYSIS
For the Business Information Security Program (BISP), personnel decisions, from recruitment, to selection, to promotion or demotion, are all based on the results of a formally conducted “job analysis” that uses systematic procedures to comply with Title VII and the Equal Employment Opportunity Commission (EEOC) Uniform Guidelines on Employee Selection Procedures. The unit of analysis is the job, not the job incumbent. Companies that fail to conduct job analyses are exposed to liability in the event of charges of discrimination in personnel practices, because the job analysis identifies and describes the tasks performed on a job, and ultimately all personnel decisions are based on the performance of those job tasks. From determining pay ranges, to recruiting and testing the qualifications of job applicants, the overriding purpose is to select the highest-performing job applicants—those who can best perform the tasks identified by the job analysis. Yet many companies do not conduct job analyses, out of a mistaken belief that doing so is too costly or because of misunderstandings about the purpose and procedures.
Indeed, there is confusion about the job analytic procedure, perhaps because, over the years, researchers have discovered new approaches and techniques that have added new language and methods to a once-basic traditional procedure (which, nevertheless, still complies with legal statutes). Today, terms associated with job analysis, such as “knowledge,” “skills,” “abilities,” “traits,” “attributes,” “behavior,” “competencies,” and “tasks,” have complicated the literature and confused some companies. For example, a job “task” is a specific job “behavior” that, when more broadly defined, is sometimes now called a job “competency.” There are also misunderstandings about the procedure itself. For example, job “analysis” often is used interchangeably (and mistakenly) with job “evaluation”; however, the terms are not synonymous. The unit of analysis for job analysis is the job, whereas the job incumbent is the unit of analysis for a job evaluation. Additionally, many sometimes complex variations exist on how to conduct a job analysis, not all of which, unfortunately, meet the EEOC requirements. The traditional job analysis, however, is straightforward, and the tasks performed on a job can be identified in three easy-to-conduct steps: (1) interview, (2) observe, and (3) survey the job incumbent on the job tasks he or she performs.
The security job analysis follows the step-by-step instructions of this traditional approach with one additional short step to identify jobs that are security-sensitive—those jobs that use or have access to personal and business identifying information. Those jobs also are considered positions of security and authority, because those jobs are given access to personal or business identities, or both. These are the jobs to which the security standards apply. The security job analysis, therefore, without complexities or confusions and using a method applicable to any job in any business, brings the traditional job analysis up to twenty-first-century security standards.
STANDARD 3. SCIENTIFIC JOB ANALYSIS FOR SECURITY DECISION MAKING
Goals: Determine the security-relatedness of jobs within the department.
Specific Objectives: Incorporate into the traditional job analysis a security-sensitive component to identify job tasks for jobs within the department that use or have access to either personal or business identifying information, in compliance with EEOC Guidelines and Title VII statutes for fairness in personnel practices.
Orientation
The preparation for the job analysis requires:
A review of laws pertinent to the “traditional” job analysis
A team composition unique for this standard only
Knowledge of a few technical terms
Identification of departmental job “sets”—jobs having similar or identical job tasks—by using existing job descriptions, if available
Step 1. Review the laws. Under Title VII of the Civil Rights Act of 1964 and the U.S. Equal Employment Opportunity Commission’s Uniform Guidelines on Employee Selection Procedures, employment practices must be job related and consistent with business necessity. Employment practices include recruitment, testing, hiring, promotion, transfer, and firing. Under these requirements, personnel decisions must be related to the tasks performed on the job, and the tasks on the job are determined by conducting a thorough job analysis. The BISP and the security standards require a security job analysis to determine whether “security” is a job-related component. This step provides the team with relevant and essential background information on the laws that govern job analysis. Team members should carefully read, and then review as a team, the Title VII regulations for personnel practices. For each item listed, the Web site link is provided.
Preventing Identity Theft in Your Business Page 8