© 2003 Terry James. All rights reserved
1
The CRM Textbook: customer relationship management training
Dr. Terry James, © 2009
Chapter 9: Security
CRM versus Security
- In a perfectly secure system you can't access anything, which is not useful
- Understand that your system is not perfectly secure; there are risks
- The more secure, the more expensive
  - Got to pay for all those locks and guards
- In a perfect CRM system, every employee knows everything about every customer
- Balancing act
  - Maximize knowledge of customers versus risking exposure of unnecessary customer details
- The job is never done; the target keeps moving
  - Whatever solution you have, hackers are working on a new way to outsmart you
Role based security
- You see only what you need to see to do your job, to fulfill your role
- Limits to which customers you see (if any)
- Limits to the data seen per customer? Money, address, phone, products, ...
- Time of day, day of week
- What products
- The better the security, the more discrete the controls
Defaults
- Do we take away abilities until we have a secure profile?
  - For clients, employees, suppliers, managers, etc.
- No, we give you no access as default
  - Then we grant increasing access to do your job and role in the organization
- Focus on timing
  - Every access should expire or be reviewed periodically
  - Logon, credit cards, pass cards, ...
  - No dead accounts, no logons for employees who've left, ...
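The two slides above (role based security, and no access as the default with every grant expiring or being reviewed) describe one policy model. The following is an added example, not code from the textbook or from any CRM product, showing that model as a small deny-by-default evaluator: a role grants a set of customer fields, optionally only for whitelisted customers and only at certain hours and weekdays, and every grant carries an expiry. The customer records, roles, field names and expiry dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample customer records; fields differ in sensitivity.
CUSTOMERS = {
    "C100": {"name": "Ann Example", "phone": "555-0100", "address": "1 Sample St",
             "products": ["chequing"], "balance": 1200.00},
    "C200": {"name": "Bob Example", "phone": "555-0200", "address": "2 Sample Ave",
             "products": ["mortgage"], "balance": 98000.00},
}


@dataclass
class Grant:
    """One role-based permission: which fields, for which customers, when, and until when."""
    role: str
    fields: frozenset                            # record fields this role may read
    customers: Optional[frozenset] = None        # None = any customer, else an explicit whitelist
    hours: range = range(0, 24)                  # hours of the day during which the grant applies
    weekdays: frozenset = frozenset(range(7))    # 0 = Monday ... 6 = Sunday
    expires: Optional[datetime] = None           # None = never set; flagged for manual review


@dataclass
class Employee:
    user: str
    roles: set = field(default_factory=set)
    active: bool = True                          # False once the employee has left (no dead logons)


# Constructed policy. Anything not listed here is denied: that is the default.
POLICY = [
    Grant("teller", frozenset({"name", "phone", "products"}),
          hours=range(8, 18), weekdays=frozenset(range(5)),     # business hours, Mon-Fri
          expires=datetime(2030, 1, 1)),
    Grant("mortgage_officer", frozenset({"name", "address", "balance", "products"}),
          customers=frozenset({"C200"}), expires=datetime(2030, 1, 1)),
]


def visible_fields(emp, customer_id, now, policy=POLICY):
    """Return the subset of a customer record this employee may see at time `now`.

    The result starts empty and only grows through matching grants, so a missing role,
    a deactivated account, a customer outside the whitelist, an off-hours request or an
    expired grant each yield nothing rather than something."""
    if not emp.active or customer_id not in CUSTOMERS:
        return {}
    allowed = set()
    for g in policy:
        if g.role not in emp.roles:
            continue
        if g.expires is not None and now >= g.expires:
            continue        # expired grant: must be renewed, never silently honoured
        if g.customers is not None and customer_id not in g.customers:
            continue
        if now.hour not in g.hours or now.weekday() not in g.weekdays:
            continue
        allowed |= g.fields
    record = CUSTOMERS[customer_id]
    return {k: v for k, v in record.items() if k in allowed}


def grants_needing_review(now, policy=POLICY, horizon=timedelta(days=30)):
    """Periodic access review: grants with no expiry, or expiring within `horizon`."""
    return [g for g in policy if g.expires is None or g.expires - now <= horizon]


if __name__ == "__main__":
    teller = Employee("alice", {"teller"})
    print(visible_fields(teller, "C100", datetime(2024, 3, 5, 10, 0)))   # Tuesday 10:00
    print(visible_fields(teller, "C100", datetime(2024, 3, 5, 20, 0)))   # after hours: {}
```

The evaluator never subtracts permissions; it only adds what a live, in-scope, in-hours grant allows, which is what "no access as default" means in code. The review function is the other half of the slide: a grant with no expiry date is itself a finding.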
Identity Management
- CRM and security both want to be sure they identify people correctly
- Identity theft is a big issue, and largely due to incompetence
- The easiest solution is to know your clients and employees
  - If you know their face, their name, then identity fraud is difficult
- If you are not sure, go to the database and call the client and ask if they just applied for a loan or used a credit card. Ask them which store they last went to and when that was.
- Due diligence is KYC: know your clients
Improving security
- Good security is what you know and what you have
  - It is harder for a thief to steal your PIN (something you know) AND steal your credit card (something you have)
- Good security is dynamic
  - The faster your passwords change, the harder it is for a thief to keep up
  - Be aware of shoulder surfing; cover your hand when entering passwords
- Challenge response
  - Passwords can change using a formula with every usage, and may even require a calculator device to generate the response
  - An added cost for improved security
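The "calculator device" challenge-response scheme above combines something you have (a secret inside the device) with something you know (a PIN), and produces a different answer every time. The following is an added example, not the textbook's own code, that implements one such scheme with a keyed hash: the server issues a fresh random challenge, the device computes an HMAC over it using a key derived from the device secret and the PIN, and the server accepts each challenge only once. The device secret and PIN values are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real token has this provisioned by the issuer.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_key(device_secret: bytes, pin: str) -> bytes:
    """Key used on both sides. Without the device you lack the secret; without the
    PIN you cannot rebuild the key even with the device in hand."""
    return hashlib.sha256(device_secret + pin.encode()).digest()


def respond(key: bytes, challenge: bytes) -> str:
    """What the calculator shows: an HMAC over the challenge, truncated to 8 decimal
    digits so the user can type it. A different challenge gives a different answer."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Verifier:
    """Server side. Stores only the derived key (not the PIN), issues one-time
    challenges, and forgets each challenge after a single verification attempt."""

    def __init__(self, derived_key: bytes):
        self.key = derived_key
        self.outstanding = set()

    def issue_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def verify(self, challenge: bytes, answer: str) -> bool:
        if challenge not in self.outstanding:
            return False                      # unknown, expired or already-used challenge
        self.outstanding.discard(challenge)   # one attempt per challenge, right or wrong
        expected = respond(self.key, challenge)
        return hmac.compare_digest(expected, answer)


if __name__ == "__main__":
    # Enrolment: the server keeps the derived key, never the raw PIN.
    server = Verifier(derive_key(DEVICE_SECRET, "4321"))
    # Logon: server challenges, device + PIN answer, server checks.
    challenge = server.issue_challenge()
    answer = respond(derive_key(DEVICE_SECRET, "4321"), challenge)
    print("accepted:", server.verify(challenge, answer))     # True
    print("replayed:", server.verify(challenge, answer))     # False, challenge already used
```

Because the answer depends on a challenge that is never reused, a shoulder-surfed or intercepted response is worthless a moment later, which is the "dynamic" property the slide asks for; the cost is the device and the derivation logic on the server.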
Who is responsible for security?
- The security manager, obviously
- The security team as well
- Senior managers? Other employees?
- Do we include customers? How about partners like a lawyer or accountant? Suppliers?
- Everyone is responsible; anyone can download a virus, or give a password to the wrong person
- Beware of dumpster diving: garbage can reveal details about you and your organization
Educate
- If everyone, including customers, can compromise security, then educate them.
- Tell them you will never ask for passwords over the phone or by email.
- Explain phishing scams and what to do
- Offer free courses, send out flyers, display posters with rules and advice
Closing the barn door
- No point closing the barn door after the horse ran off
- Don't wait to be hit to spend money on security
- Be proactive
  - Hire an expert to review your security
  - Ask an employee to try and find a flaw
Privacy is serious
- Privacy is getting attention
- Governments are appointing oversight
- Penalties for violating privacy policies can be severe
- Check the legislation and comply
- Post your own privacy policies
  - Make promises you can keep
- Associations you join may want extra rules
- Don't fight it; use forced compliance as a selling feature by exceeding your competitors' promises
Group discussion
- You see someone you don't know walking the halls. What do you do?
- You have a meeting with a sales person. The meeting is over. What happens next?
Answer
- If you see someone you don't know walking around unescorted, introduce yourself and find out who they are and what they are doing.
- Escort people who are not employees out of the building, or until you can leave them with another employee.
Physical security
- Doors, locks, guards, walls, ... this is simple.
- Video cameras
- Safe or vault for high quality valuables
  - Is the safe flood-proof, fireproof?
  - Is the storage area onsite and offsite?
- Is important data encrypted?
  - The lost laptop with 10,000 high-profile clients' data is a sad but common issue. Encrypt data.
- Take an inventory, mark every asset, note the owner
Conferences
- A great way to gain ideas, exchange information, learn new skills
- BUT
  - Be aware that conferences can expose weaknesses and security issues
  - Be aware of who you talk to and what you give away
  - Vet what technologists present
  - Brief engineers about security risks
Levels of security
- As the data becomes more sensitive, the security should increase
- Access to the lobby is open to the public
- Access to executives requires appointments
- Access to employee floors is forbidden without an employee escort
- Access to client data needs passwords
- Access to the data center needs passwords, perhaps biometrics (retina or fingerprint scan)
- Access to the password database needs multiple levels: passwords, video camera, etc.
PIPEDA Principles
1. Accountability
2. Identify purpose
3. Consent
4. Limit collection
5. Limit use, disclosure, and retention
6. Accuracy
7. Safeguard
8. Openness
9. Individual access
10. Challenge compliance
The disaster
- The disaster just struck: flood, fire, earthquake, bomb, 8 feet of snow, etc.
- In a well-managed company, what happens next?
Plan ahead
- Who will be on the crisis team?
- Do you have a plan?
- Can you anticipate events?
- In what order will you restore systems?
- Can you limit surprises or false alarms?
- Test vulnerabilities, fix, and retest
- Can your web site be hacked?
- Log every event
Business Continuity
- Have a plan
- Keep backups
  - Incremental and full
  - Onsite and offsite
  - With passwords on sensitive data
  - Test that backups work
- Avoid single points of failure
  - Computers, networks, people, databases, ...
- Can you switch automatically to a backup system? Can you run in degraded mode?
- Example: brute force attack
  - 3-try cutoff on logon, popup message, and issue alarm
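The brute-force example on this slide names three controls: a 3-try cutoff, a message to the user, and an alarm. The following is an added example, not code from the textbook, showing a logon gate that applies all three, plus the "log every event" point from the Plan ahead slide. Passwords are stored as salted PBKDF2 hashes; the alarm channel is a plain list standing in for whatever alerting the security team uses, and the usernames, passwords and IP addresses are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # the slide's 3-try cutoff
PBKDF2_ROUNDS = 100_000   # slow hash so offline guessing is expensive too


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0     # consecutive failures since the last success
    locked: bool = False


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGate:
    def __init__(self):
        self.accounts = {}
        self.alarms = []      # constructed stand-in for the security team's alert channel
        self.events = []      # audit log: every logon attempt, good or bad

    def register(self, user: str, password: str):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_pw(password, salt))

    def login(self, user: str, password: str, source_ip: str):
        """Return (ok, message_for_user). Three consecutive failures lock the
        account, tell the user, and raise an alarm. Later attempts on a locked
        account also raise an alarm, because that is what an attacker's script does."""
        self.events.append(f"logon user={user} ip={source_ip}")
        acct = self.accounts.get(user)
        if acct is None:
            hash_pw(password, b"\x00" * 16)   # same cost as a real check: no timing tell
            return False, "Logon failed"
        if acct.locked:
            self.alarms.append(f"ALERT attempt on locked account user={user} ip={source_ip}")
            return False, "Account locked. Contact the help desk."
        if hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, "Welcome"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked = True
            self.alarms.append(
                f"ALERT brute-force cutoff user={user} ip={source_ip} failures={acct.failures}")
            return False, f"Account locked after {MAX_ATTEMPTS} failed attempts. Contact the help desk."
        remaining = MAX_ATTEMPTS - acct.failures
        return False, f"Logon failed, {remaining} attempt(s) remaining"

    def unlock(self, user: str):
        """Help-desk action, taken only after the caller's identity has been verified
        (the know-your-client check from the Identity Management slide)."""
        acct = self.accounts[user]
        acct.failures = 0
        acct.locked = False
        self.events.append(f"unlock user={user}")


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("ann", "correct horse battery")
    for guess in ("password", "123456", "letmein", "correct horse battery"):
        print(gate.login("ann", guess, "203.0.113.7"))
    print(gate.alarms)
```

Note what the lock protects against and what it does not: it stops online guessing against one account, but it also lets anyone lock a known username with three bad guesses, which is why the unlock path and the alarm both matter.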
Whistleblower
- Is your culture open?
  - Can employees voice concerns anonymously?
  - Are employees punished for voicing concerns?
  - Is there a process for reporting wrongdoing or suspicions?
- Transparency
  - Are decisions open, minutes published, results announced?
- The more secrets, the more reason for concern
- If in doubt, follow the money
  - Who gets paid? How much effort is spent hiding who gets paid and for what?
  - Charities, non-profit companies, private companies... the more the money is hidden, the more reason for concern
- Conflict of interest with auditors, government, ...?
Trap: Hiding issues
- When an event occurs, don't run or hide
- Take control of the incident using Public Relations (PR). Tell your story first to gain control
- Be clear, be complete, be honest
- Make reparations if required
- If you lie, even by omission, it will drag on and on
  - Your reputation, lawsuits, and questions about management will follow
- Knowledge moves quickly today
  - How long does it take for a rumor to spread from 2 people to everyone?
You will never find love if you don't risk a broken heart