how refers to → distribute → deliver → sort
where refers to → desk → mailbox → computer
Use the described universal engineering symbols to label the paths that HIPAA information takes as it flows (is processed through sequentially performed job tasks and job positions) through a department. Build on the flow chart by conducting structured and formal brainstorming and using cause-and-effect analysis and the four M’s: manpower, methods, machine, and materials.
Exercise 3
Secure the HIPAA process. Use the results from the formal brainstorming and the cause-and-effect analysis (and other methods described within the chapters) to generate mechanisms to secure the work processes.
Exercise 4
Develop short- and long-term strategic plans to implement these security mechanisms. Short-term plans are those that can be put into effect immediately without much cost or time. Long-term plans require formal approval and possibly budgeting. Be specific with target dates.
In summary, these four brief examples describe the straightforward and easy-to-use methods that are universally established and widely documented for their effectiveness in producing results that are valid and reliable. These are the methods used in this book to help companies provide comprehensive security for employees and customers.
Healthcare companies have come under harsh public scrutiny because of the costs of healthcare. Now, due to the increasing public awareness of the HIPAA database, consumers are even more fearful and hesitant when seeking services or products from healthcare businesses. This is unfortunate because there really is no cause for concern when a company has secured its business border inclusively and exhaustively, going beyond computer security. Companies that institute the BISP security standards will be in full compliance with federal laws and while doing so can also become recognized as concerned advocates for consumer security.
Now, it is time to congratulate the two project teams and company employees who helped build security for your company!
APPENDICES
APPENDIX A
THE SECURITY STANDARD CHECKLIST
IDENTITY THEFT PREVENTION
Project Team #1
Security Standard 1 (Chapter 8): Identify Identities
Exercise 1. _____Identify “personal” identities
Exercise 2. _____Organize “personal” identities and determine entry points
Exercise 3. _____Identify “business” identities
Exercise 4. _____Organize “business” identities and determine entry points
Security Standard 2 (Chapter 8): Match Identities
Exercise 1. _____Determine “internal” job titles
Exercise 2. _____Match “internal” job titles with “personal” and “business” identities
Exercise 3. _____Determine “external” job titles
Exercise 4. _____Match “external” job titles with “personal” and “business” identities
Security Standard 3 (Chapter 9): The Security Job Analysis
Exercise 1. _____Identify job tasks
Exercise 2. _____Create checklist of job tasks
Exercise 3. _____Administer checklist to incumbent-experts
Exercise 4. _____Score checklist
Exercise 5. _____The security job description
Security Standard 4 (Chapter 10): Recruitment for Security
Exercise 1. _____“Snowballing”
Exercise 2. _____Involve current employees
Exercise 3. _____Solicit new applicants
Exercise 4. _____Use personnel agencies
Security Standard 5 (Chapter 11): Personnel Selection for Security
Exercise 1. _____The Cognitive Ability Test: Option A
Exercise 2. _____The Cognitive Ability Test: Option B
Security Standard 6 (Chapter 12): Select for Motivation
Exercise 1. _____The Motivation Test: Option A
Exercise 2. _____The Motivation Test: Option B
Security Standard 7 (Chapter 13): Select for Integrity and Security
Exercise 1. _____The Integrity for Security Test: Option A
Exercise 2. _____The Integrity for Security Test: Option B
Security Standard 8 (Chapter 14): Select for Interpersonal Skills
Exercise 1. _____The Test of Interpersonal Skills: Option A
Exercise 2. _____The Test of Interpersonal Skills: Option B
Security Standard 9 (Chapter 15): Socialization, Company Culture, Realistic Job Preview
Exercise 1. _____Assess company culture
Exercise 2. _____Further analyze to identify improvements
Exercise 3. _____Create realistic job preview
Exercise 4. _____Develop strategic plans
Security Standard 10 (Chapter 16): The Security Orientation Program
Exercise 1. _____Design security orientation program
Exercise 2. _____Prepare written agenda for orientation program
Exercise 3. _____Present security orientation program to current employees
Security Standard 11 (Chapter 17): The Appraisal and Feedback Instrument
Exercise 1. _____Develop individual appraisal instrument
Exercise 2. _____Develop group appraisal instrument
Exercise 3. _____Develop self-appraisal instrument
Exercise 4. _____Develop departmental appraisal instrument
Exercise 5. _____Develop time plans and procedures
Exercise 6. _____Recognize and reward employees
Project Team #2
Security Standard 12 (Chapter 18): Secure Information Processes
Step 1. _____Carefully review Chapter 6
Step 2. _____Create project team
Step 3. _____The quality-to-security tools: Overview
Step 4. _____Brainstorming
