First of all, do your best not to handle any credit card numbers if you can help it. For example, if you use a shopping cart such as 1AutomationWiz and you never handle any credit cards in person, then your PCI compliance is much easier. In this example, if the number of cards you process is small enough that you can use a self assessment questionnaire, the number of questions you need to answer drops from 224 to just 15 questions—a huge simplification of the amount of work you need to do to become PCI-DSS compliant!

Before you invest a lot of time making your organization PCI–DSS compliant, first take time to simplify how you accept and process credit cards. You may find that changing some of your business practices, without causing more work for you or inconveniencing your customers, can make PCI compliance even easier.

For example, at one time, I sold books and CD learning kits in the back of the room while speaking. I’ve stopped doing that now to simplify meeting PCI-DSS regulations. If I ever decide to accept credit cards again at events, my compliance will be more complicated.

Have you changed your business processes to be more PCI compliant?

Please post your comments on this blog.

It is also important to have adequate ventilation and fans to circulate the air through the servers so that the temperature inside the computer chassis remains cool as well.

Additionally, it is useful to put monitors in the server room so that if the air conditioning fails at night or over a weekend, alerts will be automatically generated to notify appropriate personnel who can come in to fix the problem before the servers are damaged.

While you are at it, lock your server rooms to prevent intrusion, monitor for floods if that is an issue in your building, and use appropriate power filtering to prevent electrical surges and spikes from damaging your servers.

Please post your comments on this blog.

Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an employee is privy to client data, they may “steal” that and use it for other purposes.

The goal is to protect private client data—and you may choose to never enter that into a computer system your employees can access—or never enter it into a computer at all.

If your employees do want to access client data, and you just do not want the employees to be able to easily take large amounts of information, the challenges increase dramatically. Even so, the possibilities are closer than you may realize. Thanks to application delivery and virtualization technologies, you can allow employees to work from home, or the office, without having information stay resident on their computer. You can also restrict them from being able to:

• Save to a local drive
• Print information
• Copy and paste outside your protected space
• Or otherwise retain any information

However, there is little to stop an e-savvy employee from using a digital camera to take a screenshot, or using a yellow sticky note to write down someone’s credit card information or social security number. At least these kinds of activities take “time,” so you are restricting the speed of stealing data.

For what technology cannot solve, your corporate legal advisors can step in. They can help you with non-disclosure agreements, acceptable usage policies, and other agreements for your workers to sign. The key point here is that these do not necessarily prevent the theft, but they do provide you some recourse if the employee is ever caught.

There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know someone who does offer IT security insurance.

In some organizations, prevention is crucial. Once the data gets out, the organization may be damaged beyond repair.

To prevent an employee from e-mailing themselves a client list, there are Data Loss Prevention DLP tools available in the world. They watch for suspicious behavior and can quarantine such messages before sending them out. That delay gives the responsible person in your organization the opportunity to stop the data before it leaves.

There are other strategies as well:

• Provide people with only the information they need to know. A good book full of these examples is Blind Man’s Bluff: The Untold Story of American Submarine Espionage by Sherry Sontag and Christopher Drew.
• Rotate employees through specific duties so their time to do harm is limited.
• Force employees to take mandatory vacations during which time illegal behaviors may be detected.
• Have a separation of duties such that it would be difficult for one employee to commit fraud all by themselves.

While “total protection” may result in your employees not being able to function, there are strategies that can provide you with both productivity and security.

Please post your comments on the blog.

IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built into the Microsoft Server operating systems—and even Windows 7 for that matter. One just has to “turn it on.”

To me, the key concept relating IT security and productivity is to get away from the “either, or” way of thinking. In other words, you CAN have BOTH security and productivity! If you feel you have to give up productivity to be secure, I feel confident there is a solution that will let you have lots of both.

Granted, almost always, there will be some compromise. You may have to choose between being:

• 90% secure and 100% productive, or
• 100% secure and 90% productive

The choice is up to whoever will be held responsible for a data breach—probably the owner, CEO, board etc for the organization. I generally lean to the first option in many cases.

Key point: This decision is NOT and I repeat NOT up to IT. I feel it is IT’s responsibility to alert executives to any such trade-offs so that the executives can make an informed decision since they have to live with the consequences of their choices.

