Layers of Responsibility

Senior management and other levels of management understand the vision of the company, the business goals, and the objectives. The next layer down is the functional management, whose members understand how their individual departments work, what roles individuals play within the company, and how security affects their department directly. The next layers are operational managers and staff. These layers are closer to the actual operations of the company. They know detailed information about the technical and procedural requirements, the systems, and how the systems are used. The employees at these layers understand how security mechanisms integrate into systems, how to configure them, and how they affect daily productivity. Every layer offers different insight into what type of role security plays within an organization, and each should have input into the best security practices, procedures, and chosen controls to ensure the agreed upon security level provides the necessary amount of protection without negatively affecting the company’s productivity.

Although each layer is important to the overall security of an organization, some specific roles must be clearly defined. Individuals who work in smaller environments (where everyone must wear several hats) may get overwhelmed with the number of roles presented next. Many commercial businesses do not have this level of structure in their security teams, but many government agencies and military units do. What you need to understand are the responsibilities that must be assigned, and whether they are assigned to just a few people or to a large security team. These roles are the data owner, data custodian, system owner, security administrator, security analyst, application owner, supervisor (user manager), change control analyst, data analyst, process owner, solution provider, user, product line manager, and the guy who gets everyone coffee.

Who’s Involved?

I don’t want to be involved. I have heard that it is a lot of work.

Response: Yes, indeed. It will require many in the organization to stretch their understanding and responsibilities.

Many companies, and security professionals, are struggling with what security programs and governance really are and how responsibilities should be assigned throughout the organization. Identifying roles and responsibilities should happen very quickly when developing a security program, so we will discuss common roles and entities in corporations and their responsibilities as they pertain to asset protection.

The Board of Directors

Hey, Enron was successful for many years. What’s wrong with their approach?

The board of directors is a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter. The goal of the board is to ensure the shareholders’ interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent individuals who oversee the executive staff’s performance in running the company.

For many years, too many people who held these positions either looked the other way regarding corporate fraud and mismanagement or depended too much on executive management’s feedback instead of finding out the truth about their company’s health themselves. We know this because of all of the corporate scandals uncovered in 2002 (Enron, WorldCom, Global Crossing, and so on). The boards of directors of these corporations were responsible for knowing about these types of fraudulent activities and putting a stop to them to protect shareholders. Many things caused the directors not to play the role they should have. Some were intentional, some not. These scandals forced the U.S. government and the Securities and Exchange Commission (SEC) to place more requirements, and potential penalties, on the boards of directors of publicly traded companies. This is why many companies today are having a harder time finding candidates to fulfill these roles—personal liability for a part-time job is a real downer.

Independence is important if the board members are going to truly work for the benefit of the shareholders. This means the board members should not have immediate family who are employees of the company, the board members should not receive financial benefits from the company that could cloud their judgment or create conflicts of interest, and no other activities should cause the board members to act other than as champions of the company’s shareholders. This is especially true if the company must comply with the Sarbanes-Oxley Act. Under this Act, the board of directors can be held personally responsible if the corporation does not properly maintain an internal corporate governance framework, and/or if financials reported to the SEC are incorrect.

Note

Other regulations also call out requirements of boards of directors, as in the Gramm-Leach-Bliley Act (GLBA). But SOX is a regulation that holds the members of the board personally responsible, thus they can each be fined or go to jail.


Caution

The CISSP exam does not cover anything about specific regulations (SOX, HIPAA, GLBA, Basel II, SB 1386, and so on). So do not get wrapped up in studying these for the exam. However, it is critical that the security professional understands the regulations and laws of the country and region she is working within.


Principles of Federal Prosecution of Business Organizations

The Department of Justice provides the following guidelines for attorneys when attempting to prosecute corporate wrongdoings:

“Do the corporation’s directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers’ recommendations; are the directors provided with information sufficient to enable the exercise of independent judgment; are internal audit functions conducted at a level sufficient to ensure their independence and accuracy; and have the directors established an information and reporting system in the organization reasonably designed to provide management and the board of directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law.”

More information can be found at www.usdoj.gov/dag/cftf/corporate_guidelines.htm.


Executive Management

I am very important, but I am missing a “C.”

Response: Then you are not so important.

This motley crew is made up of individuals whose titles start with a “C.” The Chief Executive Officer (CEO) has the day-to-day management responsibilities of an organization. This person is often the chairman of the board of directors and is the highest ranking officer in the company. This role is for the person who oversees the company’s finances, strategic planning, and operations from a high level. The CEO is usually seen as the visionary for the company and is responsible for developing and modifying the company’s business plan. They set budgets, form partnerships, decide on what markets to enter, what product lines to develop, how the company will differentiate itself, and so on. This role’s overall responsibility is to ensure that the company grows and thrives.

Note

The CEO can delegate tasks, but not necessarily responsibility. More and more regulations dealing with information security are holding this role’s feet to the fire, which is why security departments across the land are receiving more funding. Personal liability for the decision makers and purse-string holders has loosened up those purse strings, and companies are now able to spend more money on security than before.


The Chief Financial Officer (CFO) is responsible for the corporation’s accounting and financial activities, and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

The CFO and CEO are responsible for informing stakeholders (creditors, analysts, employees, management, investors) of the firm’s financial condition and health. After the corporate debacles uncovered in 2002, the U.S. government and the SEC started doling out stiff penalties to people who held these roles and abused them, as shown in the following:

  • January 2004 – Ex-Enron chief financial officer Andrew Fastow was given a ten-year prison sentence for his accounting scandals, which was a reduced term because he cooperated with prosecutors.

  • June 2005 – John Rigas, the CEO of Adelphia Communications Corp., was sentenced to 15 years in prison for his role in the looting and debt-hiding scandal that pummeled the company into bankruptcy. His son, who also held an executive position, was sentenced to 20 years.

  • July 2005 – Ex-WorldCom chief executive officer Bernard Ebbers was sentenced to 25 years in prison for his role in orchestrating the biggest corporate fraud in the nation’s history.

  • August 2005 – Former WorldCom chief financial officer Scott Sullivan was sentenced to five years in prison for his role in engineering the $11 billion accounting fraud that led to the bankruptcy of the telecommunications powerhouse.

  • December 2005 – The former chief executive officer of HealthSouth Corp. was sentenced to five years in prison for his part in the $2.7 billion scandal.

These are only the big ones that made it into all the headlines. Other CEOs and CFOs have also received punishments for “creative accounting” and fraudulent activities.

Figure 3-12 shows us how the board members are responsible for setting the organization’s strategy and risk appetite (how much risk the company should take on). The board is also responsible for receiving information from executives, as well as the assurance (auditing committee). With these inputs, the board is supposed to ensure that the company is running properly, thus protecting shareholders’ interests. Also notice that the business unit owners are the risk owners, not the security department. Too many companies are not extending the responsibility of risk out to the business units, which is why the CISO position is commonly referred to as the sacrificial lamb.

Figure 3-12. Risk must be understood at different departments and levels.


The Chief Information Officer

On a lower rung of the food chain is the Chief Information Officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in, day-out technology operations of a company, but because organizations are so dependent upon technology, they are being asked to sit at the big boy’s corporate table more and more.

CIO responsibilities have extended to working with the CEO (and other management) on business-process management, revenue generation, and how business strategy can be accomplished with the company’s underlying technology. This person usually should have one foot in techno-land and one foot in business-land to be effective, because he is bridging two very different worlds.

The CEO sets the stage for the protection of company assets and is ultimately responsible for the success of the company security program. Direction should be coming down from the CEO and there should be clear lines of communication between the board of directors, the C-level staff, and mid-management. In SOX, the CEO and CFO have outlined responsibilities and penalties they can be personally liable for if those responsibilities are not carried out. The SEC wanted to make sure these roles cannot just allow their companies to absorb fines if they misbehave. Under this law they can personally be fined millions of dollars and/or go to jail. Such things always make them perk up during meetings.

The Chief Privacy Officer

The Chief Privacy Officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the Chief Security Officer.

It is important that the company understand the privacy, legal, and regulatory requirements the organization must comply with. With this knowledge, you can then develop the organization’s policies, standards, procedures, controls, and contract agreements to see if privacy requirements are being properly met. Remember also that organizations are responsible for knowing how their suppliers, partners, and other third parties are protecting this sensitive information. Many times, companies will need to review these other parties (which have copies of data needing protection).

Some companies have carried out risk assessments without including the penalties and ramifications they would be forced to deal with if they did not properly protect the information they are responsible for. Without including these liabilities, risk cannot be properly assessed.

The organization should document how privacy data are collected, used, disclosed, archived, and destroyed. Employees should be held accountable for not following the organization’s standards on how to handle this type of information.

Note

Carrying out a risk assessment from the perspective of the protection of sensitive data is called a Privacy Impact Analysis. You can review the following site to understand the steps: How to Do a Privacy Assessment—www.actcda.com/resource/multiapp.pdf.


Since properly protecting sensitive data is so critical to organizations today, these requirements should be baked into many different business processes, such as purchasing and/or developing software that will house sensitive data, establishing IT communication mechanisms, and implementing and configuring security products. In each of these examples, the question of “What type of data will be stored or transmitted through this?” should be asked to ensure that the right level of protection is being provided.

International Requirements

If the organization is exchanging data with European entities, it may need to adhere to the Safe Harbor requirements. Europe has always had tighter control over protecting privacy information than the U.S. and other parts of the world. So in the past, when U.S. and European companies needed to exchange data, there was confusion and interruption of business because the lawyers had to get involved to figure out how to work within the structures of the differing laws. To clear up this mess, a “safe harbor” framework was created, which outlines how any entity that is going to move privacy data to and from Europe must go about protecting it. U.S. companies that deal with European entities can become certified against this rule base so that data transfer can happen more quickly and easily. More information can be found at www.export.gov/safeharbor/sh_overview.html.

Global organizations that move data across other country boundaries must also be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines and transborder information flow rules. Almost every country has its own rules pertaining to what private data is and how it should be protected and dealt with. As the digital and information age came upon us, these different laws started to negatively affect business and international trade. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Thus, the OECD came up with guidelines for the various countries to follow so data are properly protected and everyone follows the same type of rules. More information can be found at www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.

Organizations that do not follow these types of rules and guidelines (whether knowingly or otherwise) can be fined, sued, and their business disrupted. Some companies have had to actually move their WAN connections because they were transferring privacy data through a country and breaking its law without knowing it.


The Chief Security Officer

Hey, we need a sacrificial lamb in case things go bad.

Response: We already have one. He’s called the Chief Security Officer.

The Chief Security Officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

The creation of this role is a mark in the “win” column for the security industry because it means security is finally being seen as a business issue. Previously, security was stuck in the IT department and was viewed solely as a technology issue. As organizations saw the need to integrate security requirements and business needs, creating a position for security in the executive management team became more of a necessity. The CSO’s job is to ensure that business is not disrupted in any way due to security issues. This extends beyond IT and reaches into business processes, legal issues, operational issues, revenue generation, reputation protection, risk management—and all of this must be done in a cost-effective manner!

CSO vs. CISO

The CSO and Chief Information Security Officer (CISO) may have similar or very different responsibilities. How is that for clarification? It is up to the individual organization to define the responsibilities of these two roles and whether they will use both, either, or neither. By and large, the CSO role usually has a farther reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security—not just technological risks.

The CSO is usually more of a business person and typically is present in larger organizations. If a company has both roles, the CISO reports directly to the CSO.


The IS Security Steering Committee

A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.

This committee should meet at least quarterly and have a well-defined agenda. Some of the group’s responsibilities are listed next:

  • Define the acceptable risk level for the organization.

  • Develop security objectives and strategies.

  • Determine priorities of security initiatives based on business needs.

  • Review risk assessment and auditing reports.

  • Monitor the business impact of security risks.

  • Review major security breaches and incidents.

  • Approve any major change to the security policy and program.

They should also have a clearly defined vision statement in place that is set up to work with and support the organizational intent of the business. The statement should be structured in a manner that provides support for the goals of confidentiality, integrity, and availability as they pertain to the business objectives of the organization. This in turn should be followed, or supported, by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.

The Audit Committee

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

This committee is usually responsible for at least the following items:

  • The integrity of the company’s financial statements and other financial information provided to stockholders and others

  • The company’s system of internal controls

  • The engagement and performance of the independent auditors

  • The performance of the internal audit function

  • Compliance with legal requirements and company policies regarding ethical conduct

The goal of this committee is to provide independent and open communications among the board of directors, the company’s management, the internal auditors, and external auditors. Financial statement integrity and reliability is crucial to every organization, and many times pressure from shareholders, management, investors, and the public can directly affect the objectivity and correctness of these financial documents. In the wake of high-profile corporate scandals, the audit committee’s role has shifted from just overseeing, monitoring, and advising company management to enforcing and ensuring accountability on the part of all individuals involved. This committee must take input from external and internal auditors and outside experts to help ensure the company’s internal control processes and financial reporting are taking place properly.

The Data Owner

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data he is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And it is the data owner who will deal with security violations pertaining to the data he is responsible for protecting. The data owner, who obviously has enough on his plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.

The Data Custodian

Hey, custodian, clean up my mess!

Response: I’m not that type of custodian.

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include performing regular backups of the data, periodically validating the integrity of the data, restoring data from backup media, retaining records of activity, and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

Data Owner Issues

Each business unit should have a data owner who protects the unit’s most critical information. The company’s policies must give the data owners the necessary authority to carry out their tasks.

This is not a technical role, but rather a business role that must understand the relationship between the unit’s success and the protection of this critical asset. Not all business people understand this role, so they should be given the necessary training.


The System Owner

I am god over this system!

Response: You are responsible for a printer? Your mother must be proud.

The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.

The Security Administrator

Hey, I have administrator rights!

Response: Great, you’re a security administrator. I quit.

Anyone who has a root account on Unix or Linux systems or an administrator account on Windows or Macintosh systems actually has security administrator rights. (Unfortunately, too many people have these accounts in most environments.) This means they can give and take away permissions, set security configurations, and mess everything up if they are having a bad day.

However, just because a person has a root or administrator account does not mean they are fulfilling the security administrator role. A security administrator’s tasks are many, and include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords. (The security administrator should not actually approve new system user accounts. This is the responsibility of the supervisor.) The security administrator must make sure access rights given to users support the policies and data owner directives.

The Security Analyst

I have analyzed your security and you have it all wrong.

Response: What a surprise.

The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are “in the weeds” and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than an implementation level.

The Application Owner

Some applications are specific to individual business units—for example, the accounting department has accounting software, R&D has software for testing and development, and quality assurance uses some type of automated system. The application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications (subject to staying in compliance with the company’s security policies, of course).

Since each unit claims ownership of its specific applications, the application owner for each unit is responsible for the security of the unit’s applications. This includes testing, patching, performing change control on the programs, and making sure the right controls are in place to provide the necessary level of protection.

The Supervisor

The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security, distributing initial passwords, making sure the employees’ account information is up-to-date, and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee’s role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.

The Change Control Analyst

I am in charge of change control and I order you to change your socks!

As someone wise once said, the only thing that is constant is change. So, when change does take place, someone must make sure it’s safe. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens...

The Data Analyst

Having proper data structures, definitions, and organization is very important to a company. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information, the purchasing department needs to have a lot of its values in monetary terms, and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information or advise in the purchase of a product that will do so.

The data analyst works with the data owners to help ensure that the structures set up coincide with and support the company’s business objectives.

The Process Owner

Ever heard the popular mantra, “Security is not a product, it’s a process”? The statement is very true. Security should be considered and treated like any other business process—not as its own island, nor like a redheaded step-child with cooties. (The author is a redheaded step-child, but currently has no cooties.)

All organizations have many processes: how to take orders from customers; how to make widgets to fulfill these orders; how to ship the widgets to the customers; how to collect from customers when they don’t pay their bills; and so on. An organization could not function properly without well-defined processes.

The process owner is responsible for properly defining, improving upon, and monitoring these processes. A process owner is not necessarily tied to one business unit or application. Complex processes involve many variables that can span different departments, technologies, and data types.

The Solution Provider

I came up with the solution to world peace, but then I forgot it.

Response: Write it down on this napkin next time.

Every vendor you talk to will tell you they are the right solution provider for whatever ails you. In truth, several different types of solution providers exist, because the world is full of different problems. This role is called upon when a business has a problem or requires a process be improved upon. For example, if Company A needs a solution that supports digitally signed e-mails and an authentication framework for employees, it would turn to a public key infrastructure (PKI) solution provider. A solution provider works with the business unit managers, data owners, and senior management to develop and deploy a solution to reduce the company’s pain points.

The User

The user is any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.

The Product Line Manager

Who’s the guy responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company? Who is the guy responsible for ensuring compliance with license agreements? Who is the guy translating business requirements into objectives and specifications for the developer of a product or solution? Who is the guy who decides if his company really needs to upgrade their operating system version every time Microsoft wants to make more money? That would be the product line manager.

This role must understand business drivers, business processes, and the technology that is required to support them. The product line manager evaluates different products in the market, works with vendors, understands different options a company can take, and advises management and business units on the proper solutions needed to meet their goals.

The Auditor

The function of the auditor is to provide independent assurance that the management and shareholders of an organization can rely upon the appropriateness of its security objectives, and upon the information they are given regarding the status of the organization as a whole. The auditor is brought into an organization to determine whether the technical and physical controls implemented by the administration meet, and comply with, the security objectives that are either required of the organization by legislation or have been deemed necessary by the organization’s governance. Audits can be internal or external, and a combination of both will usually provide the most comprehensive and objective evaluation of the organization. The biggest concern with auditors is the question of bias and objectivity. Using a third party for reviews typically alleviates that issue, and in some instances legal mandates and regulations prevent even third-party auditors from working with a single organization for too many years in a row, so that they do not become too close to it and thereby compromise the objectivity of their evaluations and audits.

Why So Many Roles?

The data custodian or system administrator is not the proper role for deciding how system resources are protected. They may have the technical knowledge of how security mechanisms should be implemented and configured, but they should not be put into a position of deciding how the company approaches security and which security measures should be implemented. Too many times, companies handle security at the administrator level. In these situations, security is not viewed in broad enough terms: proper risk analysis is usually not performed, senior management is not fully aware of the risks the company faces, not enough funds are available for security, and when a security breach takes place there is no efficient way of dealing with it. As stated previously, security must work in a top-down fashion to be ultimately successful.

A company’s security is not tied only to the type of firewall installed and the timeliness of security patches being applied. A company is an environment filled with various resources, activities, people, and practices. The security of the environment must be approached in a holistic way, with each part of security addressed in a serious and responsible manner. Although most environments will not contain all of the roles outlined previously, all of these responsibilities still must be carried out.

Personnel

Many facets of the responsibilities of personnel fall under management’s umbrella, and several facets have a direct correlation to the overall security of the environment.

Although society has evolved to be extremely dependent upon technology in the workplace, people are still the key ingredient to a successful company. But in security circles, people are often the weakest link. Either accidentally through mistakes or lack of training or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. Although the future actions of individuals cannot be predicted, it is possible to minimize the risks by implementing preventive measures. These include hiring the most qualified individuals, performing background checks, using detailed job descriptions, providing necessary training, enforcing strict access controls, and terminating individuals in a way that protects all parties involved.

Structure

If a company wants its employee security controls to be effective, management must put in place a certain structure and actually follow it. This structure includes clear definitions of responsibilities, lines of authority, and acceptable reprimands for specific activities. A clear-cut structure takes the mystery out of who does what, and how things are handled in different situations.

Several items can be put into place to reduce the possibilities of fraud, sabotage, misuse of information, theft, and other security compromises. Separation of duties makes sure that one individual cannot complete a critical task by herself. In the movies, when a submarine captain needs to launch a nuclear torpedo to blow up the enemy and save civilization as we know it, the launch usually requires three codes to be entered into the launching mechanism by three different senior crewmembers. This is an example of separation of duties, and it ensures that the captain cannot complete such an important and terrifying task all by herself.

Note

Separation of duties may also reduce errors. If one person makes a mistake, there is a high probability that another person will catch and correct it.


In an organization that practices separation of duties, collusion must take place for fraud to be committed. Collusion means that at least two people are working together to cause some type of destruction or fraud.

In a software development environment, there should be clear distinctions between programmers, testing environments, libraries, operations, and production. Programmers should be able to work on their code and test it as needed. Once the programmer is finished with her tasks, she turns the code over to quality assurance, who in turn run their own tests in another environment that mirrors the production environment. Once the code passes all the necessary tests, it should be stored in a software library.

When it is necessary for the code to go into production, it moves from the library to the production environment. Code should not go from the programmer directly to production without testing and checking it into the library. The test environment should be clearly differentiated from the production environment to ensure that untested code does not accidentally go into production. And the programmer should not tinker with the software once it is in production. These clear-cut methods make sure no steps are skipped in the phases of software development, and that changes are not made in unstructured and dangerous ways.

Hiring Practices

I like your hat. You’re hired!

Depending on the position to be filled, a level of screening should be done by human resources to ensure the company hires the right individual for the right job. Skills should be tested and evaluated, and the caliber and character of the individual should be examined. Joe might be the best programmer in the state, but if someone looks into his past and finds out he served prison time because he continually flashes old ladies in parks, the hiring manager might not be so eager to bring Joe into the organization.

Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.

References should be checked, military records reviewed, education verified, and if necessary, a drug test should be administered. Many times, important personal behaviors can be concealed, and that is why hiring practices now include scenario questions, personality tests, and observations of the individual, instead of just looking at a person’s work history. When a person is hired, he is bringing in his business skills and whatever other baggage he carries. A company can reduce its heartache pertaining to personnel by first conducting useful and carefully carried out hiring practices.

Also, when references are being checked, it may be a good idea to have a background check performed on the potential new employee. These can cover things not readily apparent or obvious during the course of a simple reference check. Many organizations do not feel they have the time or resources to conduct background checks on their potential employees because they need to fill positions as quickly as possible. This can lead to hiring a person for “right now” instead of hiring the “right person.” Employees represent an investment on the part of the organization, and by taking the time to hire the right people for the jobs, the organization will be able to maximize its investment and achieve a better return.

A more detailed background check can reveal some interesting information. Things like unexplained gaps in employment history, the validity and actual status of professional certifications, criminal records, driving records, job titles that have been misrepresented, credit histories, unfriendly terminations, appearances on suspected terrorist watch lists, and even real reasons for having left previous jobs can all be determined through the use of background checks. This has real benefit to the employer and the organization because it serves as the first line of defense for the organization against being attacked from within. Any negative information that can be found in these areas could be indicators of potential problems that the potential employee could create for the company at a later date. Take the credit report for instance. On the surface, this may seem to be something the organization doesn’t need to know about, but if the report indicates the potential employee has a poor credit standing and a history of financial problems, it could mean you don’t want to place them in charge of the organization’s accounting, or even the petty cash.

Ultimately, the goal here is to achieve several different things at the same time by using a background check. You’re trying to mitigate risk, lower hiring costs, and also lower the turnover rate for employees. All this is being done at the same time you are trying to protect your existing customers and employees from someone gaining employment in your organization that could potentially conduct malicious and dishonest actions that could harm you, your employees, and your customers as well as the general public. In many cases, it is also harder to go back and conduct background checks after the individual has been hired and is working. This is because there will need to be a specific cause or reason for conducting this kind of investigation, and if any employee moves to a position of greater security sensitivity or potential risk, a follow-up investigation should be considered.

Possible background check criteria could include:

  • A Social Security Number Trace

  • A County/State Criminal Check

  • A Federal Criminal Check

  • A Sexual Offender Registry Check

  • Employment Verification

  • Education Verification

  • Professional Reference Verification

  • An Immigration Check

Additional verification checks for higher-level or sensitive positions could include:

  • Office of Foreign Assets Control (OFAC) – USA PATRIOT Act

  • Professional License/Certification Verification

  • Credit Report

  • Drug Screening

Note

If a low-level background check was carried out for an employee that is now moving into a more sensitive position, a more in-depth background check may be required.


Employee Controls

A management structure must be in place to make sure everyone has someone to report to and that the responsibility for another person’s actions is spread equally and intelligently. Consequences for noncompliance or unacceptable behavior must be communicated before an event takes place. Proper supervisory skills must be acquired and used to ensure that operations go smoothly and that any out-of-the-ordinary activities can be taken care of before they get out of control.

Rotation of duties (rotation of assignments) is an important control to keep each department a healthy and productive part of the company. No one person should stay in one position for a long period of time, because they may end up having too much control over a segment of the business. Such total control could result in fraud, data modification, and misuse of resources. Employees in sensitive areas should be forced to take their vacations, which is known as a mandatory vacation policy. While they are on vacation, other individuals fill their positions and thus can usually detect any errors or fraudulent activities. Two of the many ways to detect fraud or inappropriate activities would be the discovery of activity on someone’s user account while they’re supposed to be away on vacation, or a specific problem stopping while someone was away and not active on the network. These anomalies are worthy of investigation.
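The first of those two detections is easy to automate once you have a leave schedule and authentication or application logs. The following is an added example written for this edit, not code from the original text: it runs a mandatory-vacation check over a handful of constructed, syslog-style log lines. The log format, field names, user names, and dates are all assumptions made for illustration; the point is that any event attributed to an account whose owner is on leave, including a failed login, becomes an investigation item.

```python
"""Flag account activity that occurs while the account owner is on mandatory leave.

Added example, not from the original text. Log format, field names and the
vacation schedule below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed sample: mandatory-vacation schedule as inclusive date ranges.
VACATIONS = {
    "jdoe": (date(2024, 3, 11), date(2024, 3, 22)),
    "asmith": (date(2024, 3, 18), date(2024, 3, 29)),
}

# Constructed sample log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
2024-03-08T17:55:10Z auth user=jdoe src=10.0.1.40 action=login result=success
2024-03-12T02:14:02Z auth user=jdoe src=203.0.113.9 action=login result=success
2024-03-12T02:15:30Z app user=jdoe src=203.0.113.9 action=approve_payment result=success
2024-03-13T09:00:00Z auth user=asmith src=10.0.1.41 action=login result=success
2024-03-19T10:30:00Z auth user=asmith src=10.0.1.41 action=login result=failure
2024-03-20T11:00:00Z auth user=bwong src=10.0.1.42 action=login result=success
2024-03-22T23:59:59Z auth user=jdoe src=10.0.1.40 action=login result=success
2024-03-23T08:00:00Z auth user=jdoe src=10.0.1.40 action=login result=success
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    src: str
    action: str
    result: str


def parse_line(line):
    """Parse one log line; return None for anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["source"], m["user"], m["src"], m["action"], m["result"]


def on_vacation(user, when, schedule):
    """True if `user` has a leave range covering the (UTC) date of `when`; bounds are inclusive."""
    rng = schedule.get(user)
    return rng is not None and rng[0] <= when.date() <= rng[1]


def find_vacation_activity(log_text, schedule=VACATIONS):
    """Return every event (successful or failed) attributed to a user who is on leave."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than guessed at
        when, _source, user, src, action, result = parsed
        if on_vacation(user, when, schedule):
            findings.append(Finding(user, when, src, action, result))
    return findings


def summarize(findings):
    """Count findings per user so each anomalous account becomes one investigation ticket."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_vacation_activity(SAMPLE_LOG):
        print(f"ALERT: {f.user} active {f.when:%Y-%m-%d %H:%M}Z from {f.src}: {f.action} ({f.result})")
```

In practice the schedule would come from the HR system rather than a dictionary, and the check would run as a scheduled query against the SIEM; the logic is the same. Note that the failed login on 19 March is reported as well: the user is not supposed to be present, so whoever is presenting those credentials is the question.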

Two variations of separation of duties and control are split knowledge and dual control. In both cases, two or more individuals are authorized and required to perform a duty or task. In the case of split knowledge, no one person knows or has all the details to perform a task. For example, two managers might be required to open a bank vault, with each only knowing part of the combination. In the case of dual control, two individuals are again authorized to perform a task, but both must be available and active in their participation to complete the task or mission. For example, two officers must perform an identical key-turn in a nuclear missile submarine, each out of reach of the other, to launch a missile. The control here is that no one person has the capability of launching a missile, because they cannot reach to turn both keys at the same time.
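The same two properties apply to cryptographic key material, which is where most security engineers actually meet them (HSM key ceremonies, backup master keys). The following is an added example written for this edit, not code from the original text, and it goes slightly beyond the two-person case in the paragraph above: a key is split into n shares by XOR so that no single custodian's share reveals anything about the key (split knowledge), and a ceremony object refuses to reconstruct the key until every named custodian has presented a share in the same session (dual control). The custodian names and key bytes are illustrative assumptions.

```python
"""Split knowledge and dual control applied to a key instead of a vault combination.

Added example, not from the original text. Custodian names and the sample key
are illustrative. The XOR scheme is an n-of-n one-time pad: every share except
the last is fresh randomness, so any subset of fewer than n shares is uniformly
random and carries no information about the key.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int = 2) -> list:
    """Split `key` into n shares; all n are required to recover it (split knowledge)."""
    if n < 2:
        raise ValueError("need at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)  # last share = key XOR (all the random shares)
    shares.append(last)
    return shares


def combine_shares(*shares: bytes) -> bytes:
    """XOR every share back together; with any share missing the result is random noise."""
    if not shares:
        raise ValueError("no shares given")
    key = shares[0]
    for s in shares[1:]:
        key = xor_bytes(key, s)
    return key


class DualControlCeremony:
    """Reconstruct the key only when every required custodian is present and participating."""

    def __init__(self, custodians):
        self.required = frozenset(custodians)
        self.presented = {}

    def present(self, custodian: str, share: bytes) -> None:
        if custodian not in self.required:
            raise PermissionError(f"{custodian} is not an authorized custodian")
        self.presented[custodian] = share

    def reconstruct(self) -> bytes:
        missing = self.required - self.presented.keys()
        if missing:
            raise PermissionError(f"dual control not satisfied; missing {sorted(missing)}")
        key = combine_shares(*(self.presented[c] for c in sorted(self.required)))
        self.presented.clear()  # shares are consumed; the next use needs everyone again
        return key


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    alice_share, bob_share = split_key(master, 2)
    ceremony = DualControlCeremony(["alice", "bob"])
    ceremony.present("alice", alice_share)
    ceremony.present("bob", bob_share)
    print(ceremony.reconstruct() == master)
```

XOR sharing is n-of-n only: if the policy is "any two of three officers", use Shamir's secret sharing instead, which gives a threshold rather than requiring everyone. Either way, the shares should be stored and transported separately (different safes, different people), or the split-knowledge property is defeated by a single compromise.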

Termination

Because terminations can happen for a variety of different reasons and terminated people will have different reactions, companies should have a specific set of procedures to follow with each and every termination. For example:

  • The employee must leave the facility immediately under the supervision of a manager or security guard.

  • The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.

  • That user’s accounts and passwords should be disabled or changed immediately.

It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee’s accounts should be disabled right away and all passwords on all systems changed.
