Work Instructions, please!
How run books or work instruction procedures make your IT team more efficient and can save face!
I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and they handed me back the application form for me to destroy. Retail stores that manage payment card information must abide by strict rules governed by PCI — the Payment Card Industry standard developed to protect card information.
The form that I filled out had Personal Information (PI) and not payment card information, and therefore would not fall under the PCI purview.
I asked the retail clerk processing my information what would happen if I left the form behind – in an attempt to better understand the security process. The retail clerk told me that they place remaining forms in the bin behind her and that a disposition company destroys everything in the bin. They receive a certificate from said company once the data is destroyed, as proof.
Good start. The company could have taken this protection process a step further by having a more secure bin with a cover and a lock instead of using a standard-looking waste paper basket. Still, one giant leap for better InfoSec Data Protection.
201 CMR is here to stay, at least until H.R. 2221 gets passed
How is your company doing so far with meeting the Massachusetts regulation for the protection of PI? If you are outside the Commonwealth and do not store Mass. residents’ PI, are you doing anything to protect your own state’s residents’ PI?
jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com
With regard to cost reduction, Gartner research suggests that many CIOs turn to ITIL standardization to hold the line. While new technology purchases and hiring may be on hold (or shrinking), what do you do to improve IT efficiencies and to stay ahead of the compliance curve?
Do me a favor, go to www.youtube.com and do a search on “Peter Schiff was right”. Here’s a guy who was (and still is) a counterculture voice amongst the mainstream financial thinking. You may be asking, “But Jay, what does this have to do with me running my IT organization more efficiently, maintaining Service Levels and cutting costs in these tough economic times?” Besides melting down your old scrap PCs for the gold, that’s a good question.
An IT Manager recently told me that his company’s virtualization environment has brought them lots of freedom, but lots of headaches. His complaint was that due to the flexibility allotted, anyone could fire up a virtual environment at any time, without word or warning and without his staff being aware. Change Management disciplines out the window. Now they have a hiring freeze and are dealing with the latest “priority” project they weren’t prepared for. If the above-mentioned IT Manager had, in 2006, delayed the deployment of his company’s new hardware chassis, virtualization software and SAN for the sake of putting in some standards, procedures and good practices, he probably would have been chastised as my friend Peter Schiff was.
Within the past decade we have let organizational and cultural mediocrity exist because we believed that by placing total faith in the purchase of technology, our IT organizations would make the business we support more efficient, nimble and compliant. And it may have plugged some holes in the dam for a while.
But as corporations cut back on spending, IT organizations need to rethink the same old philosophies that got us all here in the first place. Using the old Einstein standby adage that a problem cannot be solved at the same level of thinking at which it was created, CIOs and IT management need revolutionary thinking.
As capital budgets are getting slashed, your best opportunity at becoming more efficient and compliant may be the things you overlooked (or avoided) over the past few years. That is, looking internally and improving IT efficiencies by updating your people’s skills via training and improving your processes through good practices. Peter Schiff was right, and so am I.
Let me know if CPP can help you start your own cost savings revolution.
Posted by: Jay Martin
Compliance Process Partners — www.cppit.com
Important update. The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data. The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.
The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.
Ensure? How are you going to “ensure” that your third-parties are protecting themselves?
Here’s what I recommend, and I suggest you follow my advice. Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject (see below). Take the checklist and add a signature page and have your third-parties sign it. If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates and have them sign that.
If your third-party is not willing to go the extra mile, you’ll have no choice but to move on. The eventual financial risks and public image drubbing may be too high. Are you willing to chance it?
Let me know your thoughts.
201 CMR 17.00 — Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information
Most of the clients that we work with are just starting to breathe a little easier, having put the appropriate compliance measures in place to satisfy the last regulation that was mandated: SOX, PCI, state-specific data privacy acts, HIPAA, GLBA. The undertone to all of these regulations is confidentiality, availability, and integrity, and includes minimizing the risk of exposing data that is personal and confidential and assuring that data is not compromised, maliciously or otherwise. I suspect that the latest financial failures and alleged Ponzi scheme on Wall Street will lead to yet more stringent guidance on data risk reduction, and another round of IT measures will be required.
As the custodians of the data, IT can and should continue to get better at mitigating risk and safeguarding data. But it is important to note that assuring data integrity, availability and confidentiality will not take the place of the personal integrity and transparency that cannot be enforced through technology. What are your thoughts?
In the attached article I provide some sound advice in order for your organization to be better prepared for a disaster and for you to sleep more soundly at night.
Clear Desk Policy – Where Security and IT Service Continuity Meet – Part 1
Would your company be prepared if faced with a catastrophic event like the one below? This is my true story…
In May 2008, while visiting one of my clients in Greeley, Colorado, their headquarters and primary computing site was struck by a massive tornado (click here to see the youtube clip of the actual tornado). I was in a conference room on the top floor of the building when we were abruptly interrupted and instructed to immediately head for the stairwell located in the center of the building wing. As I left the conference room, I viewed the outline of the tornado which appeared in the distance. Born and raised in the Boston area, the only tornadoes I’ve witnessed are on T.V. or youtube, so I wasn’t too hard on myself when I was called from my trance-like state, “Jay, this way” (i.e. deer in headlights). Cramming into the stairwell, the next 20 to 30 minutes were nothing short of intense, if not downright horrific, as the building walls and stairs shook violently and sounded as if a large locomotive had hit the building. People were crying, shaking and wondering if they would ever see their loved ones again.
Then we felt it, a strange stream of cool air blowing down the stairwell. We’d later come to realize that the cool air was due to a section of the roof being blown off and settling some 300 feet away from the building. When the “all clear” sounded, we were instructed to return to the top floor, collect our belongings and evacuate the building due to a gas leak caused by the tornado. Windows were blown out and chairs, file cabinets and papers were strewn all over the office. Papers were not just contained within the building but thrown all over the parking lot and adjacent property owned by an insurance company that was also in the direct path of the tornado.
I heard a story that during the 1992 London Bombings, sensitive and confidential financial documents were found miles away from the blast site. Seeing that this tornado picked automobiles up and tossed them 15 feet away, I wondered how far my client’s paper trail would go.
A Clear Desk Policy dictates that all personnel clear their desks and file documents appropriately based on their Information Sensitivity Policy. The Clear Desk Policy is typically written for a company’s security program, but critical documents that exist without a copy (digital equivalent or otherwise) should be a concern for business continuity as well.
So, would your company be prepared? Do you have a clear desk policy? If so, does it only mandate that documents be cleared at the end of the day?
In my next blog, I’ll give you some practical ways to ensure that your documents don’t end up in China (unless of course you are reading this from China).
Posted by: Jay Martin
Compliance Process Partners — www.cppit.com