For those of you following this space you know that I have spent a considerable amount of ink outlining M.G.L. c. 93H 201 CMR 17.00, better known as the Massachusetts Privacy Law.  What I have found first hand as well as though 3rd party accounts is although the requirements for compliance are fairly well-defined, how a small to medium size business achieves compliance is quite a different matter.  Terms such as “taking into account the size scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program and the amount of resources available to such person…” does not give one an awful lot to work with.  Add to that the question of HOW the Commonwealth intends to enforce this new law once it takes effect.

That’s when I started bringing my knowledge of CobIT and the adoption of new frameworks into the mix.  Using some very high level Control Objectives derived from CobIT as well as interpreting answers to questions I posed to various officials at the Commonwealth’s Office of Consumer Affairs, I have come up with a simple yet robust “Written Information Security Program” (WISP) and some policies and procedures that can be implemented and adhered to by Joe The Barber with 3 employees or Mid-Size Mike’s Manufacturing with 100 employees.

Some things to think about when preparing your WISP:

DO WE?

Have a written security plan that addresses all areas of our operations?

Have policies appropriate to our size and complexity, our activities, and the sensitivity of the customer information we handle?

Continually review our policies and practices?

Have a data recovery plan in case of a natural disaster? Do we test it periodically?

Conduct regular security audits and response exercises?

Keep records of information accessed and regularly monitor those records for unusual activity?

Adjust security passwords and other protocols promptly when employees leave?

Make all employees aware of the penalties for security breaches?

Use the latest, updated virus protection?

Combine numbers and symbols in passwords and change them regularly?

Inform business partners of their responsibilities to meet specific security standards?

Consider security ramifications before sharing data with business partners?

Avoid unusual or suspicious list requests?

Please visit the RGW Associates LLC website:  RGW Associate LLC

You can also contact me directly:

Sebastian DiFelice
Managing Director
RGW Associates LLC
sdifelice@rgwllc.com
(888) 452-8445 x801
direct (617) 237-0543
fax (610) 523-4443
www.rgwllc.com

A blog for avouding bad practices in the Information Security and IT Governance

I have culled the COMMONWEALTH OF MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION website and have found a useful Q & A / FAQ document that I have integrated into this blog.  I have also added my comments.  I hope you find these all useful.

Massachusetts is about to enact the most wide spread and comprehensive state regulation in the nation.  It targets the protection of state residents personal information by enacting a detailed set of provisions that are based on information security best practices as set forth in ISO 27001 information security framework.

On September 19, 2008 with the help of Governor Patrick the Massachusetts Office of Consumer Affairs and Business Regulation established new identity-theft regulations, 201 CMR 17.00: Standards for The Protection of Personal Information, which requires all companies that license, own or store ‘personal information’ on any resident of the Commonwealth to protect that information according to exact processes and meet specific standards.  Accompanied by Massachusetts law M.G.L. c 93H, 201 CMR 17.00’s requirements include up-to-date anti-virus software, firewalls, encryption and a Written Information Security Plan (WISP) along with other documentation.  These compliance standards must be met by businesses by March 1, 2010.

Below is a copy of the FAQ provided by the Office of Consumers Affairs:

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009? There are some important differences in the two versions. First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information. Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only. Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.  Fourth, the third-party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply? The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities? No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing? Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

What about the computer security requirements of 201 CMR 17.00? All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

Does the regulation require encryption of portable devices? Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

Do all portable devices have to be encrypted? No. Only those portable devices that contain personal information of customers or employees and only where technically feasible The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes? You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

What does “technically feasible” mean? “Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Must I encrypt my email if it contains personal information? If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

Are there any steps that I am required to take in selecting a third-party to store and maintain personal information that I own or license? You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third-party service provider provision in 201 CMR 17.00 is modeled after the third-party vendor provision in the FTC’s Safeguards Rule.

I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations? The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business’s size, scope of business, amount of resources and the need for security.  For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room.  You should permit access to only those who require it for official duties.  Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent.  If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00? If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question.

Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information? No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.

Do I have to do an inventory of all my paper and electronic records? No, you do not have to inventory your records.  However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.

How much employee training do I need to do? There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation.

What is a financial account? A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.

Does an insurance policy number qualify as a financial account number? An insurance policy number qualifies as a financial account number if it grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets.

I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00? If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well? Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

What is the extent of my “monitoring” obligation? The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Is everyone’s level of compliance going to be judged by the same standard? Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

I password protect data when storing it on my laptop and when transmitting it wirelessly. Is that enough to satisfy the encryption requirement?No. 201 CMR 17.00 makes clear that encryption must bring about a “transformation of data into a form in which meaning cannot be assigned” (emphasis added). This is to say that the data must be altered into an unreadable form. Password protection does not alter the condition of the data as required, and therefore would not satisfy the encryption standard.

I am required by law to contract with a specific third-party service provider, not necessarily of my choosing. Must I still perform due diligence in the selection and retention of that specific third-party service provider? Where state or federal law or regulation requires the use of a specific third-party service provider, then the obligation to select and retain would effectively be met.

What all this means is that, no matter what size business you have, you will need to alter the way you transact business.  A new view must be taken regarding data and how it is stored and moved.

