Enhancing Authentication – Don’t be late to the party

Some banks are finally beefing up their online security for consumers. I recently logged into Chase and they now require you to select a device/email for sending a one-time identification code. On a previous login I was asked to add a cell phone number, home phone or email address(es) for contacting me about account changes, etc. So when I logged in this time, I was given the choice of where to send this one-time ID code and promptly chose my cell phone via text. Nice touch, Chase. Hope the other banks and financial institutions are watching.

What do you think about using the above scenario more consistently for business end-user access to corporate information when accessing their networks remotely (e.g. not on the company LAN)?
The majority of companies I work with still use a single-factor authentication scheme (something I know, such as a username/password) for accessing their networks remotely, or are still utilizing the much-maligned hardware token that end-users are required to have on their person. Why not take advantage of a device I always carry, my cell phone (most often company issued), and add a second authentication factor, as Chase Bank has done above?

How is your company beefing up access & authentication?
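
The server side of the flow described above (generate a short code after the password check, send it to the device the user picked, accept it once before it expires) is simple enough to sketch. The following is an added illustration, not Chase's code or anything from this blog; the code length, five-minute lifetime and five-attempt limit are assumptions chosen for the example, and "sending" just returns the code to the caller instead of texting it.

```python
"""One-time login code issuance and verification (added example).

Models the second factor described in the post: after the password is
accepted, the server issues a short numeric code, delivers it to the
device the user chose, and completes the login only when the correct
code is presented before it expires. Lifetime, length and attempt limit
below are illustrative assumptions, not a bank's actual policy.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6                # assumed code length
CODE_LIFETIME_SECONDS = 300    # assumed validity window (5 minutes)
MAX_ATTEMPTS = 5               # assumed guess limit per issued code


@dataclass
class PendingChallenge:
    code: str          # the one-time code as sent to the user
    device: str        # where it was sent, e.g. "sms:+1-555-0100" (constructed value)
    expires_at: float  # absolute time after which the code is rejected
    attempts: int = 0  # wrong guesses so far


@dataclass
class OneTimeCodeService:
    # clock is injectable so expiry can be tested without sleeping
    clock: callable = time.time
    pending: dict = field(default_factory=dict)

    def issue(self, user_id: str, device: str) -> str:
        """Create a fresh code for user_id, replacing any earlier one."""
        # secrets (CSPRNG) rather than random: the code must be unguessable
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self.pending[user_id] = PendingChallenge(
            code=code, device=device,
            expires_at=self.clock() + CODE_LIFETIME_SECONDS)
        # In a real deployment this is handed to the SMS/email sender and
        # never written to logs; here it is returned so the caller can "deliver" it.
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok' on success, otherwise a reason the code was rejected."""
        ch = self.pending.get(user_id)
        if ch is None:
            return "no_challenge"          # nothing issued, or already consumed
        if self.clock() > ch.expires_at:
            del self.pending[user_id]
            return "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[user_id]      # force a new code after too many guesses
            return "locked"
        # constant-time compare so response timing does not leak matching digits
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self.pending[user_id]      # single use: the code cannot be replayed
            return "ok"
        return "wrong"


if __name__ == "__main__":
    svc = OneTimeCodeService()
    sent = svc.issue("alice", "sms:+1-555-0100")   # constructed sample user/device
    print("code delivered out of band:", sent)
    print("first use:", svc.verify("alice", sent))
    print("replay:", svc.verify("alice", sent))
```

The three properties worth checking in any implementation of this pattern are visible in `verify`: the code is single-use (consumed on success), it expires, and it cannot be brute-forced by repeated guessing within the window. Delivery over SMS is a separate trust decision; the server logic is the same whichever channel the user selects.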

Effectively Navigating the Confusing IT Compliance Maze

Most companies, depending upon their industry, have to comply with anywhere from one to six or more regulatory requirements imposed by a government or industry entity to protect consumers, patients, investors and others. And the number of requirements in scope for a given company seems to increase on a daily basis as a result of a variety of recent events which include:

  • Sub-prime mortgage lending practices that have left individuals homeless and investors with a fraction of their previous net worth
  • Ponzi schemes that have wiped out individuals’ entire life savings; and
  • Security breaches that have exposed thousands of credit card holders to potential identity theft and economic peril … to name just a few.

While these regulations are intended to protect us from unscrupulous activities or ill-advised management decisions by providing safeguards and promoting transparency, many of them have direct implications for the management of information and therefore for the complexity and cost of IT. For example, a pharmaceutical company will have to comply with 21 CFR Part 11 to meet FDA requirements, HIPAA if it stores patient information and Sarbanes-Oxley if it is a public company, in addition to state regulatory requirements such as 201 CMR 17.00, which the Commonwealth of Massachusetts imposes on companies that store personal information about Massachusetts residents if they are a Massachusetts employer.

So how do you navigate the myriad of requirements that apply to your industry and situation? Each of these requirements breaks down into a number of controls that need to be put in place based upon the risks that are relevant to your situation. In many cases, these controls are similar across regulatory requirements, but in order to make that determination you have to sort through each corresponding authority document to determine the appropriate controls and harmonize them.

Fortunately there is help available in this effort by leveraging work done by Network Frontiers, an organization that has analyzed over 600 authority documents from both an IT and a legal perspective (visit www.unifiedcompliance.com). They have harmonized the controls for well over 350 of them into the Unified Compliance Framework (UCF). With over 2400 controls documented, the UCF is the underpinning for a number of governance, risk, and compliance (GRC) vendors such as CA, NetIQ, Compliance Spectrum, and McAfee, amongst others.

While using a compliance framework such as UCF provides an opportunity to streamline and demystify IT compliance management, employing good practice standards and frameworks such as IT service management (ITSM) and ISO 27000 allows you to more easily implement these controls, measure your maturity and complete more audits successfully. Consistent, routine use of documented processes and the appropriate governance structure allows you to maintain the appropriate risk mitigation strategies and evidence that can be easily reported and verified, so that your organization is not scrambling two months before the auditors come in to pull everything together.

In Practice

Good practice is foundational. Having sound change, security, incident, asset and configuration processes in place lays the groundwork for assuring that risk is assessed and handled appropriately, decisions are made based on reliable information, approvals are handled effectively and by the right individuals, and roles and responsibilities are well known and appropriate. Good practice stabilizes the environment and provides a mechanism for continual improvement, facilitating an effective and efficient organization. Good practices give the IT organization a mechanism to operate in concert, enabling the management of "services" for the assurance of value to the business. Having good practice processes in place provides a platform upon which controls can be built, so that as each new compliance mandate becomes relevant for your organization, it does not necessitate creating a new model specific to that purpose.

Your foundational good practice processes need only be reviewed to assure that they include the necessary measurable controls applicable to any new regulatory requirement and that the commensurate adjustments are made. As a result, the effort to incorporate new requirements should be minimized, while the ongoing good practices in place contribute to business value and operational excellence.

Although incorporating compliance with regulatory mandates can seem daunting, there are frameworks to help you navigate the maze. Using a combination of compliance frameworks such as UCF and IT Service Management good practices such as those associated with ITIL, ISO 27000 and others can help to organize and simplify the effort and put you on the shortest path to compliance success.

Can Your IT Service Management Implementation Be Outsourced? 5 Steps to Successfully Use Consulting for Your ITSM Program

Service Management initiatives can help drive better IT operational efficiency and effectiveness when you understand where you are and what improvements can help you meet your goals. As more companies start to consider implementing IT Service Management (ITSM), turning to professional consulting organizations for help with process definition and implementation can help to facilitate a successful program implementation. It is, however, important to note that implementing ITSM good practices is much different from implementing technology. When implementing technology, there is a tendency, particularly within large companies, to heavily leverage consultants for the lion's share of the work. Consultants are brought in to do any and all of the following tasks:

  • manage the project(s),
  • gather, and in some cases even specify the requirements,
  • develop or configure software,
  • implement necessary hardware,
  • document the efforts,
  • develop and deliver training and conduct the rollout.

In essence, much of the effort to deliver new technology capabilities in the form of IT services is often outsourced fairly routinely, and in many cases successfully. Ongoing success of service operation for these new technologies requires that internal resources are trained to provide support or that the appropriate outsourcer is in place to assure successful service operation.

The implementation of an ITSM program, however, is quite different. With respect to implementing good practices, we are primarily talking about instituting new or modifying existing processes and practices. While one or more ITSM consultants used in the "staff augmentation" model, as described above for technology projects, can crank out process documentation and help to specify requirements for automation, they cannot define your processes for you, nor can they, alone, effect the behavioral modification required for successful implementation and ongoing continuous improvement. Getting to "success" with ITSM includes organizational transformation. People in the organization must adopt new policies, modify their procedures and embrace new responsibilities. We are talking about changing the way people do things.

To be successful, the drivers for such change cannot be outsourced. The message of expectations, urgency and sponsorship must be communicated early and often by senior IT management. A steering committee of senior managers, along with your ITSM consultant(s), should form the guiding coalition to lead people in the organization through the changes that will be necessary to reach the goals that need to be attained. In addition, each of the various teams involved in the daily activities of each process being defined or modified should be represented in the working teams that will define the processes they will be expected to use on a daily basis. Without this level of involvement, process internalization and the sense of ownership that is necessary for long-term participation and continuous improvement is less likely to occur. Lastly, the system of rewards must be adjusted to reinforce the transformation you are hoping to achieve with the implementation of retooled process and service management behaviors.

Below are 5 steps for using consultants for your ITSM program to promote successful ITSM implementation:

  1. Use your principal consulting resource as a program mentor. This person can help you structure and plan the program and guide you in the right direction. Assign your own program manager and expect that this person will spend between 50 and 100% of their time (depending on the size of the organization) directly involved in this effort.
  2. Fight the urge to expect your consultant to give you an out-of-the-box solution. Expect that if your consultant has worked with other customers in your industry, they can leverage this experience to help you streamline solutions for your needs, but the size and nature of your organization will require more specific solutions to meet those needs.
  3. Appoint Process Owners to work with consultants to define each process. Expect these individuals to spend 25 to 50% of their time (depending on the size of the organization) in the definition phase of this project. This process owner should be responsible for helping to identify a cross-functional working team for their process area to assist with process definition and roles and responsibilities.
  4. Use consultants to facilitate process definition workshops. Consultants should be trained in meeting facilitation and process modeling to provide objective, informed guidance to the overall project.
  5. Once the process has been vetted and agreed to by the process team, consultants can be used to document the process, create training materials, solicit requirements and write requirements documents for process automation, train employees, and assist in developing communication materials.

The development and implementation of your ITSM program cannot be outsourced to consultants. The typical staff augmentation rules for technology projects do not apply. The fundamental organizational and behavioral changes that accompany process improvement require direct involvement throughout the program from high-level IT management and other players in the organization. Working in conjunction with your ITSM consultant(s), your IT organization can implement effective processes to help you achieve efficiencies while improving levels of service. But if you abandon the importance of your own role in the process and think that you can hire a consultancy to come in, implement and educate without requiring sponsorship and time from individuals in the organization, you are likely going to spend significant dollars with little return on investment.

Valerie Arraj, valerie@service-catalyst.com