Payment Card Security & IT Controls Explained

Entries from June 2008

Better Performance with IT Governance – when done properly

June 30, 2008 · Leave a Comment

Two reports crossed my desk recently and I wanted to highlight a few action items based on their findings.  The first, from Deloitte and centered on financial institutions, is entitled “Growing Confidence (The smart way to manage governance, risk, and compliance)”.  The second is by the IT Policy Compliance Group and covers more than 2,600 organizations.
Deloitte's position is that GRC is one part of a broader organizational need and therefore must be fully integrated into the organization's culture.  Specifically, GRC goes beyond simple pizza-box solutions and revolves instead around people and behaviors.  In addition, the report strongly supports the idea that by applying risk management techniques organizations can take “risk intelligent” actions in the marketplace that otherwise would not be possible – or could be attempted, but would fail.  The Deloitte “book” is very easy to read and nicely broken down.  It is definitely worth the time of anyone concerned with raising their business above simple technology problems toward technology innovation.  GRC and governance of technology services must strive to move beyond simple change tickets to enhancing business value for customers.
The 2008 report “IT Governance, Risk and Compliance – Improving Business Results and Mitigating Financial Risk” provides a nice breakdown of practices and a basic maturity grid based on its findings.  The report also builds upon prior years' results, so comparing your organization against the same benchmarks across time periods is possible.

Action Items to Improve TODAY:

  • What gets measured gets improved – establish ANY form of measure (scorecard, six sigma, 360, etc.) and publish a fixed set of metrics to the entire business.  This ensures that progress occurs and that feedback allows the metrics that matter to be adjusted
  • Sponsorship must include all lines-of-business leaders and senior management – the net effect of these improvements will lower cost, allow for more agile deployments into new markets, and provide revenue generation opportunities (this is not the responsibility or focus of technologists)
  • Establish a clear feedback process where metrics (as stated above) and services are reset regularly to meet the demands of the business (revolutions in production, from factories to services, are constant, and only those that evolve with the trend remain relevant)
  • In 2000 companies had their stock ticker symbol streaming across the walls… today those displays are gone because a ticker is not a true reflection of the efforts and improvements of an organization – do not fall into that trap: publish metrics that are relevant to those concerned (customize them based on the audience)
  • Embrace automation and customization to match the culture of the organization and achieve a level of confidence as the business transforms beyond its defined borders and walls

Enjoy the Deloitte Book here, and find other similar publications here.
Enjoy the IT Policy and Compliance Group report here, registration necessary.

Best,

James DeLuccia IV

Categories: Compliance

Security Metrics in a Recession – A Better Mindset

June 25, 2008 · Leave a Comment

Business ebbs and flows in most industries, and unless you are demonstrating true value it is hard to respond positively when management must make hard decisions.  If technology services are not demonstrating value – i.e., they are not aligned with what the business needs, or there is waste throughout the system – perhaps a healthy dose of self-evaluation is in order.  To that point I want to elaborate on an INC. magazine article I contributed to, “Instituting Security Metrics” by Lora Shinn.

There are two lines of thought I want to explore: the first is how Security Metrics *can* enhance the value of the technology environment, and the second is how they can save the business.

Enhance Value:
Security Metrics are any measure of the organization’s efforts to safeguard the assets of the corporation.  These may be sensitive information databases, actual hardware devices, the staff, or any number of categories depending on your business.  It is important to recognize that these are “a part of” a greater measurement effort within your business.  It is 100% certain that your business is currently calculating ROI, ROA, ROE, and hundreds of other metrics relating to finance, employee turnover, customer satisfaction, competitive industry scorecards, and even compensation baselines.  These existing performance, governance, and business metrics can provide the technology group with a sufficient methodology and format when preparing similar security metrics.

In order to enhance value to an organization, technologists must be able to:

  1. Justify the technology deployed
  2. Identify important assets within the architecture
  3. Measure what the business requires of these assets.

Only at this point can action be taken.  The “action” referred to here may include decommissioning unnecessary hardware, eliminating specific redundant architectures, insourcing or outsourcing specific functions, or transforming the operations to a fully distributed platform.

The end result is a technology services group that achieves optimal balance between mission and cost thereby providing meaningful impacts to both the top and bottom line of the financial statements.