I wonder just how much money in the purchase price of a new car has to do with the door locks and the key used to start the car? How much added frustration do we experience in our lifetimes due to having to lock, unlock, and start our cars with a key throughout our lives? Yet, our vehicles are productive and secure without having major conflicts between those two attributes.

On a tangent: If users could “see” someone stealing their data or borrowing their computer the way they could see someone borrowing their car, users would be more attentive to IT security.

Please post your comments on the blog.

It is beneficial, every year or so, to have someone in your organization shop around for data service rates for your business.

Most of my clients report findings such as, “We now have twice the data rate for one half the price!”

If you have not shopped around lately, now is a great time to do so! Remember to call telephone companies, cable services, fiber providers, and even fixed wireless if it is available in your area.

If you have multiple locations, you may even find that an MPLS solution, where the telephone company handles much of the traffic routing between locations, is a good option for your organization.

After you save money at the office, have your users check their homes as well. I just upgraded our home to a new provider for half the price that is providing two thirds of a T3’s speed for downstream data—speeds I’d only dreamed of before. The Internet is a whole new experience at these speeds! Remember too that commercial service to your business will cost more than residential service to homes, as well as often provide much faster upstream connections than residential services.

Please post your findings on the blog.

While I was presenting in May, a CEO in the audience related information about a productivity expert promoting human multitasking and providing “Generation Y” with the distractions they want while at the office. You may have followed my blog postings the past two weeks about the disruption of interruptions and the idea of human multitasking.

There is indeed literature promoting what I would call the “distracted work environment” in an effort to attract the “best and brightest” young employees.

I guess I’m old-fashioned, and I’m taking the stand that the “best and brightest” employees will not want to be distracted while performing their duties on the job. From an IT security perspective, this access can be devastating to your business.

The CEO in the audience feels that in order for Gen Y employees to be happy, employers need to provide them access to social media all day long to use at the worker’s discretion. He cited examples of the work environments at Google and other Internet companies. I wonder how many other employers tell themselves it is “ok” to provide distractions to workers.

For Google, and even the marketing professionals at your own organization, it makes sense—even to me—for them to access social media at work since that is part of their job!

To me, promoting social media for non-work-related tasks makes as much sense as keeping a carton of cigarettes readily available and constantly restocked at the desk of someone who is trying to stop smoking.  Sounds more like temptation and torture than being supportive of someone achieving their goal.

I believe in workers feeling happy based on a “job well done” and my appreciation for their accurate and productive work. I believe there are members of Generation Y who take pride in their work and perform to the best of their abilities. I feel it is the employer’s responsibility to provide them with a productive work environment—free of distractions.

Isn’t it enough that the employees can have their own smart phone or other device right next to their desk and use that for their distractions? Need we, as employers, provide the same distraction using a larger screen on company owned equipment? No, you do not—at least not in the summer of 2010. The inappropriate access for non-work-related social media access results in too much lost productivity and too risky for IT security.

You may have seen the short comedy video a wonderful video production firm created for The Foster Institute, Inc. demonstrating the internet misuse that may be going on in your organization. The theme of the video is an office romance gone awry.

One of the more enjoyable parts of blogging is stirring up some controversy, so please post your comments on the blog.

Between two back-to-back engagements in the East earlier this year, the best transportation option was to charter a private flight since other transportation options were more costly in both time and money. I booked the charter under the stipulation that the pilot allow me to sit in the copilot seat rather than “in the back” as long as I promised not to”push any buttons.” The charter service agreed, and it was 2 hours of the beautiful scenery and enlightening conversation!

The weather was beautiful and I was able to increase my knowledge of flying, navigating, aviation radio communications, and the procedures pilots use every day. My experienced and highly capable pilot spoke of how he flew Apache helicopters in the service and we discussed human multitasking—which is important when piloting an Apache. I learned later that a pilot in the book Apache by Ed Macy reports his cockpit video even showed the pilot’s two eyeballs looking in two different directions regularly during times that required multitasking!  I am unsure if the Generation Y employees have the same level of intensive training as Apache helicopter pilots.

Even my pilot, whom I hold in the highest esteem and feel enormous respect for his rotor and fixed wing piloting abilities, transmitted incorrect information through an air traffic control hand-off during our flight. I noticed it as he was transmitting, and the air traffic controller did too because they immediately asked for clarification. The point is, no matter how good we are, we are all humans. Adding multitasking requirements increases the chances for errors.

