Preventing Identity Theft in Your Business

by Judith M. Collins


  The team is to emphasize that the focus is on the job and not the person who holds the job; it is the “job process” that eventually is to be secured, using the information elicited in this group interview.

  The moderator may use the following open-ended questions: “What is the job’s specific purpose?”

  “Is personal information required to perform the job?”

  “What types of personal information are used to perform job tasks?”

  Encourage participation by all focus group employees.

  The recorder uses a flip chart to list job positions as identified by the focus group members.

  Conduct the focus group interview in one hour or less.

  APPENDIX F

  THE SECURITY JOB DESCRIPTION

  THE INFORMATION SECURITY RESEARCH INSTITUTE, LLC

  Job Title COMPUTER FORENSIC ANALYST

  Department Business Information Security

  Reports To Director

  Grade 10

  Exempt ___Yes ___No

  Pay Range 12

  Date December 18, 2004

  __________________________________________________

  THIS JOB POSITION IS SECURITY-SENSITIVE ______YES ______NO

  Purpose of the Job

  Describe why this job exists.

  Plan, coordinate, and implement security measures for the Business Information Security Program’s four assets—(1) people, (2) processes, (3) proprietary information, and (4) property—to prevent unauthorized access, modification, destruction, theft, and disclosure of employee, customer, or business identifying information.

  Essential Functions

  List the essential duties required for this job as identified in the job analysis.

  Secure computer databases.

  Detect security intrusions.

  Perform process risk assessments.

  Analyze security requirements.

  Regulate access to proprietary information.

  Monitor use of information files.

  Security-Related Essential Functions

  Secure computer databases.

  Detect security intrusions.

  Regulate access to proprietary information.

  Monitor use of information files.

  Other Duties

  What other important duties are performed occasionally, as identified in the job analysis?

  Conceal confidential information using encryption technology.

  Modify security procedures to incorporate new methods.

  Review violations of security procedures.

  Coordinate the Business Information Security Program with outside vendors.

  Knowledge, Skills, and Abilities

  List the knowledge, skills, and abilities identified in the job analysis and any licenses or certifications required to perform the job tasks.

  Computer hardware and software certification: knowledge of circuit boards, processors, chips, electronic equipment, and hardware and software applications

  Knowledge of identity theft and identity crimes, and network modus operandi

  Knowledge of relevant security equipment and strategies to protect people, processes, proprietary information, and property

  Ability to communicate effectively

  Ability to analyze security requirements

  Ability to install security programs to meet specifications

  Ability to determine what kinds of equipment are needed for security

  Knowledge of quality management problem-solving tools

  Knowledge of information process risk assessment procedures

  Knowledge of personnel selection for security practices

  Work Context

  Here describe the working conditions of the job.

  This job requires working indoors in environmentally controlled conditions; requires sitting, standing, and reaching and the use of hands to handle and control tools and equipment. The job requires the worker to coordinate or lead others in implementing security precautions and safeguards. The job tasks require high accuracy and exactness and the confidentiality of security-integrated mechanisms.

  Work Values

  What work values are required for this job?

  The job position requires honesty, trustworthiness, confidentiality, interpersonal skills, and self-motivated initiative to perform independent or team-related job tasks that involve confidential personal and business identifying information. This job is results-oriented and allows employees to use their strongest abilities, giving them a feeling of achievement.

  APPENDIX G

  INDUSTRIAL AND ORGANIZATIONAL SPECIALISTS IN TEST DEVELOPMENT AND VALIDATION

  Dr. Herman Aquinis

  University of Colorado Business School

  CB 165

  PO Box 173364

  Denver, Colorado 80217-3364

  Dr. José Cortina

  George Mason University

  MSN 3F5

  4400 University Drive

  Fairfax, VA 22030-1182

  Drs. Joyce & Robert Hogan

  Hogan Assessment Systems

  2622 E. 21st Street

  Tulsa, OK 74114

  Dr. Michael McDaniel

  Virginia Commonwealth University

  School of Business

  12305 Collinstone Place

  Glen Allen, VA 23059-7121

  Dr. Paul Muchinsky

  University of North Carolina—Greensboro

  Business Administration

  PO Box 26165

  Greensboro, NC 27402-6165

  Dr. Frank Schmidt

  Tippie College of Business

  University of Iowa

  Iowa City, IA 52242

  Dr. Neal Schmitt

  Department of Psychology

  Michigan State University

  East Lansing, MI 48824-1117

  Dr. Robert Tett

  University of Tulsa

  600 South College Avenue

  Tulsa, OK 74104-3126

  Dr. Judith Collins

  School of Criminal Justice

  Michigan State University

  East Lansing, MI 48824-1118

  APPENDIX H

  ONE COMPANY’S SHORT- AND LONG-TERM STRATEGIC PLAN

  The following example is a strategic plan developed by employees in one department of a large automobile manufacturing corporation. The team used the cause-and-effect analysis fishbone four-M model to identify the incoming sources into the department of both employee and customer Social Security numbers.

  Strategic Timeline for Securing the Four M’s

  Item | Short versus Long Term | Target Date for Completion

  Machines/Equipment

  1. Move printer to inner office. | short | immediate

  2. Move fax to inner office. | short | immediate

  3. Retrieve faxes when received. | short | immediate

  4. Wait at fax until document has been sent. | short | immediate

  5. Do not leave originals in fax machine. | short | immediate

  6. Lock computer screen when leaving desk. | short | immediate

  7. Lock file cabinets at all times. | short | immediate

  8. Make sure documents are shredded before walking away from shredder. | short | immediate

  Materials

  9. Produce only necessary documents. | short | immediate

  10. Do not leave documents on desktop. | short | immediate

  Methods

  11. Do not leave identifying information on voice mail messages. | short | immediate

  12. Change password often. | short | immediate

  Manpower

  13. Train all employees on above procedures. | short | week 1

  14. Evaluate performance on above procedures. | short/long | month 1, 2; annual reviews

  APPENDIX I

  THE INFORMATION PROCESS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

  DEFINING THE INFORMATION PROCESS

  Processes refer to the input-throughput-output of information that identifies employees or customers as this information is processed in a department, that is, the sequential job tasks processed while performing a job. Customer and employee information, or personal identities, are assets that can be secured by securing the information processes—the sequence of job tasks performed on the information (identities).

  A process, for example, may be the sequence of tasks required to fill work orders or medical prescriptions, to conduct financial audits, to prepare employee payroll checks, to process credit card applications, or to open retail accounts for on-credit purchases. In each of these instances, the job tasks require names, addresses, Social Security numbers, and other personal information. Without these items of identifying information, there would be no job tasks to perform: The jobs exist to process them.

  DESCRIBING AN INFORMATION PROCESS

  This example of an automobile leasing process (drawn in part from Chapter 8) is taken from an actual case in which corporate managers in a large automobile manufacturing plant lease automobiles for their own personal use. In this international corporation with hundreds of thousands of employees worldwide, as many as 100 or more of these and similar applications are processed daily.

  The process begins when an application from a manager for the lease of an automobile comes into the leasing department through company mail, U.S. mail, e-mail, fax, or telephone; sometimes the application is personally hand delivered by the manager. The information on the application is then verified against company records to confirm that the applicant is indeed a company manager. A third step requires the verification of information (the identities) against the state’s driver’s license records to rule out disqualifying driving violations, which would stop the processing of the application. Subsequent job tasks related to the leasing of the auto are performed in different job positions. Finally, when all information is verified, the document continues to the last job tasks leading to the approval of the leased automobile to the manager.

  Throughout the process, the identifying information of the manager seeking the automobile lease is handled in a series of sequentially ordered tasks linked to one another to form the work process. The application eventually is filed for renewal, and the process repeats, or discontinues—the name, Social Security number, and all other pieces of identifying information have been verified, acted on, and completed.

  Throughout the many steps in this process, information can be compromised, either internally, by the relatively few dishonest employees who steal from the majority of upstanding employees and company customers, or externally, by company contractors, service providers, or others, such as, in the example, the state driver’s license bureau. However, information work processes can be secured. To illustrate, the example continues (below) the case involving the automobile leasing department in which a team of managers and volunteer employees conducted an information process risk analysis. The solutions from this analysis were subsequently implemented and enforced by all of the employees in the leasing department.

  ILLUSTRATING THE INFORMATION PROCESS RISK ASSESSMENT

  Here is the background on how the team secured the leasing process. A manager wishing to lease an auto submits to the leasing department an application containing the following information: Social Security number (to verify employment), driver’s license number (to verify driving record), date of birth (to verify the applicant), and home address (for verification and future correspondence). The manager submits the application to the leasing department through company mail, U.S. mail, e-mail, fax, telephone, or by personal delivery. The process itself—the sequence of job tasks—begins with the receipt of the application into the department. The information process risk assessment follows these job tasks.

  Threats to security could come from each of the incoming sources. The manager-employee team first conducted brainstorming and cause-and-effect analysis to identify all of the potential incoming sources; they then used flow-charting to visually trace the flow of personal information through the department, following the job tasks—the standard, sequentially ordered tasks that are performed using the application. This flow of information can be thought of as the input-throughput-output of a document containing personal identities (or any other proprietary document, application, or other paper or digital form containing information). See Exhibit I.1 for common flow chart symbols. Exhibit I.2 shows the flow of information that routinely comes into the Leasing Department’s Vehicle Inventory Unit. Note the key the team created to interpret the flow chart.

  After the information process was visually charted, the project team analyzed each step in the process beginning at the point at which applications (information) arrive into the department. At each point on the flow chart, the team conducted brainstorming to generate all possible ways that identities could be compromised at that location or job position. (Recall here the importance of maintaining the focus on the process, not the person performing the process.) The team was seeking to identify any possible weak linkages in the application process where an identity theft could occur. After the team members identified all possible susceptibilities to threat at each point in the information process, they again used brainstorming together with cause-and-effect analysis to generate a large number of options for management consideration to secure the weak points in the information process.

  EXHIBIT I.1 Common Flow Chart Symbols

  Here are some of the things the team recommended to management to secure the first point in the information process, the entry of information into the department. For the mailroom, the recommended security solutions were to (a) secure from passersby the otherwise relatively open mailroom by simply closing the door, (b) require the use of access keys by departmental employees, (c) route (address) mail deliveries of lease applications to specific mailboxes for (d) routine retrieval by specified job positions. These simple and inexpensive security precautions served dual purposes: They tightened the perimeter of the mailroom, thereby securing it from outside access, and they limited access to managers’ identifying information to specific job positions of security.

  EXHIBIT I.2 Flow Chart Tracing the Route of a Fax Document through a Department—Each Location and Transfer Path Can Be Secured

  Source: Fax

  Dept: Vehicle Inventory

  Team Members: Frank, Martin, Janet, Marilyn, Peggy, Marlin

  Desks: 1 = Manager/Supervisor

  2 = CVMS Coordinator

  3 = D&B Coordinator

  4 = Authorization Code Coordinator

  Additionally, the fax machine was relocated to a more secure area, and incoming fax applications were assigned to specific job positions designated as positions of security. E-mail lease applications were secured by simple policies to change the positions of desks or of computers on the desks, to protect the privacy of the screens showing confidential information, and the usual computer security mechanisms (e.g., virus protection, firewalls, spyware controls) were installed and routinely updated by the computer department. Using the quality-to-security tools, the project team conducted this information process risk assessment at each step of lease application and subsequently secured the entire process.

  A KEY POINT

  This actual case illustrates how important it is that the project team be composed of a cross-section of employees holding different job positions within the department: A single process, such as the above processing of an application through the leasing application department, may cut across several job positions. The key point is that employees closest to this process are those who perform the job tasks and therefore are also the employees who are the most knowledgeable about the sequence of tasks. These individuals also are in the best positions to identify weaknesses in the process and solutions to correct them.

  APPENDIX J

  THE PARETO ANALYSIS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

  DEFINING PARETO ANALYSIS

  Pareto analysis is a problem-solving method developed in 1986 by Taguchi, a pioneer in the quality control movement, and adapted by the Business Information Security Program (BISP) for controlling security. Pareto analysis prioritizes problems identified in cause-and-effect analysis in their order of importance. The Pareto diagram is a simple bar chart that lists the frequencies of potential threats of a problem. For purposes of information process security, the place in the process having the most potential threats is also the most important problem and the first in order of priority to be secured.

  DESCRIBING PARETO ANALYSIS

  Consider a document that arrives at a company by the U.S. mail. The document is (1) delivered to the company mailroom, (2) sorted, (3) picked up by a mail clerk, (4) delivered to a departmental mailbox, and (5) retrieved by an employee or delivered to some job position where one or more job tasks are performed on the document. Examples of such tasks may be entering information into a company database or verifying information on the document. Typically, several job positions may perform several job tasks involving either paper or digital processing of incoming financial and other applications and documents. In this brief scenario, there are at least four susceptible points where the identity of an employee or customer could be compromised: (1) from the incoming company mailbox by anyone passing by, (2) by a mail clerk or someone impersonating a mail clerk, (3) by anyone who might see the document lying on a desk or displayed on a computer screen, or (4) by someone in the input-throughput-output chain of job positions where sequential tasks are performed on the document. This information process has, in great part, already been secured by securing the people front. However, to secure the process, information security requires a two-pronged approach—people and process security.
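The following is an added example, not from the book or the BISP materials: it models the per-step threat brainstorming of Appendix I and the Pareto ranking of Appendix J over the five mail-handling steps just described. The step names and the threats listed for each are constructed sample data, and the 80 percent cutoff is an assumption, not a figure the book gives.

```python
"""Pareto ranking of brainstormed threats per process step (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStep:
    name: str       # location in the input-throughput-output chain
    threats: tuple  # threats the team listed at this location (constructed sample)


# Constructed sample: the five steps of the U.S. mail scenario above,
# each with the susceptibilities a brainstorming team might have listed.
MAIL_PROCESS = [
    ProcessStep("mailroom delivery", ("open mailroom door", "passerby picks up mail", "misdelivery")),
    ProcessStep("sorting", ("mail left unattended on sorting table",)),
    ProcessStep("mail clerk pickup", ("impersonated clerk", "clerk reads contents")),
    ProcessStep("departmental mailbox", ("unlocked mailbox", "shared mailbox",
                                         "delayed retrieval", "no designated retriever")),
    ProcessStep("desk / data entry", ("document left on desk", "screen visible")),
]


def pareto_rank(steps):
    """Return (name, threat_count, cumulative_pct) rows, most threats first.

    This is the Pareto diagram in tabular form. Ties keep the original process
    order (sorted() is stable), so an earlier step in the chain ranks first."""
    total = sum(len(s.threats) for s in steps)
    ordered = sorted(steps, key=lambda s: -len(s.threats))
    rows, running = [], 0
    for s in ordered:
        running += len(s.threats)
        rows.append((s.name, len(s.threats), round(100 * running / total, 1)))
    return rows


def priority_steps(steps, cutoff_pct=80.0):
    """Steps to secure first: the ranked prefix whose cumulative share of
    threats first reaches cutoff_pct (the assumed 'vital few' threshold)."""
    chosen = []
    for name, _count, cum in pareto_rank(steps):
        chosen.append(name)
        if cum >= cutoff_pct:
            break
    return chosen


if __name__ == "__main__":
    # Text rendering of the Pareto bar chart.
    for name, count, cum in pareto_rank(MAIL_PROCESS):
        print(f"{name:22s} {'#' * count:6s} {count:2d}  cumulative {cum:5.1f}%")
    print("secure first:", priority_steps(MAIL_PROCESS))
```

Re-running the ranking after the mailroom controls from Appendix I are applied (fewer threats at that step) shows how the priority list shifts to the next weakest location.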