Next time: How Does My Company Become Compliant

Sebastian DiFelice

Siguiendo con los comentarios acerca de las intervenciones en el evento de CIONet del pasado 1 de Octubre, una de las que más me gustó fue también una de las iniciales. De acuerdo al original formato definido por Mona y CIONet España, Federico Florez (CIO de Ferrovial) tuvo diez minutos para disertar acerca del rol del CIO.

Federico aprovechó al máximo sus diez minutos. La intervención comenzó con la enumeración de las áreas que estaba a punto de tratar: el rol del CIO, las complejidades que acarrea la función, las fortalezas u oportunidades que trae, y los requerimientos para ser un CIO exitoso.

El Rol del CIO. La posición del CIO está caracterizada por los siguientes elementos distintivos:

• Expuesto a cambios: el CIO es el responsable del área sobre la cual repercuten en mayor medida los cambios en el entorno de la organización y los negocios.
• Maneja grandes presupuestos: las áreas de sistemas y tecnologías suelen manejar los mayores presupuestos y representar los mayores gastos/inversiones para la organización (superados quizá sólo por la categoría de nóminas). Necesita hacer compras en nombre de la Compañía, y debe hacerlo bien, asegurando el valor a obtener por la adquisición sobre un período que puede llegar a extenderse sobre varios años.
• Gestiona tecnología: lo cual es un desafío en sí mismo, al tratarse de un tema tan complejo y cambiante.
• Gestiona recursos humanos: quizá mucho más complejo y desafiante que el punto anterior. Algunos de los perfiles que componen un departamento de Sistemas o Tecnologías de la Información pueden ser algo complicados.
• Es, o debe ser, un líder en innovación. El resto de la organización confía en el CIO para liderar la innovación, ya que se asume naturalmente que es parte de su rol.
• Está sometido a presiones de agentes externos, económicos y culturales.

Complejidades del Rol: además de la compleja naturaleza intrínseca de la función de un ejecutivo de nivel C, el rol viene con problemas adicionales:

• Altas exigencias en cuanto a nivel de comunicación. Debe transmitir mensajes claros al CEO y a los directores, sobre temas muy complejos.
• Debe ganar su credibilidad día a día, a través de la provisión de un servicio excelente en cuanto a la operación. Es importante también que haga un muy buen trabajo en cuanto a medir y comunicar este servicio de nivel excelente.
• Debe comunicar en forma apropiada el valor que genera la organización de TI, y el aporte que realiza al negocio. En cuanto a este punto en particular y hablando en general de la situación en las grandes compañías en España, Federico Florez opinó que “seguramente no sabemos medir y comunicar apropiadamente el valor del CIO para el Negocio de la Compañía”, y que probablemente “el sector TI no está apuntando al negocio”.

Fortalezas: en cuanto a los puntos fuertes, o ventajas que vienen con la función de CIO (alguna tenía que haber ), podemos enumerar:

• El CIO llega a obtener un conocimiento muy profundo de la empresa y sus procesos de negocio. Después del CEO, es probablemente el ejecutivo con el conocimiento más completo de la compañía.
• Si consigue establecer una determinada credibilidad y obtener la confianza de los ejecutivos, tiene muchísima capacidad para proponer, liderar e implementar grandes cambios en la organización.
• El CIO tiene la posibilidad de posicionarse como líder en la innovación. La innovación es percibida como un valor en sí mismo por las áreas de negocio.
• En un momento en que son requeridas muchas reducciones de costes, el área liderada por el CIO es una de las que tiene más posibilidades de mostrar grandes ahorros.

Requerimientos: para ser exitoso en su función, hay un conjunto de características que debe reunir un CIO:

• El CIO debe conseguir que el CEO entienda su rol, y la  importancia estratégica que las tecnologías de la información tienen para el negocio de la compañía.
• El CIO debe convertirse en un interlocutor válido para los ejecutivos de las áreas de negocio, debe tener su mano en el pulso de la organización y enterarse inmediatamente de las tendencias y los cambios. Para esto, es fundamental que consiga posicionarse en los primeros niveles de la organización (idealmente, reportando directamente al CEO).
• Debe poseer una gran capacidad de gestión de proyectos grandes, sobre mediano o largo plazo, usualmente requirentes de una inversión sostenida.
• En cuanto a habilidades personales, debe ser una persona con una gran capacidad de comunicación con altos niveles; debe poseer una sólida formación y mantenerse actualizado; debe ser un hábil gerente (en cuanto a capacidad de gestionar). Debe estar dispuesto a aprender permanentemente.

En resumen, se trata de un perfil altamente complejo, y de una función apasionante con grandes e interesantes oportunidades. El CIO tiene asegurado una provisión permanente de retos profesionales, y a cambio debe estar dispuesto a abrazar el cambio antes  que nadie, así como también a ofrecer grandes dosis de esfuerzo y sacrificio.

La capacidad de síntesis de Federico Florez es increíble, verdad? Haber conseguido transmitir tantos conceptos claves, con tanta claridad, en sólo diez minutos, fue una excelente demostración “en vivo” de los desafíos, la flexibilidad y la capacidad de comunicación inherentes al rol de un CIO. Los asistentes,  muy agradecidos.

In previous articles I had covered some of the well known dangers of excessive resource multitasking, but here’s one you might not have considered – impacts to knowledge transfer and a long term increase in the risk profile for an organization’s skills supply.

