FLAWLESS COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2008 John Weathington. All Rights Reserved.

June 2008

Inside This Issue:

  What in the World? - Cartoons Pose A Security Risk at Heathrow Airport (Are Your Controls Out of Control?)
  Center Stage - Adding Privacy to Your Control Program (An Introduction to GAPP and How to Leverage In Privacy Control)
  Hello Rubber, Meet the Road - Survive an IT Strategy Audit (3 Steps to Organize your IT Department for Audit Success)
  In The Soup - Sex, Drugs, and Corporate Scandal (Broadcom Co-Founder Comes Down from a Great High)
  The Gag Reel of Life - Silicon Valley Slip-Up (Seek First to Understand)


Cartoons Pose A Security Risk at Heathrow Airport

Are Your Controls Out of Control?

Brad Jayakody with his dreaded Transformers T-shirt donned.

Apparently, you cannot get on an airplane these days if you’re sporting the wrong T-shirt.

Remember the good old days, when we used to get dressed up to fly? It was considered a special event, and we would all get excited to don our best suits and dresses, as if we were going to church. Airport security had nothing to do with it back then; it was a cultural norm.

Well, those days are gone. Not only has this generation dumbed down its apparel when taking to the friendly skies, I’ve been on plane rides where people were wearing clothes they should not have even bought! But that’s what’s great about a free world. Presumably, you are free to express yourself in any way you see fit, even if it involves clothes that are six sizes too large or too small for you.

That is, unless, of course, you plan to fly anywhere. Brad Jayakody, from Bayswater, central London, had a different experience. He had to make a detour to the changing room before heading to the gate for boarding at Heathrow’s Terminal 5.

Ah, but our dear Brad was not trying to board the plane with an obscene thong, an African lip plate, or an exposed Prince Albert piercing. Mr. Jayakody was sporting the dreaded Transformers T-shirt, with the lead robot Optimus Prime wielding his offensive laser cannon. Let me remind everybody -- this is a cartoon robot holding a futuristic weapon created out of somebody’s imagination.

According to BBC News, Brad’s gait to the gate was interrupted by airport officials, who sternly asserted, “We won't be able to let you through because your T-shirt has got a gun on it.” And, after Brad questioned the official, his supervisor came over to reinforce the absurdity with this comment: “Sorry we can't let you through and you've a gun on your T-shirt.”

Okay, I’m sorry, but this is pretty ridiculous. I appreciate the airport’s zeal in dealing with the very real threat of airplane-assisted terrorism that we all have to deal with in today’s times. However, detaining somebody because they have a T-shirt that depicts a cartoon robot holding an imaginary weapon is going a little too far. This is an example of what I call Over-Control. Over-Control happens when you get so caught up in the frenzy of creating controls that you forget about the real risk involved.

Brad’s response to this whole thing was so simple, yet so elucidative. He states, “I was just looking for someone with a bit of common sense.” I wish I had a nickel for every time I said that to myself.

Over-control is a very costly problem that routinely finds its way into compliance programs. Think about all the accelerated SOX filers who went through the process the first time around. I don’t know about your experience in your company, but I witnessed companies go way overboard with their controls. This was propelled by a combination of the prevalent guidance at the time (AS2) and the intense fear of companies that didn’t want to end up like Enron.

That’s why I really like the new SOX guidance coming out of the FASB (AS5), which supersedes the old guidance. Fortunately, with AS5 comes an infusion of common sense. AS5 urges companies to take a top-down, risk-based approach to building their controls. This equates to fewer controls, focused on the highest exposures. In the AS2 days, everything was controlled for multiple times. The new guidance makes much more sense.

I encourage you to re-address your controls, not only for your SOX program, but for all your compliance programs. Over-Control is a condition that easily manifests itself and, ironically, can get “out of control!” To do this, take a conscious step back to reassess your real risks -- probability and impact -- and build controls that are adequate but not overboard. Then test your controls to make sure they’re effective (you don’t want under-control either), then move on. Once your risk is properly mitigated, just stop.