We live in a day of social media, text messages, e-mail, and constant information being “fed” to us at sometimes an alarming rate. I would find it difficult to use the Internet and e-mail at all without good spam and web content filters to eliminate the data I’m for sure not interested in anyway.

Scientific studies in controlled environment show humans who multitask suffer a precipitous drop in productivity with an associated increase in errors.  Why would we do this to our employees, especially if they are paid by the hour?

Scientists discovered that, rather than multitasking, the brain must perform rapid task-switching. On top of that, the brain must now also monitor to see which task needs attention in the next moment.  This leads to each important task only receiving the partial attention of the human.

On top of that, do you enjoy talking to someone who is not making eye contact and they type furiously while you speak? Most employers want their workers to provide full attention to work-related tasks while on the clock.

Can you or anyone you know effectively do more than one thing at the same time? Please post your comments on the blog.

When CNN ran the story, Study tracks effects of interruptions on doctors, I immediately thought about the effects of interruptions on the “doctors” who take care of your IT—your IT professionals!

If you have seen me speak, or experienced an IT Vital Systems Review audit, you have heard my soap box spiel about how IT professionals all need at least one 45 minute period of uninterrupted time each day to accomplish tasks. My preference is that they get even more than one of those periods.

When solving an IT related issue, planning the next upgrade, or focusing on some other IT related process, it is crucial for the IT professional to be balancing multiple ideas and multiple subjects around in their brain simultaneously. One unnecessary interruption can throw the IT professional back to “square one” again in a nanosecond.

The CNN article says doctors did not even return to almost 20% of the tasks they were doing when interrupted.

Interruptions are dangerous to medical professionals in hospitals, pilots in aircraft, and IT professionals in your organization.

Save them time, and yourself money, by allowing them to work quietly from time to time.  If you have them on staff, IT developers are the same way. Writing code is a thought intensive process.

I was interrupted twice while writing this article. How many times were you interrupted while reading it?

For that matter, some of the CEO’s and other key executives that read these blog postings can benefit from some uninterrupted time as well!  Please post your thoughts on this blog.

If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data.

One of my clients explained that the costs can soar to $5 per person to locate and notify people you’ve done business with. That’s $5,000 for every 1000 people you’ve served!

Additionally, there may be fines levied against you. For example,  in April 2010 the Financial Regulatory Authority fined the brokerage firm D.A. Davidson & Co. in Montana $375,000 after a hacker broke into their servers.

More and more, my clients and audience members are asking about IT security insurance to augment your protection. There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know of an agency that does offer IT security insurance and can write coverage anywhere in the USA: Andy Burkart, CPCU, of Burkart-Heisdorf Insurance Agency. The phone number is 800-989-6174.

I am NOT an insurance professional, so I encourage you to post any information and comments on this blog.

This is a concern for identity theft and also a source for other private information falling into the wrong hands. Organizations that fall under HIPAA compliance, Gramm-Leach-Bliley Act, PCI-DSS, and other regulations are sometimes more sure of the risk.

Earlier this month while I was performing an audit on a client’s network, he explained that he refuses to allow his staff to “outsource” making copies even to their CPA firm. He does this in order to “isolate” the area he needs to protect. He has a strict policy that documents can only be copied using copy machines in their office.

One of my readers is in contact with an organization that processes used copiers and they make sure to erase the hard drives before the copiers go to new owners.

If any of you are specifically seeking a copy machine security specialist, the CBS video interviews John Juntunen and it appears his web site is www.copiersecurity.com. The phone number on the web site is 530-672-9300 if you want to explore his services. The web site shows they offer a service that will remove your copier’s hard drive, destroy the drive, and replace the destroyed drive with a new drive formatted for use with that copier. They also offer anti-tampering kits to help you monitor your copiers to at least know if someone has accessed the data on the hard drives.

One point he made in the interview is how many companies do not seem to care about security until they have a breach—and then it is too late. I’ve felt the same frustration in the past. Security, be it in your computers, servers, or copy machines, is an important issue!

Please post any of your experiences or additional ideas about copy machine security here on this blog.