The economic downturn has reduced the breadth of skills available in most organizations and we find that the once limited “single point of failure” skill set is now the rule as opposed to the exception.

There are many ways to avoid creating such single points of failure including regular job rotation, knowledge transfer at regular points in a project’s lifetime, job shadowing and even pairs programming.

However, a basic requirement for all of these practices is the recognition that growing an organization’s skill sets requires investment of resources and the need to let the ground lie fallow (or to at least to perform crop rotation if I may be permitted to stretch my analogy to the breaking point).

With excessive multitasking, any available bandwidth that a skilled SME might have to harvest or transfer knowledge to others is consumed by wasteful context switching.  On top of that, management immaturity ensures that the SME is over-committed to project work such that they have no ability to share their knowledge at the end of a project.

The most common symptom of this disease is that your skilled SMEs will be running at 110% while junior resources are underutilized.  This symptom can cause burnout, quality issues, job dissatisfaction or attrition.  Hence, the very skills that are core to the successful running of your business are at the greatest risk – illogical, but unfortunately the reality at many companies!

If you haven’t yet at least picked up a copy and reviewed this upcoming legislation being handed down by the General Court of the Commonwealth of Massachusetts and you run a business  (large or small) that “owns, licenses, stores or maintains personal information about a resident of the Commonwealth”

WHAT ARE YOU WAITING FOR!!!???

This law will go into effect March 1st 2010 and applies to ALL “Persons” regardless of size or geographic location.

The regulation implements minimum standards that must be met by anyone or any business that falls into the category outlined above – even if your business is not located in the Commonwealth.  In addition (and this is the first time in history that I can think of, that the General Court has gone this far) the law specifies the type of technology that shall be used to meet the standards set forth there in.

Now, chances are, that if you are a larger business, you already have Policies and Procedures in place that meet or exceed the minimum standards being introduced in this bill (if not, contact me, this is a great opportunity for you to begin adopting a governance framework to bring you into compliance and help you align your IT goals with your business needs).   If however, you are a small business that  “outsources” it’s credit card and payroll, according to Sec 17.03 paragraph 3 subsection 6, you will need to take “all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00”.  This is the real kicker for small businesses.  The question that has not yet been answered, at least as far as I can see, is: what form of attestation and assurance will satisfy this portion of the law?  One would think that this would be done by the Service Provider and not need to be repeated hundreds or thousands of times by the small businesses that Provider services.

There is a way to logically and effectively approach this newest burden being placed on US businesses and that is by following the checklist provided by the great Commonwealth of Massachusetts (a copy of which is attached below).

Commonwealth of Massachusetts 201 CMR 17.00 COMPLIANCE CHECKLIST

Also, a gap analysis can be performed once this checklist is completed to see exactly where your business falls short in terms of compliance to these new regulations.

In short, it is not too late to begin working on a solution to insure compliance with this new law once it comes into effect.  It is NOT however, something that should be put off any longer…

Visit http://www.rgwllc.com for services available to help you maneuver through this legislation and build a strong and supportable security model going forward.

In this post I am going to make a pitch for adopting COBIT as an IT Governance framework.  I do this because I honestly believe that it is perhaps the most flexible and adaptive frameworks available today.  Many people do not like COBIT (Control Objectives for Information and related Technologies) because they view it as vague and unstructured.  It is for these reasons that I feel it is the best thing going out there right now; simply because with COBIT it’s more of a ‘what’ as opposed to a ‘how’.  When you are ready for the ‘how’ use ITIL (COBIT maps very well to ITIL by the way) or ISO20000 or employ NIST recommendations.  Below is a summary overview of COBIT along with some of my own remarks and observations.

Introduced in 1996, COBIT has been updated several times over the years with the latest release being 4.1.  It provides business, IT and audit with a generally accepted and applicable IT Governance framework to work from.

COBIT is a comprehensive set of resources that contain all the information organizations need to adopt an IT governance and control framework.  COBIT provides best practices across 4 domains and the control objectives associated with each of the domains.  It does this in a manageable and logical structure to help ensure that IT is successful in delivering against business requirements.

Contributions to the needs of the enterprise by COBIT:

• Creating measurable links between business requirements and IT goals
• Organizing IT activities into a generally accepted process model
• Identify the major IT resources to be leveraged
• Defines the management control objectives to be considered
• Provides  management tools:
  • Goals and metrics to enable IT performance to be measured
  • Maturity Models to enable process capability to be benchmarked
  • Responsible, Accountable, Consulted and Informed (RACI) charts to clarify roles and responsibilities

Since COBI T is positioned at a high level it is focused on what is required to achieve adequate management and control of IT.  COBIT integrates and works harmoniously with other, more detailed, IT standards and best practices acting as an integrator of these various guidance materials.  Use COBIT as an umbrella framework that links to governance and business requirements.

As COSO (Committee of Sponsoring Organizations of the Treadway Commission) is considered the generally accepted internal control framework for enterprise, COBIT is considered the generally accepted internal control framework for IT.

Of primary interest to both business and technology are the management guidelines.  These guidelines provide answers to questions posed by management:

How far should we go in controlling IT

• Does the cost justify the benefits
• What are the indicators of good performance
• What are the key management practices that need to be applied
• What are others doing
• How do we measure and compare

When I look at the world around me I am often amazed at some of our expectations.  Instant gratification, channel hopping, click and go – all habits which have engrained themselves in our persona’s.  We often struggle to wait.

