Preventing Identity Theft in Your Business
ILLUSTRATING THE PARETO DIAGRAM
To construct a Pareto diagram (Exhibit J.1), use a columnar pad to list the item to be secured and the locations in the process in which this item is susceptible to theft. Locations refer to the job tasks and/or the job positions that perform the tasks. Using the preceding example, in column 1 and on line 1 write “U.S. mail document.” In columns 2 through 4, write down each of the four points in the process where the document or information from the document may not be secure: (2) delivery position (do not use names, only names of job tasks or job positions), (3) job task #1 (job position #1), (4) job task/position #2, and so on. Now place a check mark in each of the four columns, because, as described, each of the locations where the job task is performed is potentially unsecured.
Next, select another item that was identified in the brainstorming, built on in the cause-and-effect analysis, and visualized in the flow chart analysis. Perhaps, for example, the document containing employee or customer identities comes into the department as a fax copy. Again in column 1 and now in row 2, write “fax copy.” Does the fax copy go to job task/position #1? If so, place a check mark in the third column, and so on.
For purposes of quality control, Pareto analysis can involve statistical analysis. For purposes of information process security, the statistics simply involve computing frequencies—the numbers of problems identified for each of the items in column 1. The items are to be ordered according to the highest frequency, that is, the locations having the most check marks. The last step is to prepare a bar chart to graphically illustrate this frequency distribution. (See Exhibits J.1 and J.2.)
EXHIBIT J.1 Frequencies for Pareto Analysis
Source to Be Secured Delivery Position Task/Position #1 Task/Position #2 F
U.S. mail document X X X 3
Fax document X X 2
Note: X = Locations where a type of document is to be secured. For example, for documents that come into a department by U.S. mail, security may be necessary at three locations: the delivery desk, a sorting desk, and another desk where tasks may be performed on one type of document.
F = Frequencies or total number of locations (where job tasks are performed) to be secured.
EXHIBIT J.2 Bar Chart for Pareto Frequencies
Key: 1 = U.S. mail document, 2 = fax, etc.
Note: Display the locations in the order of descending frequencies. On the graph, for example, for documents that come into a department by way of U.S. mail, three locations require security, and for fax documents, two locations require security.
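The tabulation and ordering steps above, as an added Python example that is not from the book: it computes column F of Exhibit J.1, orders the sources by descending frequency, and renders a text bar chart in place of Exhibit J.2. It goes one step beyond the exhibit by also totaling check marks per location. The two locations checked for the fax row are an assumption, since the exhibit does not preserve which columns were marked.

```python
# Added example: tabulating the Pareto frequencies of Exhibit J.1.
# Check-mark placement for the fax row is an assumption (see lead-in).
LOCATIONS = ["Delivery Position", "Task/Position #1", "Task/Position #2"]

# Constructed worksheet: source -> set of locations with a check mark.
WORKSHEET = {
    "Fax document": {"Delivery Position", "Task/Position #1"},
    "U.S. mail document": set(LOCATIONS),
}


def validate(worksheet, locations):
    """Reject check marks placed in a column that is not on the pad."""
    for source, marks in worksheet.items():
        unknown = marks - set(locations)
        if unknown:
            raise ValueError(f"{source}: unknown location(s) {sorted(unknown)}")


def source_frequencies(worksheet):
    """Column F: number of checked locations per source, highest first."""
    rows = [(source, len(marks)) for source, marks in worksheet.items()]
    # Sort by descending frequency; ties fall back to the source name.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def location_frequencies(worksheet, locations):
    """Column totals: how many sources need securing at each location."""
    totals = [(loc, sum(loc in marks for marks in worksheet.values()))
              for loc in locations]
    # Ties keep the left-to-right column order of the worksheet.
    return sorted(totals, key=lambda row: (-row[1], locations.index(row[0])))


def bar_chart(rows):
    """Text stand-in for Exhibit J.2: one bar per row, numbered key."""
    width = max(len(name) for name, _ in rows)
    return "\n".join(f"{i}. {name:<{width}} | {'#' * freq} {freq}"
                     for i, (name, freq) in enumerate(rows, start=1))


if __name__ == "__main__":
    validate(WORKSHEET, LOCATIONS)
    print(bar_chart(source_frequencies(WORKSHEET)))
    print(bar_chart(location_frequencies(WORKSHEET, LOCATIONS)))
```

The per-location totals show which job positions handle the most document types, so they indicate where a single safeguard covers the most sources.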
APPENDIX K
FORERUNNERS IN THE SUPPORT OF IDENTITY THEFT LEGISLATION
U.S. SENATORS
U.S. Senator Barbara Allen, R-Kansas
E-mail: allen@senate.state.ks.us
U.S. Senator Joseph R. Biden, D-Delaware
E-mail: senator@biden.senate.gov
U.S. Senator Maria Cantwell, D-Washington
E-mail: Online form at http://cantwell.senate.gov/contact/index.html
U.S. Senator Mike DeWine, R-Ohio
E-mail: Online form at http://www.senate.gov/~dewine/
U.S. Senator Richard J. Durbin, D-Illinois
E-mail: dick@durbin.senate.gov
U.S. Senator Dianne Feinstein, D-California
E-mail: Online form at www.senate.gov/~feinstein/email.html
U.S. Senator Charles “Chuck” Grassley, R-Iowa
E-mail: chuck_grassley@grassley.senate.gov
U.S. Senator Judd Gregg, R-New Hampshire
E-mail: mailbox@greg.senate.gov
U.S. Senator Orrin Hatch, R-Utah
E-mail: Online form at www.senate.gov/~hatch/email_form.htm
U.S. Senator Herbert Kohl, D-Wisconsin
E-mail: senator_kohl@kohl.senate.gov
U.S. Senator Jon Kyl, R-Arizona
E-mail: Online form at www.senate.gov/~kyl/con_form.htm
U.S. Senator Mitch McConnell, R-Kentucky
E-mail: senator@mcconnell.senate.gov
U.S. Senator Jeff Sessions, R-Alabama
E-mail: senator@sessions.senate.gov
U.S. Senator Arlen Specter, R-Pennsylvania
E-mail: Online email form at www.senate.gov/~specter/webform.htm
U.S. Senate Committee on the Judiciary
Subcommittee on Technology, Terrorism, and Government Information
224 Dirksen Senate Office Building
Washington, DC 20510
Majority Office Phone: (202) 224-5225
Majority Office Fax: (202) 224-9102
Republican Office Phone: (202) 224-6791
Republican Office Fax: (202) 228-0542
Web site: http://judiciary.senate.gov/
STATE OFFICIALS
Governor Jeb Bush
State of Florida
E-mail: Online form at www.state.fl.us/eog/govmailform.html or jeb.bush@myflorida.com
Attorney General Roy Cooper
State of North Carolina
North Carolina Attorney General’s Office
E-mail: agjus@mail.jus.state.nc.us
Attorney General Drew Edmondson
State of Oklahoma
E-mail: Online form at www.oag.state.ok.us/feedback.nsf/feedback
Attorney General Christine O. Gregoire
State of Washington
E-mail: ago@atg.wa.gov
Attorney General Bill Lockyer
State of California
Web site: http://caag.state.ca.us/ag/lockyer.htm
Attorney General Bill Pryor
State of Alabama
Web site: www.ago.state.al.us/
Senator Pam Redfield, Nebraska
E-mail: predfield@unicam.state.ne.us
Attorney General Ken Salazar
State of Colorado
E-mail: attorney.general@state.co.us
Jim Tedisco, Assemblyman
New York State Assembly
E-mail: Online form at http://assembly.state.ny.us/mem/?ad=103&sh=con
State Attorney Jeff Tomczak
State of Illinois
E-mail: StatesAttorney@willcountyillinois.com
Stephen P. Weber, CPA
Will County, Illinois, Auditor
E-mail: sweber@willcountyillinois.com
OTHERS
Nedra Pickler, Associated Press Writer
E-mail: npickler@ap.org
Richard M. Stana
Director, Justice Issues
The United States General Accounting Office
Web site: www.gao.gov
Frank Torres, III
Legislative Counsel
Consumers Union (Washington, DC office)
E-mail: Torrfr@consumers.org
NOTES
Chapter 1
1. Committee on the Judiciary, House of Representatives, Joint Hearing, 107th Congress, Second Session, Risk to Homeland Security from Identity Fraud and Identity Theft (Washington, DC: U.S. Government Printing Office, June 25, 2002); J. Hudson, ATM Skimming Funding Terrorists (West Linn, OR: American Criminal Investigators Network, April 14, 2004); Dennis Lormel, “Combating Terror Financing in America,” Special Policy Forum Report No. 867, Policywatch (Washington, DC: The Washington Institute, April 27, 2004); “Identity Theft Grows as Tool of Criminal, Terrorist Laundering,” Moneylaundering.com (June 2004), www.moneylaundering.com/ArticleDisplay.aspx?id=2955; P. O’Carroll, “The Homeland Security and Terrorism Threat from Document Fraud, Identity Theft and Social Security Number Misuse,” Congressional Testimony, U.S. Senate, Committee on Finance (Washington, DC: Office of the Inspector General, Social Security Administration, September 9, 2003); Department of the Treasury, “Treasury and Federal Financial Regulators Issue Final Patriot Act Regulations on Customer Identification,” Press Release JS-335 (Washington, DC: Office of Public Affairs, April 30, 2003).
2. U.S. Department of Justice, Al Qaeda Training Manual, February 23, 2004, www.usdoj.gov/ag/trainingmanual.htm.
3. R. Pear, “Thousands Are Getting IDs Illegally,” New York Times News Service, May 20, 2002, cached: www.dallasnews.com/latestnews/stories/052002dnnatsocial.11b8f.html.
Chapter 2
1. Judith M. Collins and Tracy McGinley, “Identity Theft Victims and the Process of Healing,” Manuscript (2001), Michigan State University–Business Identity Theft Partnerships for Prevention, 540 Baker Hall, East Lansing, MI 48824-1118, available from Judith Collins, judithc@msu.edu or idtheft@msu.edu.
2. J.M. Collins and S.K. Hoffman, “Identity Theft: Predator Profiles. Based on 1,037 Actual Cases,” Manuscript (2003), Michigan State University–Business Identity Theft Partnerships for Prevention, East Lansing, MI 48824-1118, available from Judith Collins, judithc@msu.edu or idtheft@msu.edu; Seth Stern, “Tougher Penalties for Identity Theft Win Approval from House Committee,” Congressional Quarterly–Legal Affairs (May 12, 2004); Thomas Claburn, “Feds Want Tougher Penalties for Insider Identity Theft,” InformationWeek (May 24, 2004), www.informationweek.com/shared/printableArticle.jhtml?articleID=20900519; U.S. Senate, 108th Congress, Second Session, H.R. 1731, “An Act,” Section 1028A(c) (Washington, DC: U.S. Government Printing Office, June 24, 2005); United States Secret Service and CERT Coordination Center (CERT/CC) of Carnegie Mellon University, “Survey of Network Security and Insider Threats” (2003/2004) available at www.survey.cert.org/InsiderThreat; Collins and McGinley, “Identity Theft Victims;” R. Pear, “Thousands Are Getting IDs illegally,” New York Times News Service (May 20, 2002) cached: http://www.dallasnews.com/lastestnews/stories/052002dnnatsocial.11b8f.html; R. Richardson, Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security Survey, Computer Security Institute (2003), available from rrichardson@cmp.com.
3. The Identity Theft Resource Center is an online resource for victims of identity theft and can be found at www.idtheftcenter.org. The postal address is PO Box 26833, San Diego, CA 92196. Michigan State University–Business Identity Theft Partnerships for Prevention, 540 Baker Hall, Michigan State University, East Lansing, MI 48828-1118. Michigan State University Identity Theft Crime and Research Laboratory, 116 Baker Hall, Michigan State University, East Lansing, MI 48824-1118, idtheft@msu.edu, www.cj.msu.edu/~outreach/identity.
4. The Federal Trade Commission’s identity theft help site is located at www.consumer.gov/idtheft/.
5. Tim McDonald, “Global Internet Banking Scam Closed, Investigators Say” (April 13, 2001), reported in www.newsfactor.com/perl/story/?id=8951.
6. Liz Flynn, “New Identity Theft Scam,” Southeast NewsLeader (Savannah, Georgia); (April 21, 2004), www.wtoctv.com/global/story.asp?s=1804798&ClientType=Printable.
7. “Ford Credit Warns Customers to Be Aware of Identity Theft” (May 16, 2002), www.freep.com/news/statewire/sw55929_20020516.htm.
8. “Oakland Briefs: Stolen Computer, Data Worries EDS” (May 20, 2002), http://detnews.com/2002/oakland/0204/26/d04-475315.
9. John Branton, “Stamping Out Mail Theft” (April 22, 2004), www.columbian.com/04222004/neighbor/137598.html.
Chapter 3
1. Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, 104th Congress (Washington, DC: U.S. Government Printing Office, August 21, 1996), www.hhs.gov/ocr/hipaa/.
Chapter 4
1. J.M. Collins and S.K. Hoffman, “Identity Theft: Predator Profiles: Based on 1,037 Actual Cases,” Manuscript (2003), Michigan State University–Business Identity Theft Partnerships for Prevention, East Lansing, MI 48824-1118, available from Judith Collins, judithc@msu.edu or idtheft@msu.edu; Richard Girgenti, “KPMG Fraud Survey” (2003), contact: www.kpmg.com; Brian Burke, “IDC’s Enterprise Security Survey,” R104-14400 (December 2003), report available at www.mindbvranch.com/listing/product/R104-14400.html; interview with Howard Beales, III, reported by Margaret Kane, “Insiders Pose ID Theft Threat” (January 23, 2003), CNET News.com, available at www.cnet.com; Vericept, Webinar presentation, “Protecting Your Information and Reputation” (July 2003), discussion of Trans Union Report, www.vericept.com; R. Pear, “Thousands Are Getting IDs illegally,” New York Times News Service, May 20, 2002, cached: http://www.dallasnews.com/lastestnews/stories/052002dnnatsocial.11b8f.html; R. Richardson, Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security Survey, Computer Security Institute (2003), available from rrichardson@cmp.com.
2. Victim’s Report (2003), Identity Theft Crime and Research Laboratory, School of Criminal Justice, Michigan State University, Baker Hall, East Lansing, MI 48824–1118, available at idtheft@msu.edu.
3. Ibid.
4. Ibid.
5. The Gramm-Leach-Bliley Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule (www.ftc.gov/privacy/privacyinitiatives/financial_rule.html) and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. See www.ftc.gov/privacy/gloats/. Under the GLB Act, the Safeguards Rule, enforced by the Federal Trade Commission, requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. See www.ftc.gov/privacy/privacyinitiatives/.
6. U.S. Senator Dianne Feinstein, www.feinstein.senate.gov/IDTheft.htm.
7. The Equal Employment Opportunity Commission Uniform Guidelines on fairness in personnel practices can be found online at www.eeoc.gov/policy/regs/ind; Title VII of the Civil Rights Act of 1964 (Public Law 88-352), amended by the Civil Rights Act of 1991 (Public Law 102-166) prohibiting employment discrimination, is enforced by the Equal Employment Opportunity Commission.
Chapter 5
1. The Fair Credit Reporting Act can be found at www.ftc.gov/os/statutes/fcra.htm; Federal Trade Commission, Financial Privacy Rule, www.ftc.gov/privacy/privacyinitiatives/financial_rule.html; financial institutions are regulated by numerous Federal Bank Regulatory agencies, including the U.S. Treasury’s Office of the Comptroller of the Currency, Treasury (OCC), the Federal Reserve System’s Board of Governors, Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision, Treasury (OTS), collectively called the Federal Agencies; the Health Insurance Portability and Accountability Act can be found at www.hhs.gov/ocr/hipaa; the Safeguards Rule can be found at www.ftc.gov/privacy/gloats/.
2. Ibid.
3. Federal Trade Commission, Financial Privacy Rule.
Chapter 7
1. J.M. Collins and S.K. Hoffman, “Identity Theft: Predator Profiles. Based on 1,037 Actual Cases,” Manuscript (2003), Michigan State University–Business Identity Theft Partnerships for Prevention, East Lansing, MI 48824-1118, available from Judith Collins, judithc@msu.edu or idtheft@msu.edu; Richard Girgenti, “KPMG Fraud Survey” (2003), contact: www.kpmg.com; Brian Burke, “IDC’s Enterprise Security Survey,” R104-14400 (December 2003), available at www.mindbvranch.com/listing/product/R104-14400.html; interview with Howard Beales, III, reported by Margaret Kane, “Insiders Pose ID Theft Threat” (January 23, 2003), CNET News.com, available at www.cnet.com; Vericept, Webinar presentation, “Protecting Your Information and Reputation” (July 2003), discussion of Trans Union Report, available at www.vericept.com. The Equal Employment Opportunity Commission Uniform Guidelines on fairness in personnel practices can be found online at http://www.eeoc.gov/policy/regs/index.html; R. Pear, “Thousands Are Getting IDs illegally,” New York Times News Service, May 20, 2002, cached: http://www.dallasnews.com/lastestnews/stories/052002dnnatsocial.11b8f.html; R. Richardson, Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security Survey, Computer Security Institute (2003), available from rrichardson@cmp.com.
2. Title VII of the Civil Rights Act of 1964 (Public Law 88-352), amended by the Civil Rights Act of 1991 (Public Law 102-166) prohibiting employment discrimination, is enforced by the Equal Employment Opportunity Commission (EEOC), www.eeoc.gov/policy/regs/index.html.
Chapter 8
1. These references describe the background and development of the quality management tools (formal brainstorming, cause-and-effect analysis, flow-charting, and Pareto analysis) that, in this book, are adapted to security management and used to complete the exercises throughout: Mary Walton, The Deming Management Method (New York: The Putnam Publishing Group, 1986); H. Gitlow, Planning for Quality, Productivity, and Competitive Position (Homewood, IL: Dow Jones-Irwin, 1990); H. Gitlow, S. Gitlow, A. Oppenheim, and R. Oppenheim, Tools and Methods for the Improvement of Quality (Homewood, IL: Dow Jones-Irwin, 1989); K. Ishikawa, Guide to Quality Control (Hong Kong: Asian Productivity Organization, Nordica International Limited, 1976; available in the United States from UNIPUB, New York); J.M. Juran, Quality Control Handbook, 3rd ed. (New York: McGraw-Hill, 1979); Amitava Mitra, Fundamentals of Quality Control and Improvement (New York: Macmillan, 1993) (note: requires knowledge of statistics).
Chapter 9
1. The Equal Employment Opportunity Commission Uniform Guidelines on fairness in personnel practices can be found at www.eeoc.gov/policy/regs/index.html.
Chapter 11
1. Test fairness means the test must not discriminate among subgroups: gender, race, ethnicity, and others.
2. K. Geisinger, “Review of the Wonderlic Personnel Test and Scholastic Level Exam,” in Barbara S. Plake, James C. Impara, and Linda L. Murphy, eds., The Fourteenth Mental Measurements Yearbook, pp. 1359–1363 (Lincoln, NE: The Buros Institute of Mental Measurements, University of Nebraska-Lincoln, 2001); F. L. Schmidt, “Review of the Wonderlic Personnel Test,” in J.V. Mitchell Jr., ed., The Ninth Mental Measurements Yearbook, pp. 1755–1757 (Lincoln, NE: Buros Institute of Mental Measurements, University of Nebraska-Lincoln, 1985).