Step 5. _____Cause-and-effect analysis
Step 6. _____Flow chart analysis
Step 7. _____Pareto analysis
Exercise 1. _____Identify sources of personal identities
Exercise 2. _____Track the flow of personal identities
Exercise 3. _____Locate weaknesses in information processes
Exercise 4. _____Prioritize weaknesses in processes
Exercise 5. _____Secure information processes
Exercise 6. _____Develop time plan
Security Standard 13 (Chapter 19): The E-Business Web Site
Exercise 1. _____Develop web site security assessment
Exercise 2. _____The web site security assessment: Administer, score, interpret
Security Standard 14 (Chapter 20): The Customer Security Program Document
Step 1. _____Listen to victim
Step 2. _____Review “Process of Healing” exercises with victim
Step 3. _____Instruct victim on immediate steps
Step 4. _____Discuss with victim the “Process of Healing”
Step 5. _____Instruct victim on additional steps
Step 6. _____Inform victim of credit report reviews
Step 7. _____Advise victims on writing letters of correction
Step 8. _____Advise victims of the police assistance role
Security Standard 15 (Chapter 21): E-Commerce “Best Practices” for Customers
Exercise 1. _____Develop e-commerce best practices
Exercise 2. _____Create letters to consumers
Exercise 3. _____Create a web page
Security Standard 16 (Chapter 22): The Legislative Process
Exercise 1. _____Review identity theft laws
Exercise 2. _____Develop legislation on identity theft
Exercise 3. _____Present proposals, issue press release
APPENDIX B
CHECKLIST OF TEAM PREREQUISITES
_____ Elect, select, or seek volunteer employees who will comprise the project team.
_____ Select a minimum of three and a maximum of five employees for team membership.
_____ Include at least one manager from the department being secured.
_____ Select long-tenured employees, those most familiar with departmental jobs.
_____ Select team members able to meet consistently each week throughout the project.
_____ Choose team members from the same or interrelated departments.
_____ Choose as team members employees who hold different job positions within the department.
APPENDIX C
STRUCTURED AND FORMAL BRAINSTORMING: STEP-BY-STEP INSTRUCTIONS
The quality management literatures use a common definition with standardized instructions for conducting brainstorming, sometimes called “structured” or “formal” brainstorming. The following paraphrased definition and instructions are borrowed, in parts, from several different quality management authorities.1
DEFINITION OF FORMAL BRAINSTORMING
Brainstorming: (1) is a problem-solving method (2) used to generate ideas by (3) using the creative process of employees working together as a team (4) whereby each team member capitalizes on the synergy created by the group process, for the goal of (5) developing a large list of specific ideas.
Brainstorming is used to investigate, analyze, and identify causes and also solutions to problems. To be effective, brainstorming requires disciplined participation in a process that follows a particular structure, which the quality management literature refers to as “structured” and “formal.”
The benefits of brainstorming are that a large list of ideas can be generated in a short time period by a team of members who are involved in this process. The process also promotes group participation, cohesion, and unity.
STEP-BY-STEP INSTRUCTIONS
Use these structured guidelines for your brainstorming session:
Create a team, or teams, of three to five employees, including at least one manager. The ideal group size is five.
Use a round or rectangular table so that each team member will face all others, an arrangement important for visual and direct communications.
The team selects a recorder: someone who will later print the results of brainstorming.
Use a large flip chart located near the table. At the top of the flip chart, clearly and concisely print a heading that briefly defines the team’s task. Exhibit C.1 shows a formal brainstorming task statement taken from an actual exercise.
Allow 10 to 15 minutes for “think” time. During this time, team members independently generate their own lists of ideas about solving the problem in the task statement. This is also “quiet” time during which there is to be no discussion.
Members write each idea on a Post-it note, using one Post-it for each idea.
After the personal think time, use the round robin approach to generate a larger number of ideas: Each person, one at a time around the table, states one idea from only one Post-it note. There is no discussion of ideas during the round robin listing of ideas: This is the “discipline” required of structured and formal brainstorming.
As each person states an idea, the recorder numbers and then clearly prints this idea on the flip chart. The team will be working from this list.
As the round robin proceeds, each team member jots down on a new Post-it note any new ideas that are triggered as others state their ideas. This is called the “idea generating” phase and the synergy of brainstorming.
Permit no evaluation of ideas during the round robin. The round robin is the team’s think time.