Don’t get me wrong – I am guilty of this as much as most people, and in many ways, I am grateful for the opportunities and adventure which this cultural shift presents.  However, everything in its time and place.  Some things are just not meant to be nor are they capable of being instantaneous.

Often times management has very valid concerns such as:

We have numerous projects running off the rails.

Service is not what we want it to be.

People are not getting the things done which need to be done…

While immediate action may change the direction and impact results, such actions very rarely result in lasting change.  To create lasting change we must shift the underlying cultures, processes and resources in the right direction.  Figuring out the right direction takes time, acquiring the right resources and shifting the culture and/or process also takes time.

Overall, we need to act now, think of the future and work towards making both successful – otherwise, as they say – history is doomed to repeat itself.

Most companies I have worked with and for believe they have a solid grasp of where they exist on the IT Governance Maturity Model (as defined by the COBIT Framework).  Unfortunately where they think they are and where they really are is usually two different things.  Many times the two are at opposite ends of the spectrum.  That is why I always urge management to perform a gap analysis on Control Objectives that have been defined as needing improvement.  This is accomplished by first defining Scope, Risk and Resources along with a clear set of deliverables.  A ‘C’ level champion needs to be brought on board to give legitimacy to a project of this berth; only then can a company perform an honest assessment of its actual performance as it relates to the scope of the project.  This is accomplished by defining targets for improvement and performing a gap analysis to identify areas for improvements.  These steps naturally lead to the definition of a project (or projects) for which an improvement plan is developed; the developed plan is then executed by implementation of the improvements.  The implementation is then monitored for performance and finally reviewed to determine the programs effectiveness.  This is where the Maturity Model comes in as a measure of the sustainability of the newly implemented control objectives.  The cycle then repeats itself by identifying new governance requirements.

What I have described above is the Road Map to IT Governance.  What must be kept in mind when using this Road Map is that some solutions will be low hanging fruit, quick wins, while others will be more challenging and long-term tasks or projects.  I always recommend that priority be given to the ‘low hanging fruit’, those most likely to give the greatest results.  While the long-term tasks should be broken down into manageable pieces otherwise you risk the chance of the projected becoming overwhelming and unmanageable.

Attached is the Maturity Model found as part of Control Objective ME4 (Measure and Evaluate) – Provide IT Governance.

COBIT Maturity Model

If you are interested in finding out more about COBIT and IT Goverenance in general please visit:

IT Governance Institute

Information Systems Audit and Control Association (ISACA)

Please feel free to leave me your comments and or questions.  I will do my best to respond quickly with the information you requested.

If you are a company that does business with persons who reside in the Commonwealth of Massachusetts or if you have employees who live in the Commonwealth, come March 1st 2010, you will need to comply with this sweeping new privacy law.

Some key requirements include:

The Massachusetts law is the first in the nation to require specific technology for the protection of ‘data at rest’ as well as ‘data in transit’.

Personal information is defined as a Massachusetts resident’s name in combination with one of the following – with or without a security code, access code, PIN, or password that would permit access to a resident’s financial account:

* Social Security number
* Driver’s license number or state-issued identification card number
* Financial account number or credit/debit card number

The new legislation will affect all organizations who own or license personal information of Massachusetts residents — regardless of the size or location of the business.

(Here’s the real meat and potatoes of this bill…)

Organizations must require and oversee that third-party service providers with access to personal information also comply with the new law.

Organizations affected include:

* Businesses that track customers by account numbers (such as healthcare institutions and related vendors)
* Retailers that accept credit cards for purchases by Massachusetts customers
* Financial institutions (such as banks, insurers, or brokerages) with customers residing in Massachusetts
* Companies with branch offices located in Massachusetts

What should you do next:

Please visit the Mass.gov website to find out more about how this will affect YOUR business

http://www.mass.gov/?pageID=ocapressrelease&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca&b=pressrelease&f=20090817_idtheftregs&csid=Eoca

Here is the link to the complete text of 201 CMR 17:

http://www.mass.gov/Eoca/docs/idtheft/201CMR17_rlam.pdf

This is perhaps the most far reaching pieces of legislation to come out of a State or Commonwealth.  Think about it, an company, anywhere, that does business with a person from Massachusetts MUST comply with this new law!

We will try to keep you up to date regarding this very important law.

With the dramatic refocusing on internal controls over the past several years, a resurgence in internal policies and procedures has occurred.   When considering you policies, whether you are building them or updating them, organizations must consider the basic overall role of a policy.  Policy is a core governance element.

There are numerous guides, downloads and tools which may help you in crafting your policies, but at the heart of it all you should ensure that your policy articulates the organizational persepctive as to:

(1) Accountability: who is accountable for the policy and policy area,

(2) Expectations: what employees are expected to know and how they are to behave in relation to this policy,

(3) Exceptions: who approves exceptions and how they are handled

(4) Consequences: what the consequences or results on failure (intentional and accidental) are.

Often, the exceptions and consequences sections are not included or are unclear in current policies, yet all four elements are imperative.