In the end, Brad just changed his T-shirt, and boarded the plane. It’s not a big deal, but did this make sense? Do your controls make sense?


Adding Privacy to your Control Program

An Introduction to GAPP and How to Leverage In Privacy Control

Earlier this month, I wrote an article for Quest Software entitled “Solving for Data Privacy”, a piece targeted at IT people that introduced some concepts around how to architect a solution for controlling data privacy. The article was inspired by a previous webcast that I saw on GAPP (Generally Accepted Privacy Principles). This is a new set of principles from the same people that brought us the more popular GAAP (Generally Accepted Accounting Principles): the American Institute of Certified Public Accountants (AICPA) and its Canadian counterpart, the Canadian Institute of Chartered Accountants (CICA).

The new GAPP rules were created in response to the growing concern around data breaches in our country, and in the rest of the world. As I mentioned in my Quest article, an informal poll was taken while the webcast was going on, and nearly 50% of the respondents affirmed that their company had experienced a data breach in the last two years. This is astonishing. I assumed the number would be high, but to be honest, not this high. I think it’s important for companies to start taking data privacy a little more seriously.

The GAPP Framework contains 66 principles across 10 different categories. From the GAPP website, located at http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/, here are the categories and their intent:

  1. Management - The first principle of the Generally Accepted Privacy Principles (GAPP) is Management. This principle requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.
  2. Notice - The second principle of the Generally Accepted Privacy Principles (GAPP) is Notice. This principle requires that the entity provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained, and disclosed.
  3. Choice and Consent - The third principle of the Generally Accepted Privacy Principles (GAPP) is Choice and Consent. This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
  4. Collection - The fourth principle of the Generally Accepted Privacy Principles (GAPP) is Collection. This principle requires that the entity collect personal information only for the purposes identified in the notice.
  5. Use and Retention - The fifth principle of the Generally Accepted Privacy Principles (GAPP) is Use and Retention. This principle requires that the entity limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.
  6. Access - The sixth principle of the Generally Accepted Privacy Principles (GAPP) is Access. This principle requires that the entity provide individuals with access to their personal information for review and update.
  7. Disclosure to Third Parties - The seventh principle of the Generally Accepted Privacy Principles (GAPP) is Disclosure to Third Parties. This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.
  8. Security for Privacy - The eighth principle of the Generally Accepted Privacy Principles (GAPP) is Security for Privacy. This principle requires that the entity protect personal information against unauthorized access (both physical and logical).
  9. Quality - The ninth principle of the Generally Accepted Privacy Principles (GAPP) is Quality. This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice.
  10. Monitoring and Enforcement - The tenth principle of the Generally Accepted Privacy Principles (GAPP) is Monitoring and Enforcement. This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

If you have any familiarity with compliance programs, these categories shouldn’t come as a big surprise. Your data privacy control program will be very similar to the rest of your compliance programs. In fact, when constructing your privacy program, think about how you can leverage it into the other compliance programs (e.g., SOX) that you have today.

Step 1: Start by Reinforcing your Policies and Procedures

You probably have some policies and procedures already built to comply with other regulations. This is a great place to start. Go through your policies and procedures to determine where sensitive data is collected. Then, fill in the gaps from a holistic point of view. Every place that sensitive data is collected should be documented.

Step 2: Build in Notice, Consent, and Retention Guidelines

Next, fortify your data privacy practices. Now that all the entry points have been identified, ensure that proper notice is given, and consent is obtained, whenever sensitive personal information is collected. This can be a work in progress until the entire program is instantiated. For instance, you can start with just the framework of a notice, then flesh things out as the program execution unfolds.

