TEC 401 Session Three
Joseph Lewis Aguirre
Human Factors In Technology
Objectives - WS3
Organizational and Social Impact of Technology
• Examine the “new social contract.”
• Identify ethical information policies within the organization.
• Describe the application of technology to HR functions.
Technology and HR Functions
Technology is increasingly being used for knowledge management, to provide just-in-time information and skills in the workforce:
• Electronic publishing (e.g., company newsletters).
• Television and video (e.g., corporate advertisements to families and friends).
• Audio teleconferencing.
• Interactive multimedia (e.g., computer-based training for employee skills upgrade).
• Simulation and virtual reality.
• Authoring aids (e.g., policy and procedures templates, online surveys, keyword searches for resume generation).
• Electronic performance support systems (e.g., employee evaluation input, sales quota productivity).
New Social Contract (NSC)
NSC: ethical organization information policies
A social contract for the Information Age deals with key social tensions peculiar to the use of information:
• Ownership of intellectual output.
• Privacy of personal information and internal organizational communications.
• Accuracy and quality of information.
• Access to information.
• Flow and content of information.
• Obligations of organizations created by the use of information.
Automobile monitoring
Progressive Corp. is offering 25% discounts to drivers who allow it to install a monitoring device in their cars and keep a digital driving diary of their moves.
Tracing Nanoparticles
Nanotechnology: manipulation, precision placement, measurement, modeling or manufacture of sub-100 nanometer scale matter.
Common Truth
Everything we say and do represents a choice, &
How we decide determines the shape of our lives.
- Josephson Institute of Ethics
Security Vs Privacy
Biggest Problem isn’t about privacy…it is sloppy security
-----Lee Gomes, Wall Street Journal
• The Regulatory Landscape
• The Security Landscape
• Information Security
• Resources
Regulatory Overview
“Traditional” Higher Education regulations for Information Security
Privacy of Student Records = FERPA
Registration of Foreign Students = SEVIS
Privacy of Medical Records = HIPAA
Regulatory Landscape
“Non Traditional” Higher Education regulations for Information Security
Student / Faculty Lending = GLB / FTC
Homeland Security = Patriot Act
Accounting Scandals = Sarbanes Oxley
Internet/Service Provider = COPPA, DMCA
State/Local Privacy Initiatives = Local regulations
Private privacy rules = Visa, ACH
HIPAA Compliance
HIPAA - Health Insurance Portability and Accountability Act of 1996
Under HIPAA, healthcare organizations from large integrated delivery networks down to individual physician offices must put in place physical and technical data security measures to guard against illegal access to communications networks, databases and applications.
The criminal and civil penalties for non-compliance are severe, and present healthcare firms and their executives with significant liability issues.
FERPA
20 U.S.C. § 1232g; 34 CFR Part 99 is a Federal law that protects the privacy of student education records.
Applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Family Educational Rights and Privacy Act
• Higher education institutions as “lenders”
– Student loans
– Faculty / real estate loans
– Short term cash loans (?)
• Protection of non-public “customer information”
– Paper or electronic form
– Prevent unauthorized use or access
– Includes you, affiliates, and third party vendors
GLB and FTC Enforcement
• Privacy requirements of GLB/FTC met by complying with FERPA
• Comprehensive written information security program requirement must still be met
– Risk assessment
– Design and implement information safeguards
– Prevent unauthorized use or access
GLB and FTC Enforcement
• Internal control of “customer information”
– Good internal controls
• Third party control:
– Due diligence before selection
– Data protection and information security audit clauses in contracts
– Periodic outside verification of third party systems and protections
GLB and FTC Enforcement
• Enhanced “Know Your Customer” regulations placed on financial institutions
• Account opening / entity identification procedures for new accounts
• No common practices yet developed
– Some banks are very intrusive, wanting personal identification of corporate officers
– Some banks are very liberal
• Where are your corporate documents?
PATRIOT ACT
TITLE I--ENHANCING DOMESTIC SECURITY AGAINST TERRORISM
TITLE II--ENHANCED SURVEILLANCE PROCEDURES
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.
Sec. 208. Designation of judges.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
USA Patriot Act
TITLE VI--PROVIDING FOR VICTIMS OF TERRORISM, PUBLIC SAFETY OFFICERS, AND THEIR FAMILIES
Subtitle A--Aid to Families of Public Safety Officers
Subtitle B--Amendments to the Victims of Crime Act of 1984
TITLE VII--INCREASED INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION
TITLE VIII--STRENGTHENING THE CRIMINAL LAWS AGAINST TERRORISM
TITLE IX--IMPROVED INTELLIGENCE
TITLE X--MISCELLANEOUS
SEC. 2. CONSTRUCTION; SEVERABILITY.
USA Patriot Act (Cont)
Keep America Safe and Free
Certain ACLU Allegations re. Patriot Act:
• The FBI can investigate United States persons based in part on their exercise of First Amendment rights, and it can investigate non-United States persons based solely on their exercise of First Amendment rights.
• Section 215 might also be used to obtain material that implicates privacy interests other than those protected by the First Amendment. For example, the FBI could use Section 215 to obtain medical records.
ACLU
Sarbanes Oxley Act (Sox)
Corporate Certification of Financial Statements
• Correct
• Complete
• Effective underlying controls
Requires organizations governed by the SEC to establish and maintain an audit committee responsible for the appointment, compensation and oversight of any employed registered public accounting firm.
Does not apply directly to information security or non-publicly held entities (but...)
Sets minimum standards for accountability and integrity of accounting systems/records.
ISO 17799
ISO/IEC 17799 Part 1: Is a guide containing advice and recommendations to ensure the security of a company’s information according to ten fields of application.
BS7799 Part 2: Information security management -- specifications with guidance for use provides recommendations for establishing an effective Information Security Management System (ISMS). At audit time, this document serves as the assessment guide for certification.
ISO 17799
The goal is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”
• Online collection of personal information from children under 13
• Requires privacy policy, consent from parent, and protection of data
COPPA (Children's Online Privacy Protection Act)
• Protection of intellectual property and property rights
– Identification of covered information
– Steps to prevent abuse of covered information
• Posting of appropriate notices on institutional/department web sites
Digital Millennium Copyright Act (DMCA)
• If electronic information includes social security number and/or banking information
• AND electronic systems suffer a security breach
• Consumer customers who are residents of California must be notified of the security breach
California Privacy Legislation (SB 1386)
• How are we “doing business with residents of California”?
• Does it apply to businesses outside California?
– Will not know for a decade or more
– Behave as if it does
• Model for Federal legislation applicable to all states
California Privacy Legislation (SB 1386)
• Colorado legislature passed a law prohibiting use of SSN or credit card numbers as identification for check payments
– Revision of cashiering procedures
– More difficulty researching returned checks / payments
• Indicative of trend across all states
Prohibition of use of SSN
• Visa, Mastercard, Discover, American Express, Diners, JCB
• Visa has most specific information security rules
– Other card associations follow Visa’s lead
• Probable penalties assessed for noncompliance
– Eventually Visa will get to a given sector for compliance monitoring
– Most likely to occur after you receive serious publicity for a breach
Credit Card Association
• Specific security requirements for Internet- and telephone-initiated transactions
– WEB, TEL Standard Entry Class codes
• Web site security requirements
– 128 bit Secure Sockets Layer
– Specific transaction authorization
– “Commercially reasonable” security standards
Automated Clearing House (ACH) Rules
• Treasury Institute for Higher Education
– http://www.treasuryinstitute.org/default.asp
• Association for Financial Professionals
– http://www.afponline.org/
Assessing Security of Sensitive Systems - More Info
• Protecting your own system
– http://www.afponline.org/Information_Center/Publications/AFP_Exchange/tinuccisup/tinuccisup.html
• Gramm-Leach-Bliley / FTC
– http://www.ftc.gov/os/2002/05/67fr36585.pdf (Final Rule)
– http://www.nacubo.org/business_operations/safeguarding_compliance/index.html
– http://www.ftc.gov/privacy/glbact/index.html
Assessing Security of Sensitive Systems - Resources
• USA PATRIOT Act Analysis
– http://www.afponline.org/ohc/082003/219_article_13/219_article_13.html
• Sarbanes Oxley
– http://www.afponline.org/FRACpublic/sox/sox.html
– http://www.treasurystrategies.com/resources/articles/HowILearnedSarbanes.pdf
Assessing Security of Sensitive Systems - Resources
• COPPA
– http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm
– http://www.ftc.gov/bcp/conline/edcams/coppa/index.html
• DMCA
– http://www.educause.edu/ir/library/html/cem9913.html
– http://www.educause.edu/issues/issue.asp?issue=dmca
– http://www.copyright.gov/legislation/dmca.pdf
Assessing Security of Sensitive Systems - Resources
• California Privacy Bill SB 1386
– http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
• Colorado Prohibition on SSN for identification
– http://www.state.co.us/gov_dir/leg_dir/olls/sl2003a/sl_180.htm
Assessing Security of Sensitive Systems - Resources
• Visa Cardholder Information Security Program (CISP)
– http://www.usa.visa.com/business/merchants/cisp_index.html
• MasterCard Electronic Commerce Best Practices
– http://www.mastercardmerchant.com/preventing_fraud/website_security.html
– http://www.mastercardmerchant.com/docs/best_practices.pdf
Assessing Security of Sensitive Systems - Resources
• ACH WEB transaction requirements
– ACH Rules, Operating Guidelines, Section IV, Chapter VI (Special Topics, Internet-Initiated Entries)
• SANS SCORE Project homepage
– http://www.sans.org/score/
– Assessing the security of third party vendors (ASP checklist): http://www.sans.org/score/asp_checklist.php
– BS 7799 / ISO 17799 checklist: http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
Assessing Security of Sensitive Systems - Resources
Common Truth
Everything we say and do represents a choice, &
How we decide determines the shape of our lives.
- Josephson Institute of Ethics
ETHICS – NOT!
• Religion;
• Political stance;
• Fad;
• Laws;
• Absolutes;
• Something that can only be understood by extremely intelligent people.
ETHICS IS:
• What we believe, why we believe it, and how we act out those beliefs;
• Personal & public display of personal attitudes and beliefs;
• Fluid through different situations;
• An aid in decision making; and
• According to Aristotle:
a) A standard of behavior; &
b) An area of study exploring the nature of morality.
Act with integrity
– Protect the privacy and confidentiality of information
– Do not misrepresent or withhold information
– Do not misuse resources
– Do not exploit weaknesses of systems
– Set high standards
– Advance the health and welfare of the general public
Standard of Conduct
Ethics Decision Tree for CPAs
CPA’s Taxes and Code of Ethics
• If It’s Necessary, It’s Ethical - ends-justify-the-means reasoning.
• The False Necessity Trap - As Nietzsche put it, "Necessity is an interpretation, not a fact."
• If It’s Legal and Permissible, It’s Proper - Ethical people often choose to do less than the maximally allowable, and more than the minimally acceptable.
• It’s Just Part of the Job- Fundamentally decent people feel justified doing things at work that they know to be wrong in other contexts.
• It’s All for a Good Cause- is a seductive rationale that loosens interpretations of deception, concealment, conflicts of interest, favoritism and violations of established rules and procedures.
ETHICS - OBSTACLES
• I Was Just Doing It for You - "little white lies" or withholding important information in personal or professional relationships, such as performance reviews.
• I’m Just Fighting Fire With Fire- This is the false assumption that promise-breaking, lying and other kinds of misconduct are justified if they are routinely engaged in by those with whom you are dealing.
• It Doesn’t Hurt Anyone - Used to excuse misconduct.
ETHICS - OBSTACLES
• Everyone’s Doing It - This is a false, "safety in numbers" rationale fed by the tendency to uncritically treat cultural, organizational or occupational behaviors as if they were ethical norms, just because they are norms.
• It’s OK If I Don’t Gain Personally - This justifies improper conduct done for others or for institutional purposes on the false assumption that personal gain is the only test of impropriety.
• I’ve Got It Coming - People who feel they are overworked or underpaid rationalize that minor "perks"
• I Can Still Be Objective - By definition, if you’ve lost your objectivity, you can’t see that you’ve lost your objectivity!
ETHICS - OBSTACLES
– Proportionality: good must outweigh harm
– Informed Consent: understand and accept risk
– Justice: fair distribution
– Minimized Risk: avoid unnecessary risk
Ethical Considerations - Principles
1. Trustworthiness.
2. Respect.
3. Responsibility.
4. Fairness.
5. Caring.
6. Citizenship.
Ethical Considerations – 6 Pillars of Character
Ethics Decisions - Requirements
Making ethical decisions requires the ability to make distinctions between competing choices.
It requires training, in the home and beyond
Ethics Decisions - Conclusion
No one can simply read about ethics and become ethical.
People have to make many decisions under economic, professional and social pressure.
Rationalization and laziness are constant temptations.
But making ethical decisions is worth it, if you want a better life and a better world.
Keep in mind that whether for good or ill, change is always just a decision away.
Security, Ethics and Society
• Employment - Computer monitoring
• Working Conditions - Upgrade
• Individuality - Loss of individuality
• Health - Ergonomics
Ethical Challenges
The BCS Code of Practice says:
“A system is at risk from the moment that the project which develops it is first conceived.
This risk remains until at least after the system is finally discontinued, perhaps indefinitely. Threats to security range from incompetence, accident and carelessness to deliberate theft, fraud, espionage or malicious attack.”
Security and Risks
Leaks
BofA - 02-25-05, 1.2 million federal government charge cards affected. Computer backup tapes were lost.
LexisNexis - 03-09-05, 310 consumers affected. Unauthorized use of customer logins and passwords.
MCI - 05-23-05, 16,500 current and former employees affected. Laptop stolen from an MCI financial analyst.
CardSystems Solutions - 06-17-05, 40 million credit card holders affected. Person broke into the computer network of CardSystems.
USC - 06-20-05, 270,000 consumers affected. Hackers broke into the applications database.
CyberMines
Targeted Attacks - mass mailings of worms and viruses, using keyloggers and security flaws in web browsers. Solution: get unplugged.
Botnets - robot networks made up of home and business PCs taken over by hackers. ISPs monkey
Net crash - arcane protocol: exploit the Border Gateway Protocol to advertise their routes so they can carry their network
Critical infrastructure attacks - cyberattacks that penetrate supervisory control and data acquisition - compliance with rigorous cybersecurity standards.
CyberMines (Cont)
Phraud - Internet-related fraud accounted for 53% of all consumer fraud complaints to the FTC in 2004. Phishing: guard personal information. Evil twins: do not use unsecured attach points. Pharming: how to find Nemo.
Hijacking - Covert control of computer resources. Use firewalls and secure browsers.
Wireless Attacks - smartphones, PDAs, etc.
Cyber Enemy
Bot Network Operators - hackers
Organized Crime Groups
Corporate Spies
Foreign Intelligence Services
Hackers
Insiders
Phishers - trading on sensitive data
Spyware/Malware authors
Terrorists
Who is the enemy
In-house security breaches account for some 70-90% of all security breaches. (Hurwitz Group)
57%: the worst breaches occurred when their own users accessed unauthorized information.
The next problem happened when user accounts remained active after users left the company. (Digital Research)
Only 21% are concerned with external security threats.
Cost of Computer Crime
[Chart: Cost of Computer Crimes, 1997-2001, in millions of US dollars ($0 to $5.00); series: IP Theft, Fraud]
Source: Computer Security Institute
Insurance Council of Australia estimates $3 trillion/year
Action Taken After Breach
Source: Computer Security Institute
[Chart, percentage of respondents (0%-100%): Patches; Did not report; Reported to law enforcement; Reported to legal counsel]
Worm Evolution
1988 - Robert Morris, first worm
2001 - Code Red, exploited IIS to infect 359,000 hosts and launch a Denial of Service attack on the White House site; random propagation caused it to clog and contain itself
2001 - Code Red authors learned and launched Nimda
2003 - Sapphire - exploited a vulnerability in MS SQL Server
2004 - Welchia.C - compiled list of addresses; variant SoBig.F
2005 - BotNets - Worm writers partner with spammers for profit.
• Hackers, crackers, and thieves, oh my! Viruses, worms, and trojans, oh my!
• Identity theft running rampant (electronic AND in person)
– Internal/external fraud on the rise
– Third party vendors selling private information
• Wireless networks broadcasting data
• The insecure nature of academic networks
Security Landscape
• Definition of “sensitive data”
• Analysis of where sensitive data is used
• Assessment of the security of systems with sensitive data
• Securing systems with sensitive data
• Developing an information security culture
Sensitive Data
• “Personal information”
– Name, address, contact information, gender, age
– Social Security Number
– Banking information, including financial institution, account number, credit/debit card number
– Health / medical data
Sensitive Data
• Corporate information
– Operational procedures
– Contingency procedures
– Bank account and investment information
• Other information that might be used to conduct fraud or impersonation
– Often depends on context
– Look at as a whole, not specific pieces individually
Sensitive Data
• Student systems
• Cashiering / Bursar / POS systems
• Application, registration, recruitment systems
• Accounts Receivable / Payable
• Human Resources / Payroll
• Medical / clinical systems
• Departmental databases
– Treasury workstation
– Conference registrations (if they keep credit card numbers)
• Research databases
Sensitive Data Found in:
• Nontechnical assessments:
– Physical security assessment
– Location of sensitive records
– Logical access to data (Who has access? Do they really need access?)
– Disaster backup procedures
– Contingency procedures
– Privacy statement / policies
Assessing Security of Sensitive Systems
• Third party vendor assessment
• Boilerplate language for
– Protection of data
– System security
– Secure file exchange
– Financial penalties for noncompliance
• Use of subcontractors ONLY with your permission
Assessing Security of Sensitive Systems - Contractual Services Agreement
• Do our procedures require sensitive data?
– SSN on deposited checks
– Credit card number on conference registration server
– SSN as student ID
• Can we replace the data with nonsensitive data?
• Can we change the procedure entirely?
– ACH payments instead of checks
Assessing Security of Sensitive Systems - Operational Security
• Does the organization have a master privacy policy?
• Does each departmental web site either have its own privacy policy or link to the master?
• Does the policy comply with local law? (California, other states)
• Is data access limited to “need to know”?
– Access control lists for everything
Assessing Security of Sensitive Systems - Privacy Policies
• Visa Cardholder Information Security Program Compliance Questionnaire
– 77 point technical security checklist
• SANS SCORE Project checklists
• Form alliance with internal auditors (EDP auditors)
• Hire outside expertise for assessment
Assessing Security of Sensitive Systems - Technical Assessment
• Implement technical security measures
– Firewalls, intrusion detection and response, appropriate architecture
– Visa CISP checklist measures (SSL, data encryption, etc.)
– Access control policies (least possible access to data) implemented and enforced
– Enforce good passwords
• Hire professional security programming expertise (require department to do so)
– Particularly if cards accepted over web sites
Assessing Security of Sensitive Systems - Securing
• Centralized student systems behind mega-firewall
• Firewalls within firewalls
• Data inquiries run on server, only results passed to client
– Remote access to student data severely limited
• Web servers never retain credit card information
• Look at processes and procedures (sanitize reports, etc.)
Assessing Security of Sensitive Systems - Centralized Security
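An added example, not from these slides or any vendor they name, that operationalizes two of the slides above: the definition of sensitive data (SSN, credit/debit card number) and the "sanitize reports" step of securing centralized systems. The sample records, the regexes and the function names are this example's own assumptions; it flags SSN and card-number patterns in flat records, confirms card candidates with the Luhn check so that bare digit strings (account and routing numbers, which as the slides note depend on context) are not misreported, and masks the findings so a report can be circulated.

```python
import re
from collections import Counter

# Constructed sample records (not real data): the kind of lines a departmental
# export, cashiering log or conference-registration report might contain.
SAMPLE_RECORDS = [
    "id=1001 name=Jane Doe ssn=078-05-1120 phone=555-0100",
    "conf_reg: attendee=John Roe card=4111111111111111 exp=12/06",
    "deposit: check#2231 memo='SSN 219-09-9999 on check' amount=45.00",
    "treasury: acct=123456789 routing=021000021 note='wire to vendor'",
    "id=1002 name=Sam Poe card=4111111111111112",  # fails Luhn: not a card number
]

# SSN in AAA-GG-SSSS form, excluding never-issued area (000, 666, 9xx),
# group (00) and serial (0000) values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Card number (PAN) candidate: 14 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check used by the card associations; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(record: str) -> list:
    """Return (kind, value) pairs for SSNs and Luhn-valid card numbers in one record.

    Bank account and routing numbers are deliberately not matched: they have no
    checkable structure, so a bare digit pattern would mostly produce false hits.
    """
    found = [("SSN", m.group(0)) for m in SSN_RE.finditer(record)]
    found += [("PAN", m.group(0)) for m in PAN_RE.finditer(record) if luhn_ok(m.group(0))]
    return found


def inventory(records) -> dict:
    """Count findings by kind: the 'where is sensitive data used' step of an assessment."""
    counts = Counter(kind for rec in records for kind, _ in find_sensitive(rec))
    return dict(counts)


def sanitize(record: str) -> str:
    """Mask SSNs and card numbers, keeping the last four digits, so a report can circulate."""
    record = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], record)

    def mask_pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number; leave the text untouched
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(mask_pan, record)


if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, find_sensitive(rec), "->", sanitize(rec))
    print("inventory:", inventory(SAMPLE_RECORDS))
```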
• Buy-in from the highest levels
– Lots of scary stories
– Regulatory requirements
– Financial liability
– Adverse publicity
• Basic security education for all users AND students
• Partnership with internal auditors
• Partnership with campus computer departments
Assessing Security of Sensitive Systems - Culture Development
Financial
Typical Vulnerability = Breach
Unvalidated Parameters = Hijack accounts; steal data; commit fraud
Command Injection Flaws = Database dumps all account information
Buffer Overflows = Crash the servers; damage app, other mayhem
Cross Site Scripting = Steal account and customer information
Broken Accounts/Session Mgmt = Hijack accounts; steal data; commit fraud
Information Security Action Plan
1. Keep it simple
2. Security requirements
3. Assessing threats
4. Establish Security framework
5. Plan for disaster
6. Develop clear security policy
7. Use the right security tools
8. Staff training
9. Monitor
Application Protection
Improved QA
Scanning/Vulnerability Assessment
Host Based
•Intrusion Detection (IDS)
•Intrusion Prevention (IPS)
Application Firewall
Application Protection - QA
ADVANTAGE:
• Right the first time
• No runtime performance penalty
• Built into application development cost
DIS-ADVANTAGE:
• Time consuming
• Protects from known vulnerabilities
• Lack of specialized security expertise
Scanning and Vulnerability Assess.
ADVANTAGE:
• Identifies vulnerabilities
• Complement lack of security expertise
DIS-ADVANTAGE:
• Secure as last scan
• A challenge fixing vulnerabilities discovered
VENDORS
• SPI Dynamics
• Sanctum
• Kavedo
Host Based Scanning
ADVANTAGE:
• Plugs security holes once discovered
• Helps with network level
DIS-ADVANTAGE:
• May not address OS, platform dependencies and other vulnerabilities
VENDORS
• Cisco
• NETA
• Sana
Security
[Diagram: Risk of Breach (Minimal to Severe) against content type (Static Content to eCommerce), with regions labelled QA, E-COMMERCE and Real Time Protection]
Application Protection
Secure Application Gateway
ADVANTAGE:
• Stops hacks before they get to the application
• Continuous protection
DIS-ADVANTAGE:
• Upfront investment
• Increased network complexity
VENDORS
• Teros
• Netcontinuum
• Magnifier/F5
DECISION ENVIRONMENT
[Diagram labels: Values; Goals; Structure; Climate; Environment; Marketplace; Other Teams; Culture; Competition; Pressures; Clarity; Commitment; Reward System; Reporting Relationships; Feedback System; Behavior Norm; Decision Making; Enthusiasm; Stress; Trust; Involvement; Flexibility; Collaboration; Mission; Philosophy; Accountability]
Fund Transfers
[Two pie charts, Origin and Destination of fund transfers, by region: Europe, US & Canada, Asia Pacific, South America, Africa/Middle East; values as extracted: 42%, 46%, 2%, 4%, 6% and 21%, 2%, 8%, 49%, 20%]
HR Perception
Focus on retaining high quality workers: 40%
Fair performance evaluations: 41%
Rate job training favorably: 58%
Opportunities for advancement: most
What is required to move up? Do not know
Company shows genuine interest in employee well-being: most
Source: Hay Group, 2005 survey
HR Perception
In a Knowledge economy, finding and nurturing talent is one of the most vital corporate functions. And that is just what HR does so badly.
-- Keith H. Hammonds, FAST Company’s deputy editor
You are only effective if you add value. That means you are not measured by what you do, but what you deliver.
-- David Ulrich, University of Michigan
HR - Walking the Talk
“The underlying principle was invariably restricted to the improvements of bottom line performance”
Study of the relationship between what companies said about their human assets and how they actually behaved.
-- Strategic Human Resources Management (1999)
-- Keith H. Hammonds, FAST Company’s deputy editor
HR Perception
HR People aren’t the sharpest tacks in the box
HR pursues efficiency in lieu of value
HR is not working for you
The corner office does not get the HR
-- Keith H. Hammonds, FAST Company’s deputy editor
HR Examples
A talented young marketing executive accepts a job offer with Time Warner out of a business school. She interviews for openings in several departments - then she is told by HR that only one is interested in her.
FACT: She learns later that they all had been interested in her. She had been railroaded into the job, under the supervision of a widely reviled manager.
--Keith. H. Hammonds, Why We Hate HR, August 2005 FAST CO.