A policy or process without a designated accountable person is not worth doing.  If no one is accountable to ensure it gets done it is either not likley to get done or is not worth doing.   While, if you and your employees don’t understand or know what is expected, then it becomes extremely difficult to actually deliver on or meet those expectations.

Without the possibility and  guidance for exceptions you are potentially bound to unrealistic and unreasonable expectations that do not reflect your business reality or impair you agility. Finaly, without consequences, no one (management and employees) has any “skin in the game”.  If management is not willing to act on willful or negligent violations of a policy then employees know that it is not all that important.  However, there needs to be different levels of impact and severity for the the nature of the issue at at hand (i.e.  triaining, % of bonus lost, dismissal, etc…)

In the end, a policy with all of these elements becomes a key management control, which lends weight to operational practices and controls. In medium to large business these are the contextual background against which and under whose authority all the detail and operational controls exist.  For SME’s this can often play the role of the key control and reduce or eliminate some of the more detailed operational controls which may cost more then they are worth.

So the next time you are considering your policies or writing new ones, consider all four elements and if they are not present ask – do I need this policy?  If not, then eliminate the overhead, if so then make sure your policy includes all four key elements.

Visiones Ampliadas

El mes pasado, Infonomics ha generado un gran debate y seguimiento. Es grandioso saber que los lectores están tomando un gran interés en el debate, especialmente considerando que el grupo de trabajo internacional formado por la comisión técnica conjunta de la norma ISO y EC ha completado su primera reunión y se pone en marcha.
Hay muchas maneras de ampliar la discusión y el debate, y me alegro de publicar las opiniones de otros comentaristas bien informados e innovadores.
Mi colega y amigo con base en Londres Chris Ogden es un consultor con amplia experiencia y entrenador de ejecutivos, que ha desarrollado de manera independiente sus puntos de vista sobre la evolución del uso de TI en los negocios. En “IT Governance –Redesigning the Board’s Role”, Chris propone que la aparición de Internet ha sido la oleada que impulsa la necesidad de un grado mucho mayor de supervisión y control del uso de TI por el directorio de las organizaciones.

Gracias a la ubicuidad de Internet que describe Chris, yo fui capaz de transmitir el mes pasado Infonomics desde Bad Homburg en Alemania, donde pasé dos días explicando la norma ISO / IEC 38500 para 24 delegados de Alemania y otras partes de Europa. Mi anfitrión de este evento fue la Dra. Gisela Boendgen, de Serview GmbH. Gisela y sus colegas hicieron un trabajo excelente en la organización de las dos sesiones de la clase magistral de día completo, y fue un gran placer entregar el contenido en su centro de educación presencial, con pub irlandés! Para resaltar
del curso fue la lección de Segway, donde los participantes abordaron las dos máquinas de transporte personal Segway para jugar en la hora del almuerzo en la explanada del edificio. Como nunca antes había intentado, me sorprendió lo fácil que es aprender a manejar el Segway y ahora pregunto por qué es que no se han vuelto tan comunes como fueron las bicicletas una vez. ¿Podría
ser algo acerca de los factores en la adopción de tecnologías que hemos estado discutiendo en estas páginas?

Hay novedades importantes en los programas de educación de Infonomics, y estos serán anunciados en el futuro próximo. Pero ahora mi prioridad es concluir y publicar el libro que yo conozco muchos están esperando pacientemente. Esta cerca, los detalles y disponibilidad será en el Infonomics de julio.

Saludos, Mark Toomey
30 de junio 2009.

IT Governance – Redigning the Board’s Role

De administración de IT al gobierno sistémico

Introducción

En los últimos 30 años, el uso de la Información y las Comunicaciones (TIC) ha experimentado un cambio radical en la forma en que se utiliza en las organizaciones – públicas y privadas – de cualquier tamaño significativo. En términos aproximados, en el período B.I. (“Antes de la Internet”), el uso de las TI se limita a los sistemas contables y de lo que entonces era conocido como el “procesamiento de datos”- la automatización de las actividades de rutina, tales como el procesamiento de la nómina o la captura y presentación de piezas y materiales. Sin embargo, desde la aparición de la Internet en la década de 1990, los sistemas de gestión de la información han sido objeto de un uso en todas las áreas de una empresa, desde la logística a la comercialización, de las finanzas a la I + D, desde la fabricación hasta la gestión de clientes y, en última instancia, a la re -invención del modelo de negocio completo.

Este cambio a la era A.I. (“Después de Internet”) se ha producido gradualmente, pero se ha generalizado. Aunque no ha pasado inadvertido para los profesionales de TI, o por las empresas y los medios de comunicación, a su impacto real y el significado no se le han dado la atención que necesita. Las TIC ahora absorben importantes inversiones en capital y recursos humanos. Lamentablemente, la capacidad de muchas de las organizaciones – o tal vez la mayoría – para proporcionar una supervisión adecuada de dirección a estas inversiones en el más alto nivel deja mucho que desear.

Las razones de esto es son sutiles y profundas.

Una breve mirada a cómo trabajan las empresas

Vale la pena repasar brevemente cómo trabajaban las empresas en la era B.I. y cómo el explosivo despliegue de las TIC en el período I.A. ha afectado a esta figura. Lo que sigue puede ser visto como una obviedad, pero vale la pena volver a examinar.

La actividad de la empresa – B.I.