Step 3: Reinforce your Data Systems

This is the Achilles’ heel of most privacy programs. You must be absolutely sure that there are no weaknesses in the protection of your private data. This involves physical data (e.g., records in file cabinets); however, the biggest vulnerabilities lie in your logical data systems. Ensure access control is adequately addressed, and that preventive controls are in place to deny access to intruders. Although corrective controls (controls that are put in place after the incident has occurred) are good, preventive controls are a must. Once the data has been breached, most of the damage has already occurred. Also, keep in mind that 80% of your risk will come from inside your own company. Although protecting your data from hackers is important, focus most of your energy on avoiding inside jobs.

Step 4: Update Your Compliance Control Plan

You do have a compliance control plan, right? Since you’re reading this, I’m going to give you the benefit of the doubt. Item 10 above, Monitoring and Enforcement, is absolutely critical. Once you baseline your compliance program, you need to monitor it to make sure it’s staying under control. Data privacy controls are no exception. These should be folded in with the rest of your continuous monitoring.

Data privacy is a serious issue these days. The FTC settled 14 cases with companies that had insufficient data privacy practices. In almost all cases, the result was a mandatory, bi-annual security audit for the next 10 to 20 years. Don’t let this be you. Start setting up your privacy control program today.


Hard-Boiled Compliance Blog

John Weathington

Visit John Weathington's Blog to find out what's on his mind lately. Get his insight on the world around us, compliance issues and updates, and more. The address is:

http://www.hardboiledcompliance.com.

Survive an IT Strategy Audit

3 Steps to Organize your IT Department for Audit Success

If your internal auditors showed up today to take a look at your IT strategy, would you be prepared? Do you know for sure how your company’s investment in IT is benefiting your company? If you answered “No” to either of these questions, then you may not be organized for success. In this article, I’ll give you some practical advice that you can apply today to structure your IT organization in a way that not only makes your company more effective, but also makes it easier to audit.

Earlier this month, Compliance Week’s columnist Dan Swanson ran a great article on Auditing a Company’s IT Strategies (access required). He suggests that smarter companies leverage their internal auditors to assess their company’s investment in IT. According to Dan, there are two distinct elements to most IT investment audits:

  1. How the IT management process is scoped, designed, and implemented.
  2. How the IT management process then operates, including an assessment of how well the business priorities are being met.

He then goes on to suggest a set of questions an internal auditor should ask to complete this assessment. I won’t go over all the questions in this article, but what I will do is suggest a way of organizing your IT function so that the audit process is much cleaner.

Step 1: Have an Attitude of Partnership with IT

The first step is making sure you have the right attitude about how IT will engage. This is foundational, and it is usually done wrong in an organization. Although IT’s role in the organization is to support the other business functions, this should not be interpreted as a “subcontracting” role. Rather, it’s much better to view IT as a “partner” with the other business functions, helping the business as a whole support the corporate strategy. For instance, the CIO should report directly to the CEO, and be on par with the CFO, COO, and all other C-level staff.

This concept should flow down the organization. In my view, the best way for IT to support your organization is from a predominantly decentralized architecture. Have your IT clearly segmented by the business functions important to your company’s success: Finance IT, Operations IT, Marketing / Sales IT, Product Development IT, etc. An advanced strategy for a larger company would even include an Audit IT department.

Of course, at some point there needs to be a point of centralization to avoid duplication of effort and take advantage of consolidated economies of scale. However, the instant that centralization even slightly impacts productivity in the business function is the exact point where centralization efforts should be reeled in.

Step 2: Align IT Priorities with Business Priorities

With the proper organization, your IT project prioritization process is completely transparent to your business function. Of course, your company’s process for managing business priorities must be intact, but as long as that is in place, your IT function simply folds in. For instance, sales and marketing should be organized to the point where projects are executed in a structured manner, supporting the company’s goals while staying within time and budgetary constraints. What I’m suggesting is that since your sales and marketing IT function is strongly aligned to the business function, the sales and marketing group should take the IT support of each project into consideration when setting the priority on projects to be executed. Therefore, the IT cost estimates on any project are broken down into two components: labor and materials (e.g., hardware). Labor in this case is extremely straightforward – you know how many people are in your group, so just extend that out to the expected term of the proposed project. Materials (e.g., database licenses, third-party software, etc.) can then be negotiated with the centralized Corporate IT function (see below).

