Yesterday a client rescheduled a meeting because "the State" showed up to audit their medical operations.  The State of Ohio regulators conducts spot visits in this industry on a spontaneous basis.  When they come in, typically unannounced, everything stops so that they can conduct their spot audit.

"Hi, I'm from the <FTC/HHS/DHS/ETC> and I need to see your log files and your patch management reports ... "

Do you think information security and privacy compliance will ever get to that point?

I am going to present this to senior management team that has already informed me they don't want to hear that message.

This isn't the first time Jacadis has encountered such a situation.

Why should senior management be involved in security decisions?

At some level security decisions are really risk management decisions and not just technical, information security decisions.  Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table. 

Sorry, managers but this isn't just geeky stuff.

Here is a quick list of five questions that my client's technical team needs senior management input, involvement and or leadership on:

1. Are we obligated by law or contract to HIPAA?
2. Are we obligated to PCI?  Are we exposed in the way we handle crtedit card data?
3. How long can your business operate with reduced computer facilities?  Which facilities are most important to the mission?
4. How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
5. What are our employees permitted to do with social media outside of work hours on their own computers?

Are you putting your technical team in a spot where you expect them to protect your business but don't share with them critical information or involve yourself in their decision making process?  If you are in a business that is data driven (and which business today isn't) your lack of involvement will likely ensure a high technical team turnover, raise the possibility that you will have security issues interfere with your business, decrease the resiliency of your business and potentially put at risk vendor and client relationship while also opening your business (and perhaps yourself personally) to legal and regulatory liability.

• While 67% can access non-work-related websites only 44% of employers agree.
• While 52% of workers say they can store personal data on the company network only 37% of employers agree.

Do you have that same perception gap in your company?

As an employer it may mean behaviors you don't want, non-productive sites visited during work time or worse, malware introduced into the company network. As an employer, it may also mean extra storage costs or extremely awkward moments during terminations (can I have my data back?!).

As an employee, it may mean a disciplinary action for what you think is approved or allowed behavior.  And more importantly it might mean loss of personal data an information if you lose or leave your job (or the company closes).

It is in the best interests of both sides of this divide to close the gap.

• Communicate with friends
• Search for employees
• Plan and record my workouts
• Plan travel
• Maps
• Look up recipes
• Bank
• Invest
• Pay bills
• Stay informed
• Monitor boys homework
• Write and publish

The test was conducted on one of those warm sunny days we had before Thanksgiving.  We aren't supposed to get much snow tomorrow but you never know here in Ohio.  Had the part failure not been found until it was actually needed the 48 hour shipping wait could have been catastrophic.

Our client did two things right:

1.  They created a policy calendar.  Policies should be formal statements of value supported by the routines  (processes) that must be followed to meet the stated value. Most of the time though policies are dead documents that state something a client would like to do but doesn't get around to doing.  My client's policy calendar lets them manage the normal routines of their "HIPAA year" which operationalizes their compliance.

2.   They actually tested the process.  The IT Director didn't take no for an answer as maintenance continued to put his test request off. 

How are you doing?

Have you operationalized your HIPAA program?

Have you tested your generator, your back up processes and your contingency operations plan?

Tablets are fast becoming a useful tool in business and our everyday lives.  More and more businesses are buying tablets to help streamline workflow and bee more efficient.  More and more people are buying tablets for personal use because of their small size, ease of use and their multi-functionality versus a laptop. 

Tablets bought in the United States:  
                                    
               2010 – 19.5 million
               2011 – 54.8 million (proj)
               2012 – 103.4 million (proj)
               2013 – 154.2 million (proj)
               2014 -  208.0 million (proj)

Millions of tablets doing work once done behind walls creates a more mobile and more productive (maybe) workforce but it also creates a more vulnerable information system.

Are you finding tablets are a useful addition to your business and personal life? 

What are you doing to protect your tablet and the information on it? 

Make sure that is a part of your decision to move your work and personal computing to a tablet form factor.

We are currently looking for a hands on IT Project Manager with the capability and motivation to grow our services team along with their career.  This is the posting we'll be placing formally on Monday. 

Is this you?

• Do you have a mix of IT technical knowledge combined with strong communication oand organizational skills plus a desire to move out of the day to day technical detals and into a management role?
• Does the thought of building something alongside a high performing team excite you more than the thought of maintaining something built by others before you?
• Are you that unique individual who can work with technology, communicate with others regardless of their IT skill, manage multiple personality types and projects and balance business performance and quality?
• Are you PMP certified or headed down that road?
• Does your work style embrace best  for project management processes, tools and techniques?
• Are you driven to solve tough problems and satisfy customers at all costs?

We are looking for that special person to join us as our Services Delivery Manager.   You’ll join us as the coordinator of a 5 person services team, manage all of our project delivery and then as the company grows you’ll grow alongside it professionally as we continue to build that team.