El lado de “hacer” de las operaciones de una empresa – fue en gran medida manejada por la gente. Ventas, producción y fabricación, servicio y gestión de proveedores fueron funciones de grandes equipos de personas que trabajan con sistemas manuales o semi-manuales de – Papel, lápiz, la máquina de escribir y teléfono.

La forma en que el trabajo se realizó en realidad, ha evolucionado lentamente durante décadas anteriores. La producción en masa se había traducido en entornos de producción donde el trabajo era detallado y rutinario, con poca o ninguna oportunidad para la participación de los trabajadores en el diseño de cómo se realizó el trabajo.
La introducción de las TIC permitido que muchos de estos procesos manuales pasen a ser automáticos. Los ejemplos incluyen el procesamiento de nóminas, planificación de la producción, la banca y de mantenimiento de la cuentas.

La transición de B.I. a A.I.

Como las TIC entraron en un uso más extendido durante la 1970 “s y 1980″ s, las organizaciones se dieron cuenta que la tecnología podría abarcar aspectos más amplios de sus operaciones. Pero para aprovechar esta tecnología de manera efectiva, las empresas también descubrieron que la forma en que sus agentes trabajaban, tenía que cambiar. Los procesos de producción, suministro y entrega son cada vez más estudiados y más eficaces.

Las TIC fueron introducidas en muchas áreas nuevas de operación del negocio. Sin embargo, como los sistemas de trabajo de las TIC lo hacen de manera específica y no son fáciles de cambiar, las personas que las utilizaron estaban obligados a trabajar en los nuevos y claramente definidas formas sistemáticas. Y la gente exigió la participación en el diseño de la obra. Este desarrollo doble – el uso de las TIC y el rediseño de trabajo para hacer el mejor uso de la tecnología – significa que amplios sectores de las operaciones empresariales se integraron cada vez más con los sistemas TIC que ahora se necesitan para ejecutar la empresa.

Este “rediseño del trabajo” no es tan simple como parece. Se centró en tres áreas clave:

• Personas – su comportamiento, su actitud hacia su trabajo, lo bien que estaban motivados, en definitiva cómo las empresas sacado el máximo partido de su recurso más importante.
• Procesos – la forma de trabajo se hizo para el mejor efecto, la secuencia de pasos, lo que se necesita como entrada a cada paso, lo que se produce, y cómo se miden estos procesos.
• Estructura – la forma en que se organiza el trabajo para el mejor efecto, en esencia, la propia organización – que procesos deben ser realizados por los grupos de personas, cómo se gestionan (o cómo deben gestionar ellos mismos) y cómo los elementos de la estructura (la organización) debe interactuar para ser más eficaces.

Ya al final de esta etapa de transición (que se produjo a finales de los ‘70 hasta principios de los ‘90 (alrededor de 15 – 20 años), las compañías estaban encontrando que los tres aspectos anteriores (P, P y E) la forma de realizar “Hacer” el trabajo está cada vez más vinculado a las TIC. El uso de diversos sistemas TIC ahora era sólo “parte del trabajo”.

La era A.I.

Internet y otros avances aceleraron radicalmente esta transición (que ya estaba muy avanzada) en la forma que las TIC afectan el trabajo de las personas. Sin embargo, es fácil pero engañoso considerar a Internet como solo algo “más de las TIC”. Internet representa un punto de transición importante en la forma  como se realiza el trabajo. Este documento no es un momento adecuado para explicar estos hechos en detalle, pero vale la pena resumir tres que son más importantes. Ellos son:

• Trabajo en colaboración – la capacidad de los equipos a trabajar juntos sobre los problemas y su solución, en todo el mundo y en diferentes momentos. Estos equipos pueden combinar trabajadores de múltiples organizaciones.
• Compromiso con el cliente – la capacidad de interactuar, aprender de los clientes en tiempo real, y para traducir este conocimiento en productos y servicios nuevos o modificados, una vez más a menudo en tiempo real.
• Externalización – no sólo la externalización de gran parte de la operación de una sola empresa (tales como el activo de las TIC en sí mismo) a un tercero, pero el paso de un sinnúmero de funciones de la pequeña empresa a terceros, a menudo en lugares remotos lugares. Estas funciones incluyen cada vez más aspectos como el diseño, la investigación y la formación – funciones inicialmente no consideras como candidatas para la externalización.

El efecto acumulativo de estos y otros acontecimientos ha creado la “empresa extendida”, donde el límite entre una empresa y sus conexiones hacia arriba y hacia abajo se vuelve borroso. Estos avances están cambiando la cara de los negocios. En la era B.I. ellos habrían sido imposible.

El efecto es que en nuestra era de A.I., el aspecto masivo de las TIC conecta las organizaciones a otras empresas, otras geografías, otros países. Y estas conexiones ya no son las que se puede apagar si nos da la gana. Su funcionamiento eficaz puede ser la piedra angular de nuestro éxito, pero igualmente pueden ser el origen de la caída de una empresa.

¿Cómo ha afectado a las organizaciones el fracaso del gobierno?

Una ocurrencia común, aprovechada por los medios de comunicación, es el fracaso de otra “computadora”. Cuando se busca el culpable y se identifica perfectamente, la computadora y sus defensores humanos son una vez más hechos desfilar con todo desprecio.