Saving the Business:
Loss of sensitive data, downtime due to forensic investigations or malware, government and industry partner fines, loss of customers, and loss of confidence among business partners are the consequences of security failures.  Security metrics must capture the inputs to each of these risks for the business so that each can be mitigated as necessary.  In future postings and in a recent research briefing I will elaborate on these important points.

Check out the article here, and please post your comments on how you feel security metrics should be positioned, and which are your favorites.

Best,

James DeLuccia

Categories: IT Controls · ROI · Security

HIPAA: An update on guidelines and enforcement

June 23, 2008 · Leave a Comment

Many people are about as familiar with HIPAA as they are with PCI DSS, but for very different reasons: they know HIPAA from the privacy statement they sign when they visit the doctor's office, and they know PCI DSS from credit card breaches.  The underlying reason is a fundamental difference in how each regime has enforced violations.

Punitive and public reprimands are minimal for HIPAA (1 public audit to date), while for PCI DSS they are generally carried on the major media channels (WSJ).  Recently I came across some published (and regularly updated) stats that indicate the number of resolutions (6,467 for 2006) and the number of organizations that had corrective actions (1,571 in 2006).  These numbers do not align with other public data (the Verizon data breach report, the Internet Crime Report, breaches of PII), but the variance may be because these figures include only cases where complaints were filed.

In addition, NIST updated SP 800-66 Rev1 “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”. The comment period just ended, so a final version should be forthcoming. The draft is described as follows:

“NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.”

The document is a great resource for any organization building a global governance and control framework, and it references other NIST documents that provide greater detail. In addition to this document, HIPAA stakeholders should check out the CMS documents.

Looking for others' thoughts and perspectives on HIPAA compliance… the good and the bad, and any useful references.

Best,

James DeLuccia

Categories: Compliance

ABA Banking Journal Article on Project Management

June 19, 2008 · Leave a Comment

I have been fortunate to work directly on product development of software, widgets, and service businesses, and the end result is an intense appreciation for project management techniques.  Projects have failed (lack of cultural appreciation, scope creep) and others have succeeded (senior executive support, cost reduction ~ grid computing metrics, short-term returns) for varying reasons, but all have provided valuable lessons to everyone involved.
The American Bankers Association Banking Journal exists to help managers and executives succeed in the competitive financial services market – now more important than ever, with financial market values dropping about 22% over the past 12 months.  Their most recent journal features an article I contributed on the complexity and opportunity that project management holds for technology groups that seek to provide true business value.  Check out the article, The Case for e-Project Management, here!

Projects can only succeed when the right information, people, and culture are in place… some good self evaluation questions that you need to consider include:

  • Is the technology environment capable of meeting the business objectives?
  • How are the costs of these projects and the existing technology resources allocated and linked to business revenue generation?
  • How are current projects measured?  (To that point – how are past projects measured?)
  • How have the project goals been communicated, and is the messaging understandable for each party involved?

Management and practitioners must consider the importance of technology environment projects – such as achieving PCI DSS compliance within 6 months or revamping your technology control environment to reflect the global threat of fraud – and establish a successful roadmap that appreciates the culture of each organization.

Other thoughts?  Favorite lessons?  Please share…

Best regards,

James DeLuccia

** Join me at the ACFE 19th Annual Conference in Boston, July 14th!!

Categories: Compliance

Prevent Fraud and Increase Revenue by 6%

June 9, 2008 · Leave a Comment

The cost of fraud to an organization is approximately 6% of the organization's revenues each year.  This is an astounding figure calculated by the Association of Certified Fraud Examiners using a global survey, and supported by several other international and independent authorities.  A great means of reducing known and unknown losses to an organization is the establishment of a preventive health-check system.
Clear accountability, responsibility, upper management support, and awareness of areas of high risk are fundamental to every organization.  In IT Compliance and Controls this is discussed in detail under Principle 1 – Tone at the Top and Principle 3 – Human Resources.  As a supplement to the book's In Practice guidance, the ACFE makes available an excellent Prevention Check List for business leaders.
The document is very simple and has immediate benefits.  It recommends careful guidelines for conducting such efforts that should be embraced.  The need for such checklists exists separately from PCI and similar regulations, as fraud is present around the world – consider SocGen (Reports 1-3 detail the fraud!) and WorldCom.

Check out the checklist here today, bring your general counsel on board, and determine how you can increase your revenues by 6% today.

Best,

James DeLuccia

A special thanks to the ACFE for making this freely available without registration.

Categories: IT Controls · fraud