Download Services Delivery Manager 2011

The employee analyst will ideally be a generalist with any alphabet soup acronyms (PCI DSS, HIPAA, GLBA, ISO, etc.) being a bonus. 

The independents we are looking for will ideally have some HIPAA or healthcare security in their backgrounds in addition to the security and consulting skills we list in the job description. 

Please email me directly with questions.  If you wish to apply send a cover letter and resume to me directly as well. 

Download Security Analyst 2011

In the forward is a statement that jumped out at me:

Information security exists for two distinct purposes: to enable an entity (a person, business, or government) to protect their own secrets, and to enable an entity to protect another entity’s secrets. The former will occur naturally—one is naturally incented to protect one’s own secrets. The latter, however, does not—it is an externality. As such, it is sometimes necessary to create regulatory bodies to ensure that these secrets are adequately protected.

I have to comment (and that scares me because I am two pages in to a 36 page report).

The assertion is that we are "naturally incented to protect one's own secrets". 

I generally think that is true in the context of real life and the physical world.  I hide the Christmas gifts from my kids and the new kettlebells I purchased from my wife.  My neighbors don't know my credit card numbers, my social security number or the result of my latest physical.  We don't talk about our crazy uncle.  Everyone has those kinds of secrets and is inclined to protect them.

In the business world we have similar secrets.  Our new marketing campaign.  The new untapped market niche one of the sales people discovered.  Our secret sauce.  Customer lists.  Bank account information.  Sales commission agreements between the company and each salesperson.  Business people ARE inclined to protect those kinds of secrets.

In the personal and the business examples above the secrets are physical secrets or "secrets of the mind".  The moment we digitize those secrets though I think the inclination changes.  There is a desire to protect them but the inclination to protect is twarted by a lack of awareness about how well protected these secrets are and about what might attack them or the system they are "safely" stored on.

Said differently, the unaware business owner just might be inclined to want to protect his "own secrets" but most likely doesn't realize they are exposed.

Several years ago we had a prospective client come calling.  They had been breached. It wasn't a legally reportable breach as no personally identifiable information was involved.  It was a mess, however.  No logs to allow much of an investigation.  The weakness in the soon to be our client's systems was human error.  They had simply not attended to the necessary effort needed to secure the system.  In non-technical terms they had built a building but not put a lock on it or watched the door.   Their losses were intangibles.  Source code to a custom app was taken.  Code in production on their servers was contaminated.  Nothing was backed up so work had to be redone to get them back to a pre-breakin state.

Physically when I first visited their facility I entered from an outside door inta an empty locked room.  In that room, with double locked doors and a camera is a phone.  Instructions clearly stat to call your appointment from the phone and then they will come to get you.  We've assessed the environment since we first met as a an outcome of the breach and the system, though primative works.

They understand the physical and lock it down pretty well.  In the physcial sense they are inclined to "protect their secrets" (or at least their physical property).  But until that breach occured they didn't understand that the hard work invested in their custom code, the code itself and "secrets" kept in databases on their servers were every bit as exposed as if a customer list or some other printed form was sitting unattended in that entry room or outside the front door.

When it came to their virtual goods, the electronic equivalance of that secure room, locked down and monitored, didn't exist.

Why? Were they not "naturally incented to protect one's own secrets'?" 

I think they were inclined to protect their own secrets.  After some education they now have the electronic equivalance of that secure room.

The issue for them and I think for many, if not most, business owners, even in technology fields, is that there is a lack of awareness of what is at risk, where weakness lie and what might be attacking those weaknesses.

I believe it is an imperative for a business owner or executive to understand the context of their business. If much of their business occurs electronically then understanding the context of that environment is an imperative.  Only through that awareness and understanding can your inclination to protect your secrets be real.

Are you naturally inclined to protect your business secrets?

Are you aware of how those electronic secrets are protected?

Are you aware of weaknesses in your system security that would allow an attacker an entry point?

Are you aware of who the attacker might be? Or what they might want?

Have you assessed your security posture?

Again, are you naturally inclined to protect your business secrets?

But in today's fluid world your information assets are many other places.  Do you know where your data flows?

As you work with your IT department use this quick check list to make sure you are talking about all the places your company information is located and make certain you have plans in place to maintain confidentiality, integrity and availabilty of that information as well as the information on your company network.

Do you allow employee's personal devices such as cell phones, smart phones, tablets, USB drives and other devices to connect to your company computers?  Do employees work with company information on those personal tools?  Do they receive voice mails on them? Email? Other information?

Do employees that telecommute work from home on company laptops? or do they use their home computer? home fax? home printer?

Are you sharing or storing information through online services such as Sharefile or Dropbox? 

Are employees taking paper files home?

Are you sharing data and information with service providers in your suppply chain?

Where else might your information and data flow?