Veamos algunos ejemplos recientes:

• Terminal 5 de Heathrow
  Las circunstancias de la desastrosa puesta en marcha de la nueva Terminal 5 de Heathrow en el verano de 2008 han sido bien publicitadas. Un nuevo sistema informático de manejo de equipaje de era considerado como el culpable. Sin embargo, las cuestiones relativas a este – como la
  formación del personal para utilizar el nuevo sistema – sin duda, ha sustentado el fracaso. La falta de entendimiento formal de la forma en que la “P, P & E”, además que las TIC deben ser gestionados fue claramente reconocido por la alta dirección de BAA, BA y otros.
• El Sistema de Registro NHS
  Los fracasos en esta inversión pública masiva, con razón, objeto de mucho escrutinio público mucho. Los sistemas de las TIC (anteriormente conocido como el Programa Nacional de TI – NPfIT) se dice que están varios años atrás y masivamente sobre los primeros 6 mil millones de Libras de presupuesto.
  Los proveedores de TIC han recibido mucho oprobio. Sin embargo, en los últimos 18 meses se ha informado de que el NHS, con retraso, reconocido sus propios errores en ser los destinatarios ineficaces de un sistema tan complejo. La responsabilidad para hacer los cambios (P, P & E de nuevo) en el funcionamiento del hospital ha sido devuelta a los jefes ejecutivos. Desafortunadamente, es poco probable que le hayan dado las herramientas y la educación para ayudarlos en su tarea.
• Un Ejemplo Australiano – La Aduana
  Como parte de un importante programa de re-ingenieria de los controles fronterizos de exportación e importación de todos los bienes a través de puertos de Australia, el Servicio de Aduanas desarrollado completamente la nueva tecnología, para sustituir a los complejos sistemas que habían evolucionado a lo largo de más de 25 años. El nuevo sistema exigió que todos los importadores, agentes y compañías de transporte desarrollen nuevas prácticas de trabajo y tecnología complementaria. Pero cuando la Aduana insistió en salir con sus propios sistemas, la industria no estaba lista y los puertos se cerraron efectivamente durante tres semanas, hasta que los viejos sistemas fueron llevados a la acción. Dos investigaciones, incluyendo una por la Oficina Nacional de Auditoría observó deficiencias extensas e innecesarias en la dirección y el control de todo el proyecto, incluyendo una completa falta de objetivos claramente definidos.

La conclusión es clara: a menos que las organizaciones se vuelven mucho mejor en tratar con eficacia a las TIC, y en la organización y el control de los cambios en el negocio correspondientes, estos fracasos va a continuar y, se desperdiciará mucho dinero – Públicos y privados.

Consecuencias

El fracaso colectivo de la mayoría de las organizaciones en comprender cómo hacer frente a esta transición de la era B.I. a A.I. en los niveles más altos, está en la raíz de muchos de nuestros repetidos fracasos en la gestión de las TIC. La razón es simple pero la solución es menos clara.

Este debate ha demostrado que la “P, P & E” están íntimamente relacionados con las TIC, al cambiar una, los otros se ven afectados. Cada vez más, el desafío, la complejidad y el costo de cambiar uno o más de estos elementos supera con creces el de cambiar las TIC.

La razón de la falta continua de gestión de las TIC de manera eficaz es que; no se trata de la gestión de las TIC: es sobre la gestión de la operación integrada de personas, procesos, estructura y las TIC. Estos cuatro componentes constituyen un sistema. Ellos no pueden ser gestionados o regulados como entidades individuales.

¿Qué se puede hacer?

En resumen:

La supervisión del Senior Management necesita cambiar desde Gestión de TIC hacia Gobierno Sistémico

Gobierno Sistémico – Implicaciones y Recomendaciones

Este trabajo ha examinado las razones que la supervisión eficaz de la función de las TIC en muchas grandes empresas y agencias del gobierno ha sido ineficaz y las graves consecuencias financieras, tanto financieros como en términos de reputación que puede resultar de esto.

La principal conclusión que se ha establecido es que las organizaciones tienen que dejar de pensar en las TIC como una entidad separada y en su lugar avanzar hacia el gobierno sistémico. El gobierno sistémico reconoce la profunda y positiva incursión que las TIC han hecho en las organizaciones y reconoce que ahora sólo puede ser gestionada si se considera a las TIC como un componente del sistema que es “el negocio operativo”.

Esta transición representa un cambio importante en el pensamiento empresarial. Hay varias consecuencias inmediatas:

1. La supervisión del nivel de Directorio debe ver a la empresa como un sistema. Los directorios deben reconocer que no pueden supervisar efectivamente la implantación de las TIC como un elemento separado y distinto.

2. Tiene que haber una responsabilidad a nivel del Directorio por el Gobierno del Sistema. Pueden optar por establecer un comité para realizar esta tarea.

3. Una de las funciones superiores – como un director de sistemas de gobierno – ha de tener la responsabilidad por el diseño efectivo, despliegue y operación de las personas, procesos, estructura y la TIC para el negocio como un todo. Esto puede ser una línea de reporte directa al CEO, trabajando con la autoridad delegada del Directorio.