Do not make the mistake of thinking this is an inefficient organization and moving to a more “pooled resource” architecture. This is too much centralization, and it will definitely come back to hurt you. It’s important to keep your IT resources focused on the priorities and goals of your business function.

Step 3: Centralize the Rest – Lightweight but Effective

With the majority of the management and control of your IT investment deferred to your business functions, the only group left to reconcile is your centralized Corporate IT function. This will be your most challenging task. As mentioned earlier, your Corporate IT function needs to be at a delicate point between under-centralization and over-centralization.

Under-centralization would be characterized by unnecessary duplication within the company because teams are not talking to each other. This condition can explode into a number of corporate deficiencies, such as too many resources and/or too many controls.

Over-centralization, as stated above, would be characterized by any decrease in business function productivity. Of course, quantitative measures are the best indicators of a decrease in business function productivity, but even if these are not in place, some qualitative analysis can be done in the business function to determine if over-centralization has taken place. Symptoms include frustration when it takes so long to get something “simple” done, and an unwillingness to partner with IT because it’s perceived as being cumbersome. In somewhat extreme cases, you will see shadow IT pop up.

The only exception to this rule is when there are clear regulatory concerns. For instance, the business might not like the fact that you are required to scramble credit card numbers in the database; however, this is a privacy issue that must be complied with. Be careful not to get too crazy with this “loophole” of sorts. I’ve seen IT departments hide behind policies like this to push any agenda they want pushed through. Whenever a non-business-related constraint is put on a project, make sure there’s a very clear regulatory reason why it’s there.

Auditing your investment in IT and its overall strategy indicates that your company is responsible and mature in its thinking. The foundation of a successful IT strategy is the way IT is organized in the company. Making sure you partner with IT and maintain a predominantly decentralized structure will pay dividends when it comes to surviving this kind of audit. Take a serious look at the way your IT is organized today, and if necessary, start moving things around.


Sex, Drugs, and Corporate Scandal

Broadcom Co-Founder Comes Down from a Great High

Broadcom Co-Founder Henry Nicholas.

Broadcom Co-Founder Henry Nicholas is in the soup this month, as he finds himself facing an indictment involving both drugs and corporate scandal.

According to CIO.com, Nicholas allegedly had a warehouse for 9 years where he inventoried a wide variety of popular drugs, including but not limited to ecstasy, methamphetamine, and cocaine. I’m guessing he employed a FIFO (First In, First Out) method of inventory accounting, but those details are not available at the present moment.

According to the indictment, he put ecstasy in the executives’ drinks, hired prostitutes and offered them their drug(s) of choice, and smoked so much marijuana on a plane ride to Vegas that the pilot had to don an oxygen mask! Wow, that’s flying high!

As if that wasn’t enough, he’s also being charged with the ever-so-popular options backdating charges. This seems to be the charge of choice these days among founders, CEOs, CFOs, and other C-level staff. Not to be outdone, Nicholas sets a new record by having to restate $2.2 Billion in compensation charges.

See, even techie-geek leaders can party like a rock star. Unfortunately, they can also get busted like a rock star.


Silicon Valley Slip-Up

Seek First to Understand

I can't believe this came from a newspaper that's in my neck of the woods. Nestled in the heart of Silicon Valley is the Mountain View Wal-Mart, and this incident is unbelievable.


How in the world do you mistake a burrito for a baby? It's everybody's responsibility to do at least a little investigation before escalating. Make sure the people in your company know this.

Always Please Remember

Always please remember to buckle up. It could save your life.

If you are having problems viewing this, please visit the Flawless Compliance archive at http://www.excellentmanagementsystems.com/flawless.jsp.


To Subscribe, please visit the Flawless Compliance section of my website, http://www.excellentmanagementsystems.com .


To Unsubscribe, send an email to newsletter@excellentmanagementsystems.com with the Subject "Unsubscribe to Flawless Compliance".

© 2008 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.