
Preventing Identity Theft in Your Business


by Judith M. Collins


  Pareto analysis is a two-step procedure. First, the analysis prioritizes the problems identified in the cause-and-effect analysis and the flow chart, in order of importance. The location in an information process where the threat of identity theft is greatest is also the most important problem and the first in order of priority to be secured. Second, the Pareto diagram, a simple bar chart that lists the frequencies of potential threats to a location, is created. The Pareto analysis quality control tool, adapted by the BISP for security control, is defined, described, and illustrated in Appendix J. Take time now to review Appendix J. Then continue on with the exercises below to complete Standard 12, the Information Process Risk Assessment.

  STANDARD 12. INFORMATION PROCESS RISK ASSESSMENT

  Standard 12 calls for a risk assessment to be conducted on information processes within a department. The new project team is to use the results obtained from the analysis conducted in Chapter 8 by the first project team. In that chapter, the first project team developed lists of “personal” and “business” identities and the sources of those identities into the department. It is these sources that are the subjects in the first exercise here, using the previously described quality-to-security tools.

  Goal: Conduct an information process risk assessment on information processes within the department to secure the process from threats of identity theft.

  Specific Objectives: There are four objectives.

  Identify incoming sources of identities into the department—personal (employee and customer) or business, or both. Do one category of identity at a time (e.g., personal then business). For ease in discussion and descriptions, it is hereafter assumed that the focus of attention is on personal identities.

  Trace the flow of the identifying information as it is processed through the department by tracing the documents that contain such information.

  Determine the locations in the process where the identities are most susceptible to theft.

  Secure this information process—the input–throughput–output process—in which job tasks on a document (e.g., loan application) are sequentially performed by different job positions within a department.

  Orientation

  To complete Standard 12, the Information Process Risk Assessment, first follow steps 3 through 7 in the orientation given above. Then go on to exercise 1.

  Exercise 1. Identify Sources of Personal Identities

  Estimated Time: This exercise was completed by the first project team.

  Obtain from team 1 the list of incoming sources of personal identities. If exercise 2 in Chapter 8 has not already been completed, use these instructions:

  Use structured brainstorming to determine where the identities first come into the department. To do so, generate a list of all present and potential future incoming sources of information. Focus on the places or locations where information first enters the department. For example, if information is sent through the mail and the mail is delivered to a location in the department, that location—desk, mailbox, or other—is the first source and the entry point into the information process. Information (e.g., identities) can also come into the department by fax, phone, e-mail, or other internal or external memos, letters, or other sources.

  The information process risk assessment concerns information within a department. What occurs with the information before it arrives or after it leaves the department is not in the process and is, therefore, not in the control of the department. To the extent that the information is processed across departments, the security of the information depends on information process risk assessment being conducted in those departments as well. Use the lists of incoming sources of personal identities in exercise 2.

  Exercise 2. Track the Flow

  Estimated Time: Three Hours

  For each source—the entry point of information into the department, the “input” stage in the process—on the list (exercise 1), use flow-charting to trace the identity as it is processed through the department. That is, trace the input-throughput-output flow of a document, statement, or other form that carries personal identities.

  An important note: Be certain to distinguish between how the information is processed and where it is processed. For example, how refers to verb terms such as “distribute,” “deliver,” and “sort,” and where refers to nouns such as “desk,” “mailbox,” and “computer.” Thus, an identity theft could occur during distribution, delivery, or sorting, or by taking from a desk, mailbox, or computer. The author suggests using the nouns—the where, the sequential job positions where identifying information is worked on; that is, where tasks are performed using the identities. See Appendix I, Exhibit I.2, for a simplified example of locations in a flow chart. These job positions or locations are the first to be secured and then the transfer paths between the locations can be secured.

  To continue, follow the document (containing the identity) beginning at its source and through the job positions that perform the standard job tasks on this type of document (e.g., loan applications). Generate an input-throughput-output flow chart using the standardized engineering symbols, the universal language for interpreting flow charts, presented in Appendix I, Exhibit I.1.

  Exercise 3. Locate Weaknesses in the Information Process

  Estimated Time: Three Hours

  This exercise uses the quality-to-security tools interchangeably. That is, building on the flow chart analysis from the last exercise, proceed to apply formal brainstorming at each point in the flow chart process to generate as many ideas as possible as to how personal information could be subjected to theft at that location in the process. Use the flip chart, create the task statement, and follow the rules for personal time and the round robin. Perform this exercise now.

  Next, building on the results of the brainstorming, conduct a cause-and-effect analysis to organize the brainstorming ideas along the four M’s: manpower, methods, machine, and materials. Review, if necessary, the cause-and-effect procedure in the above orientation. Refer also to Exhibits D.1 and D.2 in Appendix D for the cause-and-effect analysis that was conducted by one company’s team. Note in the exhibits that the cause is one of the four M’s and the effect is the identity theft. Remember, the task now is to organize the target points or locations according to the cause.

  To illustrate by way of a further example, if a driver’s license number is sent into the department for verification using e-mail, the possible routes to theft of this identity may be one or all of the following: manpower (allowing others to use the computer); an unsecured machine (spyware on the computer); materials (unsecured hard copy of the e-mail message); or method—unencrypted or intercepted e-mail. Each of these four—manpower, machine, materials, and method—is a potential root source of the theft of the identity: name, address, Social Security number, bank account, credit card, or other. Systematically recognizing and analyzing the four M’s after initial brainstorming based on a flow chart analysis almost always reveals additional weaknesses in the information process. When completed, go on to the next exercise, the Pareto analysis.

  Exercise 4. Prioritize Weaknesses in the Process

  Estimated Time: Four Hours

  Pareto analysis is used to analyze the results obtained from flow-charting and the cause-and-effect analysis. Use the columnar format depicted in Appendix J. List each incoming source in column 1. Create headings for the locations to be secured. In Appendix J, the location is described in terms of the sequential job positions through which the identity was “worked on,” or processed. Include a heading for Frequencies: the number of places in the process that the document passes through. In Appendix J, for example, the U.S. mail document passed through three locations. Next, simply for ease in visualizing the most important locations to be secured, transfer this information to a bar chart, using again the example in Appendix J. The bar chart is the basis for exercise 5—securing the information process.
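  The Pareto tabulation of exercise 4, carried through in code as an added example that is not from the book: the incoming sources, the job positions (locations) each document passes through, and the four-M-tagged threats are constructed sample data, and the location names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the book): for each incoming source,
# the sequence of job positions (locations) from the exercise 2 flow chart.
FLOWS = {
    "U.S. mail": ["mailroom", "loan clerk desk", "underwriter PC"],
    "fax": ["fax machine", "loan clerk desk", "underwriter PC"],
    "e-mail": ["loan clerk desk", "underwriter PC"],
}

# Constructed threats from the exercise 3 brainstorming, each tagged with
# the four-M cause assigned in the cause-and-effect analysis.
THREATS = [
    ("mailroom", "manpower", "unattended open mail bin"),
    ("mailroom", "materials", "unshredded envelopes in waste"),
    ("fax machine", "materials", "received pages left in output tray"),
    ("fax machine", "manpower", "shared area, no pickup log"),
    ("loan clerk desk", "materials", "applications stacked face up"),
    ("loan clerk desk", "manpower", "desk left unlocked at lunch"),
    ("loan clerk desk", "machine", "screen visible to walk-up customers"),
    ("loan clerk desk", "method", "forms forwarded by unencrypted e-mail"),
    ("underwriter PC", "machine", "no screen lock, spyware risk"),
    ("underwriter PC", "method", "files copied to shared drive"),
]

def pareto_table(flows, threats):
    """Rank locations by number of identified threats (descending) with the
    cumulative share of all threats; this is the basis for the bar chart."""
    per_location = Counter(loc for loc, _, _ in threats)
    for locs in flows.values():          # keep locations with zero threats
        for loc in locs:
            per_location.setdefault(loc, 0)
    total = sum(per_location.values())
    rows, cum = [], 0
    for loc, n in sorted(per_location.items(), key=lambda kv: (-kv[1], kv[0])):
        cum += n
        rows.append((loc, n, round(100 * cum / total, 1)))
    return rows

def source_frequencies(flows):
    """The 'Frequencies' column of Appendix J: locations each source passes through."""
    return {src: len(locs) for src, locs in flows.items()}

def causes_by_location(threats):
    """Per-location breakdown of threats by four-M cause (secure these first)."""
    out = defaultdict(Counter)
    for loc, cause, _ in threats:
        out[loc][cause] += 1
    return out

def bar_chart(rows):
    """Text rendering of the Pareto diagram, highest-priority location first."""
    width = max(len(r[0]) for r in rows)
    return "\n".join(f"{loc:<{width}} {'#' * n:<6} {n} ({pct}%)" for loc, n, pct in rows)

if __name__ == "__main__":
    print(bar_chart(pareto_table(FLOWS, THREATS)))
```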

  Exercise 5. Secure the Information Process

  Estimated Time: Four Hours

  So far, the route through the department of a document containing identifying information has been determined, as have the vulnerable weak points in this process. It is now time to secure the process. Use formal brainstorming to generate a comprehensive list of creative ideas as to how each location in the process might be secured. Be certain to use the flip chart, create the task statement, and follow the rules for personal time and for conducting the round robin (as described in Appendix C). Then organize this list of ideas using cause-and-effect analysis. The goal in the cause-and-effect analysis is to identify mechanisms or methods by which each of the items listed under the four M’s can be secured.

  Exercise 6. Develop a Time Plan

  Estimated Time: Three Hours

  The results of the information process risk assessment are useless without a time plan to implement them. Upon completing exercise 5, agree by team discussion and consensus on short- and long-term time plans to implement the security mechanisms. Appendix H presents one company’s strategic plan for implementing mechanisms for security. Many short-term plans can be put into effect immediately without much time, effort, or other costs. Longer-term plans may require budgeting and formal approval from upper management. Be realistic and specific with target dates. Present the final results to management as recommendations for action.

  In conclusion, the process front now has been secured; that is, security mechanisms are in place for the work processes used to manage and maintain personal identifying information. It is now time to turn attention to the property front—that is, the virtual property, the company’s Web site. E-shopping is not the wave of the future—it is here now. To maintain a competitive advantage and remain financially stable, today’s businesses must provide consumers with opportunities for e-shopping and online experiences that are perceived as safe and secure.

  Unfortunately, consumers are increasingly reluctant to shop online for fear of identity theft. Much depends, however, on a customer’s perception of security while shopping online. In the next chapter, the team’s task is to ensure that customers feel safe when conducting business on your company’s Web site.

  With the completion of this chapter’s exercises, the second project team has completed its first Security Standard—the process front. The next task is to secure the property front—the company’s e-commerce Web site.

  CHAPTER 19

  THE PROPERTY FRONT: THE E-BUSINESS WEB SITE

  How safe do e-shoppers feel when they visit your Web site? All businesses conduct employee performance evaluations either formally as part of an annual review or informally during day-to-day operations. However, few companies, if any, assess the performance of their Web sites with respect to customer perceptions of security. For e-businesses, a customer’s assessment of the security of a Web site could provide critical information, which is the purpose of Standard 13.

  STANDARD 13. WEB SITE SECURITY ASSESSMENT

  Customers are the users of the e-business Web sites. Potential customers might use the sites if they perceive that their information is secured. The customer, therefore, whether an online shopper or not, is in the best position to inform the company of perceptions of security. In addition, by offering customers an opportunity to help secure their own privacy, your company conveys the message that it cares.

  Goals: Develop a Web site security assessment, then administer the assessment to internal employees and to volunteer customers.

  Specific Objectives: This standard aims to measure the performance of the company Web site in terms of customer perceptions of security for conducting e-business and to solicit new ideas from those customers for improvements that might create a broader sense of security for e-shopping.

  Exercise 1. Develop the Web Site Security Assessment

  Estimated Time: Three Hours

  Solicit and invite participation of a group of 5 to 10 company employees (other than the project team) from a cross section of departments for formal brainstorming and a focus group interview. The task is to use structured brainstorming followed by a group interview to generate the largest possible list of ideas that will make e-shoppers feel secure when using the company Web site.

  Depending on their use of Web sites for conducting e-business and their knowledge of computer and network security, employees from a wide range of departments will generate different ideas. People with little or no knowledge of computers or e-shopping practices often offer new and unique ideas because they are not thinking “within the box.” The list of ideas can include technical methods for securing the Web site, but the ultimate goal is to generate new and creative visual or verbal messages that portray your company’s sincerity for customer security. This exercise is conducted in three steps.

  Step 1. Conduct formal brainstorming with three groups of company employees: two groups of volunteer employees from various departments and the third, the project team. Before beginning, elect a project member to carefully review with the two new groups the step-by-step instructions for formal brainstorming (Appendix C). Carefully follow these instructions using a flip chart for each team, the task statement, personal think time without discussion, the numerical listing of ideas on the flip chart, and the round robin. (Remember, the round robin is the disciplined procedure in which each person reports an idea generated during the personal think time; the recorder lists the idea on the flip chart; the next person reports an idea; and so forth, without discussion, until all ideas, including new ones triggered in the round robin, are exhausted.) Emphasize during the instructions an anything-goes approach, and encourage piggybacking on others’ ideas to trigger new ideas. Challenge the teams to generate the largest possible list of creative ideas for Web site security.

  Step 2. When the brainstorming exercise is finished, invite each team in turn to present their findings to the other two groups. After all presentations are made, use a fourth flip chart sheet to consolidate items generated by the three teams, eliminating duplicated items.

  Step 3. Now use the items on this fourth sheet as the basis for a focus group interview using the four-M framework to guide the group discussion. The object is to prompt group members to think about how each idea on the list might be implemented; that is, to discuss options for practical applications. Before beginning, carefully review the rationale for using the four-M framework.

  A typical agenda for this exercise might be:

  8:00–8:30 Coffee and introductions

  8:30–9:00 Instructions for structured and formal brainstorming

  9:00–10:00 Conduct formal brainstorming

  10:00–10:15 Break

  10:15–11:15 Team presentations

  11:15–12:00 Focus interview and discussion based on the four M’s

  Feedback is important. Describe to the volunteer teams how their ideas are to be used to develop the Web site document, and after the assessment has been administered (exercise 2), make certain to inform each of these employees of the final results.

  Exercise 2. Web Site Security Assessment

  Estimated Time: Two Hours

  Use the team approach and, in the next four steps, create and administer the Web site assessment and interpret the results.

  Step 1. Use the ideas from exercise 1 and the example in Exhibit 19.1 to create a Web site security assessment. Administer the Web site assessment first to internal customers (employees) not involved in its development for their additions or other modifications. Administer the assessment to employees in the form that it will be administered to customers. For example, if the project team decides to administer the final document online, then administer the assessment to employees online as well. Allow one to two weeks for employee responses. Then through team discussion and consensus, evaluate and integrate into the assessment document pertinent items or details that make further contributions.

  Step 2. Next, administer the final Web site security assessment online, in paper-and-pencil format through U.S. mail, to customers who visit the onsite store, or use a combination of these or other options. Select from the company database and invite participation from a large group of volunteers who are current customers, including customers who do not yet use the company Web site for their business transactions.

  Or administer the assessment through U.S. mail to a random sample of customers, or as part of a marketing campaign to inform and attract e-customers. Consider offering a coupon or some other form of compensation for customer participation. Note that this Web site security assessment is intended for use as an in-house document in which the customer, as distinguished from the consumer, is considered an insider.

  Step 3. Score the results. To determine the Web site features that give customers the most and least sense of security, sum each item (the Web site feature) across all returned assessments and then order the items in terms of priority from high to low.

  For example, if 100 customers participated and all selected “5” for the item “Seal of Information Security,” the highest possible score for that item would be 500. Alternatively, the lowest score for any given item would be 100, and the midrange score would be 300. Use this continuum as a benchmark to interpret the results, to order the items according to their relative scores, and to then identify items that could be included, emphasized, or omitted on the company Web site, based on customers’ perceptions of security.

  EXHIBIT 19.1 Example of a Web Site Security Assessment