Give everyone an equal chance to participate, in turn.
Pass when you have used up your Post-it notes of ideas.
The recorder continues to keep the ideas visible by using the large flip chart sheets.
When all team members have “passed,” the round robin is completed.
Now it’s time to discuss. Follow these guidelines for discussion:
Make sure that everyone understands each item on the list.
Be clear and specific about each item.
Eliminate duplicate items.
Combine similar or common items.
To summarize, the structured rules for disciplined and formal brainstorming are:
Start with 10 to 15 minutes of “think” time.
Contribute in turn.
Allow one idea per person per turn.
You may pass.
Do not explain ideas.
Do not criticize others’ ideas.
Aim for quantity.
EXHIBIT C.1 A Brainstorming Task Statement
The following statement was taken from the heading of a flip chart used in an actual brainstorming session. Notice that the statement spells out precisely the task to be performed.
“Determine the Factors to Be Included in a Bioterrorism Contingency Plan for the University Auditorium.”
EXHIBIT C.2 A Brainstorming List
Taken from an actual case, the task statement was:
“Determine All Sources of Personal Identities Coming into the Automobile Leasing Department.”
The following list was created from this task statement:
Phone
E-mail
U.S. mail
Interoffice mail
In-person application
APPENDIX D
CAUSE-AND-EFFECT ANALYSIS: STEP-BY-STEP INSTRUCTIONS
Cause-and-effect analysis builds on and organizes the ideas generated in brainstorming. The Business Information Security Program (BISP) adapts the cause-and-effect analysis method from the management sciences to organize the list of identities generated in brainstorming sessions.
Cause-and-effect analysis uses the quality management fishbone framework.
According to this quality management theory, the source of all management problems can be attributed to four Ms: manpower, methods, machine, and materials.
In the context of the BISP model, manpower refers to people; methods are the work processes, policies, or procedures; machines refer to all types of equipment and represent property; and materials may also be property, in the form of documents, application forms, and any other products used to perform the job tasks.
As an example, exercises in Chapter 8 identify the incoming sources of identities into a department. If documents containing personal information are hand delivered, “hand delivery” would be a source categorized under manpower, and if personal information is also delivered through a phone conversation, the source term “telephone” would be categorized and listed under the heading “machines,” and so on.
The cause-and-effect fishbone four-M framework is used throughout for problem-solving exercises. The items shown on the fishbones in Exhibits D.1 and D.2 were borrowed from the flip chart of one company (where identities were stolen) to illustrate how an item can be categorized under each of the four Ms. For this particular exercise, the team was determining “why” identities might have been stolen from the department. The team’s task statement was, simply, “Why Identities Are Stolen.”
EXHIBIT D.1 Cause-and-Effect Analysis for Incoming Identities
Note: Item examples on fishbone frame selected from an actual company where identities had been stolen.
EXHIBIT D.2 Cause-and-Effect Analysis of Sources of SSN Thefts
Note: SSNs refer to Social Security numbers; several items selected from an actual case.
APPENDIX E
THE SECURITY FOCUS GROUP INTERVIEW
Some of the exercises in these chapters may benefit from information known to departmental employees who are not members of the employee-manager team. A focus “group” interview is ideal for generating such information because focus interviews are semistructured and efficient, and several employees can participate at one time. Focus group interviews are idea-generating processes used typically to gather information from customers about the design or utility of a product or service. For identity security, the Business Information Security Program adapts and employs the focus group interview for use with employees to elicit information about which job tasks might require knowledge of or have access to personal identities.
A job’s title may suggest the job is a position of security, but job titles do not fully describe jobs. The focus group interview involves several employees in the same department and where work processes may be interrelated. Together, these individuals help to identify job positions that may frequently or infrequently use personal identities. Throughout, the center of attention is on the job and not the person who holds the job—it is the job’s process that is to be secured.
Focus group interviews, like brainstorming, follow a formal structure and also build on the synergy of group members. Use these instructions to conduct the focus group interview.
Elect a team member who will serve as the “moderator.” The moderator’s task is to keep the focus on the goal: to generate information about jobs within the department that use personal identities.
Elect a second team member to record responses.
As a team, identify and invite up to eight other randomly selected employees to participate in the focus group interview. Select these employees from different ranks and job positions to obtain information on a cross section of jobs.
Arrange the table seating so that the employees and team members face one another.
The moderator directs the discussion, but neither the moderator nor the team members express their views or make judgments about a job.
Preventing Identity Theft in Your Business Page 20