El papel de la función de las TIC

La función de las TIC en la empresa opera fundamentalmente como un proveedor de servicios para la empresa. En muchos casos esta función, sub-contrata parte de este
el suministro a terceros. Durante los últimos veinte o más años ha habido avances significativos en el establecimiento de normas para la gestión técnica de este suministro. Estas normas, tales como COBIT, ITIL y otros han adquirido una aceptación internacional. Este progreso en la gestión de la oferta de las TIC a los negocios de manera profesional, es bienvenido.

Hacia un nuevo marco de gobierno sistémico

A pesar que las TIC han hecho progresos en lograr que su propia casa este en orden, ha habido pocos progresos para que la empresa (los usuarios de las TIC) desarrollen un enfoque de la gobernanza de las TIC como un recurso de negocios. Esta situación sin embargo, recientemente se ha cambiado. La Organización Internacional de Normalización (ISO) ha publicado un nuevo estándar de gobierno corporativo de las TIC. Fundamentalmente, esta norma reconoce
por primera vez que el gobierno de las TIC debe ser propiedad de los que tienen la responsabilidad de la entrega de un sistema comercial eficaz. En esencia, este estándar (denominado ISO 38500), establece un “sistema de orientación” para el Directorio para llevar a cabo el papel del gobierno sistémico aludido anteriormente.

Acerca de Chris Ogden y Business Next

BusinessNext Ltd, con sede en el Reino Unido, ha estado trabajando con los consejos y la administración superior sobre cuestiones estratégicas para los últimos 8 años. Chris Ogden, director gerente de BusinessNext ha tenido una importante experiencia en Sistemas de Información.

Trabajando estrechamente con Infonomics, Chris y Business Next tienen la capacidad necesaria para llevar juntas y ejecutivos nuevas formas de trabajar, con consultoría a medida y programas de formación especialmente desarrollados específicamente para satisfacer las necesidades de las organizaciones para avanzar hacia el gobierno sistémico.

Preguntas son bienvenidos y deben ser dirigidas a chris@business-next.com.

“Translated, with permission, from the original at  http://www.infonomics.com.au written by Mark Toomey, Author of book “Waltzing With The Elephant”.

“Traducido, con permiso, desde el original en http://www.infonomics.com.au escrito por Mark Toomey, autor de “Waltzing With The Elephant”.

When considering ERP solutions, the key drivers are to spend sufficient time understanding the needs.  In fact, the very first question would be to assess if the business strategies are well established, and equally important, to assess whether the business processes and assumptions that drive the perceived need for a new ERP system are valid.  It is well known that a technology solution cannot fix an ailing business process, in fact, it will only make it worse.  This is important to SMBs considering an upgrade to their ERP system – if the issue is the business process, fix the process before embarking upon a upgrade.  Before embarking on the ERP system upgrade, it is imperative to assess the risks.  Risks are both intrinsic (internal operations, sales, marketing, finance, HR) and extrinsic (how they impact your customers and supply chain).  For SMBs also desiring to upgrade their ERP system, they must assess the existing software and really scrutinize whether the upgrade is going to bring the benefits that are desired. For example, one question to ask is whether a few customizations or enhancements or bolt-ins to the current software satisfy a majority of the requirements.

Assuming that there is a need for an ERP system or an upgrade exists, SMBs need to assess the true life cycle costs, benefits and risks of the upgrade.  It should be pointed out that the life cycle technology costs are but a fraction of the overall costs – the cost of implementing the change across the organization can be daunting.  A healthy bout of skepticism on the true benefits should be entertained.  More than 50% of ERP implementations according to researchers have failed to yield the promised benefits. 

Once the needs and benefits are established, from an IT Governance point of view, the mandate for an ERP system must come from the top and have complete support and cooperation of all key stake-holders.  ERP is not an IT driven, but a business driven project.  Selecting the appropriate vendor is a complex task.  It is best to bring an un-biased consultant to assess the product features against the needs to establish the degree of fit.  Simply attending vendor presentations is not adequate, as vendors attempt to change your business needs to meet their tool features.  

Implementation of ERP, is significantly more complex.  Most recommend an incremental approach as opposed to the big-bang to mitigate risk. Again, the critical aspect is having the business units manage the deployment, with IT just playing the role of a facilitator.

Making sure that the IT processes within your organization meet you business needs is a dynamic art form.

When you are looking to create or adapt your existing processes you should really consider several key ingredients:

• your business reality/needs
• any legislative or contractual requirements
• the strategic role of information technology for your business (now and in the future)
• the size, scale and industry of your organization
• IT process frameworks
• IT control frameworks

Using the relevant components from these inputs you can take your unique requirements and leverage the publiclly available knowledge base of process and control practices and tailor them up or down, or even morph them into a solution that meets your needs in your culture.

Too often these processes are put in place without much thought – because that’s the  way we do things, that’s the minimum we need, because so-and-so said so, etc..

When you understand that business requirements and expectations you are able to scale and create processes that deliver on the basic requirements for your business in the strategic context they need to.  The trick is to not to get too caught up in the actual development process or the frameworks but in wisely using the available resources at your disposal to deliver on your needs.

At the same time it is no surprise the the realm of IT has and continues to rapidly change.  Your risks, requirements and expecations are also changing.  If you know who you are, where you area coming from and what is changing you are better able to enable agility not only in technology enablement but also in ensuring that IT is delivering value and enabling you business requirements.