Preventing Identity Theft in Your Business

by Judith M. Collins


  Take five steps to develop the departmental appraisal instrument:

  Retrieve (from Chapter 15) the list of items generated on company culture.

  Using the items on this list, generate statements to solicit employee perceptions of how well the company’s honest culture is being maintained.

  Create the five-point rating scale.

  At the top of the instrument, create the instructions. Be certain to include the word “anonymous.”

  At the bottom of the instrument, include a section for anonymous comments.

  Upon completion of this exercise, four instruments have been developed, each designed to independently measure on-the-job performance from a unique perspective. The aggregate of information collected using these instruments will be used later to maintain organizational performance and security. To achieve these desired organizational outcomes, appraisals are to be conducted regularly on schedule with timely feedback. After the four appraisal instruments have been developed, go on to exercise 5 to establish the time plan for administering these appraisals and for conducting the feedback meetings.

  Exercise 5. Develop Time Plans and Procedures

  Estimated Time: Four Hours

  Appraisals without feedback are like taking half a bath, playing nine holes of golf, mowing half a lawn, or working with no reward. The current need, therefore, is to develop time plans to administer the four instruments and to conduct the feedback meetings so as to (a) make procedural, mechanical, or other changes to improve organizational performance and (b) reward performance the company wishes to reinforce. To be effective, the administration of appraisal instruments and the feedback meetings must be conducted sequentially and in close temporal proximity. It is best to conceptualize this appraisal-feedback process as one seamless, overall procedure.

  The time plans and procedures for administering the appraisals and conducting the feedback meetings will be unique for each company. For some companies, quarterly reviews may be too time-consuming and cost prohibitive; such reviews may be possible and practicable for smaller companies with fewer employees. Time plans also may depend on the number of departments and the number of job sets within departments, not to mention other company-specific factors. At a minimum, however, the appraisal and feedback meetings must be conducted semiannually, at firmly scheduled times each year. The continued challenge for the project team is to develop a time plan and procedure to accomplish these initiatives in the shortest time and at the least cost.

  Step 1. Use the following guidelines for administering the appraisal instruments:

  Develop a specific time plan to administer the four appraisal instruments; consult with management, consider the company’s calendar of other events, and select a time when most employees are likely to be available (e.g., avoiding holiday seasons and peak vacation periods).

  Develop a procedure to administer these appraisals: Use formal brainstorming to generate ideas for the most efficient and cost-effective method for administering the four appraisals. (Consider administering the appraisals using the business intranet computer system or at scheduled meetings or conferences.)

  Determine the job position or positions within a job set responsible for scoring the appraisals.

  Establish a closing date for completing the appraisal procedure.

  Step 2. For the feedback meetings, follow these guidelines:

  Consider the composition of employees who will attend the meetings. As a formal rule: include in the meetings all individuals whose job performance will be discussed either individually or as members of a work (departmental) group.

  Create two distinct opportunities for feedback and communication: (1) meetings between employee and manager and (2) meetings among employees and managers who work together as a group or whose job tasks require frequent interaction.

  Specify times for these meetings, to be held as soon as possible after the appraisals have been conducted.

  In terms of recognition and rewards, behavioral science research has shown that immediate reinforcement through prompt recognition increases the probability of desired behaviors. Both employees and their companies benefit from rewards that are tied into the appraisal and feedback system. Perhaps the most important people practice is the last: rewarding and recognizing valued employees.

  Exercise 6. Recognize and Reward Employees

  Estimated Time: Four Hours

  To recognize employees, first identify their reward preferences. Generate a large list of reward preferences, based on what employees say they prefer. Consider both intrinsic and extrinsic rewards.

  Intrinsic rewards come from an internal satisfaction of a job well done. Employees are assured of a job well done when managers recognize, compliment, and in other ways show appreciation. In these small but meaningful ways, managers mete out intrinsic rewards.

  Extrinsic rewards are also under management’s control, in the forms of salaries or wages, bonuses, benefit plans, flextime, and other work accommodations. However, employees also appreciate smaller rewards, such as certificates of recognition, an unexpected hour’s early leave time, opportunities for development, or even autonomy in performing their jobs. Use this six-step procedure to develop the list of reward preferences:

  Use formal brainstorming to generate a large list of creative ideas for rewards.

  Organize this list of ideas using the cause-and-effect analysis and the four M’s (manpower, method, machine, and materials) to generate even more creative ideas.

  Use the list of preferences as items in a survey to determine the most preferred intrinsic and extrinsic rewards.

  Create a 1 to 5 rating scale for each item (preferred reward), where 1 = less important and 5 = most important.

  Provide all company employees with an opportunity to complete the survey either online or through company mail. (You might be surprised to find what many employees consider the most preferred rewards.)

  Conduct one last brainstorming session. Based on the results from the survey, generate, present to management, and establish times to administer preferred rewards. (For example, many companies hold annual meetings, conferences, or other events or occasions where employees can be recognized and rewarded.)

  A MESSAGE TO THE PROJECT TEAM

  Congratulations! Your team has just completed a long series of rigorous and intensively intellectual and time-consuming exercises to secure the identifying information held by your company. Because of your time, energy, and efforts, the employees and customers in your company can be confident that their personal identities are safe and secure on the people front. I cordially invite you to attend the annual award ceremony for companies that have implemented the Business Information Security Program (BISP). The Michigan State University Partnership team will be honored to formally recognize your team’s impressive accomplishments.

  In conclusion, thus far in Part II, 11 BISP security standards have been developed and implemented to secure your company’s people. Their security is the first line of defense for information security. You can be confident that your company’s borders now are protected by employees who themselves maintain and enforce a company culture that is designed to promote security and prevent identity theft, and rightly recognizes employee performance. With business borders now secured on the people front, attention turns to the process front.

  CHAPTER 18

  THE PROCESS FRONT: SECURE BUSINESS INFORMATION PROCESSES

  According to the Four-Factor Model of Information Security, all threats to information security and all information security solutions involve four valuable business assets: (1) people, (2) processes, (3) proprietary information, and (4) property (both virtual and actual). Proprietary information is any information a business holds in confidence, including marketing strategies, development plans, competitive business techniques, and the personal identifying information of its own employees and of customers. Financial and all other institutions can secure these forms of proprietary business information by securing their people, processes, and property.

  In the preceding chapters, the first project team developed Security Standards that, when implemented and maintained, are guaranteed to secure the people front from thefts of proprietary information, including the personal identities of customers and employees.

  The goals for the second project team (composed of employees from the same department), described here through Chapter 22, are to:

  Secure the process front.

  Secure the property front—the virtual Web site.

  Create a customer assistance program for victims of identity theft.

  Develop an extensive list of e-commerce “best practices” for customers.

  Design identity theft legislation that promotes a competitive advantage and does not impact a company’s budget or business operations.

  Additionally, Chapter 23, dedicated to healthcare and healthcare-related institutions, provides an overview of the standards and procedures used to secure the national identity database created by the Health Insurance Portability and Accountability Act (HIPAA). This is a tall order! However, the team approach works quite well, and step-by-step instructions will guide you.

  Before continuing, however, it’s time to select a new project team. This team must be composed of employees and managers from the same department as the first project team, because the exercises in the remaining chapters continue from preceding chapters—and continuity within the department is imperative for security.

  SELECT A NEW PROJECT TEAM

  Goal: Elect, select, or seek volunteers for a new project team who will develop Standards 12–16 (and Standard 17 for healthcare-related institutions) to secure business information processes and the company’s virtual property.

  Specific Objectives: Identify a minimum of three and a maximum of five employees and one or more managers from the same (or cross-functional or otherwise interrelated) departments as for the first project team. The team members must be employees whose job positions enable them to commit to regularly scheduled weekly meetings for three to four hours each week for the duration of the project. To select the new project team, follow the specific instructions in steps 1 and 2 in the orientation.

  Orientation

  First, carefully review and then complete the instructions in each of the following steps to determine the composition of the new project team and to learn how to use the quality-to-security management tools for developing the final series of Security Standards for the Business Information Security Program (BISP).

  Step 1. Read Chapter 6 in its entirety: the “Message to Executives” and the “Message to Employees.” These pages describe the four conditions required to successfully develop the Security Standards.

  Step 2. Create the project team. Create a team of volunteered, selected, or elected employees who, with input from other company employees, will develop the Security Standards. The team is to be composed of a minimum of three and a maximum of five employees, including at least one manager. Team members are to be from the same department as the first project team, as the exercises in the remaining chapters follow from and use the results of all preceding exercises.

  Each team member is to hold a different job position because the BISP exercises require a breadth of knowledge about the jobs and job tasks within a department. However, it is not necessary to represent all job positions within a department. Team members should be longer-tenured employees who, relative to more recent hires, should have superior knowledge of the business, its jobs, and work processes. When assembling this team and for continuity, identify employees whose job positions are most likely to enable them to meet consistently at the same time and the same day each week throughout the several weeks of the project.

  The new project team will complete the exercises for the remaining chapters. As discussed in an earlier chapter, comprehensive security requires the securing of people, processes, proprietary information, and property for all company departments. However, the BISP can be rolled out consecutively by department, or the program can be developed concurrently by multiple departments, each with its own two project teams. Small businesses with few employees may require only one team to secure the four fronts for the entire business.

  If departments are implementing the BISP concurrently, each department is to, at this time, elect, select, or seek volunteers for the second project team. In so doing, first follow the prerequisites for team composition listed in Appendix B. Take time now to review Appendix B. Then create the new project team. Before beginning, learn about the quality-to-security tools that are used to create the Security Standards.

  QUALITY-TO-SECURITY TOOLS

  Step 3. The first series of Standards (1–11) was developed using formal brainstorming and cause-and-effect analysis, two quality management tools adapted by the BISP for security. Each of these tools will be used again to develop the remaining Security Standards. In addition, these remaining Standards require two additional quality-to-security tools: flow charting and Pareto analysis. The results obtained from formal brainstorming are used to conduct the cause-and-effect analysis, and the results of the cause-and-effect analysis are then used for flow charting and to perform the Pareto analysis. Each of these quality-to-security management tools is described later in this chapter, and all were designed for team problem solving. Additionally, each tool has its own specific conditions and step-by-step instructions.

  Any deviations from these requirements, such as devising shortcuts, will jeopardize the accomplishments gained in preceding chapters and the Business Information Security Program itself. Before continuing, therefore, each team member is to carefully review the procedures for applying the problem-solving tools that follow.

  Step 4. Brainstorm! Brainstorming is a method used to generate an extensive list of ideas that can be used to solve problems. Formal brainstorming is specific in its approach. Carefully read the instructions for formal brainstorming in Appendix C. Review also Exhibit C.1, which shows a sample brainstorming problem statement created by a team working on a bioterrorism contingency plan. For the sake of illustration, Exhibit C.2 lists the results of a formal brainstorming session conducted by a team at the headquarters of a major automaker in Detroit. For the BISP, the brainstorming is highly structured and formal. It is important to guard against relaxing this procedure; deviations will undermine the quality of the results needed for security.

  Step 5. Conduct a cause-and-effect analysis. Cause-and-effect analysis is used to organize and build on ideas generated through formal brainstorming. Appendix D describes in detail the step-by-step instructions for conducting cause-and-effect analysis and emphasizes the importance in the analysis of using the four M’s: manpower, methods, machines, and materials. Appendix D describes the cause-and-effect method and Exhibits D.1 and D.2 graphically illustrate it. Appendix D and related exhibits are taken from an actual case. In the exhibits, the project team was in the process of identifying the entry points of identities into the department and also the possible sources of identity thefts once identities were inside their department. Take time to now carefully read the instructions in Appendix D and examine the fishbone diagrams in Exhibit D.1 and D.2 for organizing and building on the ideas generated in the formal brainstorming.

  Step 6. Perform flow chart analysis. Flow charting is the quality-to-security tool used to trace the input-throughput-output of information (e.g., identities) through a department by tracing the sequence of job tasks performed in a work process that utilizes that information. Most or all work processes follow both a paper trail and a digital trail. An example is when a patron deposits money with a teller at a drive-in bank, which triggers a series of job tasks.

  Initial procedures—the job tasks of the bank clerk—require and use the personal identifiers, such as name, address, Social Security and bank account number, to identify, verify, and retrieve the customer’s file from the bank database. The record of deposit is then entered into the database. A paper receipt is printed for the customer. Then the transaction is recorded on a bank statement, which is mailed to the patron, usually at the end of the month.

  The steps throughout this financial transaction represent an information process. Even this single bank deposit involves at least five job tasks performed in at least two different job positions—and each of these job tasks can be ordered sequentially from beginning (the deposit) to end (the bank statement). Flow-charting lays out this information process visually.

  Flow-charting always follows the process through job positions and not the people who hold those positions. Job positions are relatively stable whereas people come and go. Moreover, it is the process that is to be secured.

  Appendix I defines, describes, and illustrates information processes and how to illustrate them. Exhibit I.1 shows 12 of the most commonly used standardized engineering symbols—the universal language for interpreting flow charts. Exhibit I.2 shows how one team in the Leasing Department’s Vehicle Inventory Unit of a major U.S. automaker traced orders that are routinely faxed into that unit. These documents contain identifying information including the name, Social Security number, and driver’s license number of the individual requesting the lease (or sometimes purchase) of an automobile. At this time, carefully review Appendix I and Exhibits I.1 and I.2.
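  The flow-charting idea above can be captured in a small model that the team can keep alongside its drawn chart. The following Python program is an added illustration, not code from the book or the BISP: it represents the drive-in deposit as an ordered list of job tasks, each owned by a job position (never a named person) and each listing the identifiers it handles, then reports which positions see which identifiers, where a sensitive identifier such as the Social Security number is present inside the department, and on which paper or mailed artefacts an identifier leaves the department. The task list, position names and identifier sets are constructed from the chapter’s narrative and are not a real bank’s workflow; the DOT output is for the Graphviz tool, which is an assumption of this example.

```python
"""Trace identifiers through the job tasks of a work process (flow-chart model).

Added illustration, not from the book: the drive-in deposit described in the
chapter is modelled as an ordered list of job tasks. Each task belongs to a job
position (never to a named person) and lists the identifiers it reads or
writes; tasks that hand an artefact (receipt, statement) to the outside world
are marked. The task list, positions and identifier sets are constructed from
the chapter's narrative and are not a real bank's workflow.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Task:
    name: str
    position: str                    # job position that performs the task
    identifiers: frozenset           # identifiers the task handles
    leaves_as: Optional[str] = None  # external artefact produced, if any


# Constructed model of the deposit process, in sequence from deposit to statement.
DEPOSIT_PROCESS: List[Task] = [
    Task("Identify and verify customer", "Teller",
         frozenset({"name", "address", "ssn", "account_number"})),
    Task("Retrieve customer file", "Teller",
         frozenset({"ssn", "account_number"})),
    Task("Record deposit in database", "Teller",
         frozenset({"account_number"})),
    Task("Print paper receipt", "Teller",
         frozenset({"account_number"}), leaves_as="paper receipt"),
    Task("Prepare monthly statement", "Statements clerk",
         frozenset({"name", "address", "account_number"}), leaves_as="mailed statement"),
]


def identifiers_by_position(process: List[Task]) -> Dict[str, Set[str]]:
    """Which identifiers each job position handles anywhere in the process."""
    handled: Dict[str, Set[str]] = {}
    for task in process:
        handled.setdefault(task.position, set()).update(task.identifiers)
    return handled


def tasks_handling(process: List[Task], identifier: str) -> List[str]:
    """Every task at which a given identifier is present inside the department."""
    return [t.name for t in process if identifier in t.identifiers]


def exit_points(process: List[Task], identifier: str) -> List[str]:
    """Artefacts on which the identifier leaves the department (paper or mail trail)."""
    return [t.leaves_as for t in process if t.leaves_as and identifier in t.identifiers]


def to_dot(process: List[Task]) -> str:
    """Render the sequence as Graphviz DOT: boxes for tasks, parallelograms for documents."""
    lines = ["digraph process {", "  rankdir=LR;", "  node [shape=box];"]
    for i, t in enumerate(process):
        lines.append(f'  t{i} [label="{t.name}\\n({t.position})"];')
        if i > 0:
            lines.append(f"  t{i - 1} -> t{i};")
        if t.leaves_as:
            lines.append(f'  d{i} [shape=parallelogram, label="{t.leaves_as}"];')
            lines.append(f"  t{i} -> d{i};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for position, ids in identifiers_by_position(DEPOSIT_PROCESS).items():
        print(f"{position}: {sorted(ids)}")
    print("SSN present at:", tasks_handling(DEPOSIT_PROCESS, "ssn"))
    print("Account number leaves on:", exit_points(DEPOSIT_PROCESS, "account_number"))
    print(to_dot(DEPOSIT_PROCESS))
```

  Running the script shows that in this constructed model the Social Security number appears at only the first two tasks and on no artefact that leaves the department, while the account number travels all the way to the mailed statement. The same three questions (who handles it, where it sits, where it exits) are the ones a team answers when it reads a finished flow chart, and keeping the model in text makes it easy to re-run after a job task is added or moved.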

  Step 7. Perform the Pareto analysis. The results from brainstorming are used to conduct cause-and-effect analysis; the results from cause-and-effect analysis are used for flow-charting; and the results of flow-charting are used for Pareto analysis. Just as the chapters in this book build on one another, so, too, do these four quality-to-security tools. This step introduces the last tool, the Pareto analysis.
