The Most Serious Data Threat May be Sitting Next to You
Posted by Brad Egeland
An article that appeared recently in InformationWeek magazine examines what is sometimes the most serious threat an organization faces in terms of its own data security – the internal authorized user base. The following article from Ericka Chickowski explains that hackers may covet your data, but insiders are the most common source of database leaks.
How IT pros who manage database security rank database threats:
- An insider attack by someone with root access to the database or database server
- A logical attack on a Web-facing app connected to a database
- Database containing confidential data that IT is unaware of
- A misconfigured database
- A vulnerable database that hasn’t been patched
(Data: Enterprise Strategy Group survey of 179 IT pros)
In their quest to protect sensitive information from outside attackers, many organizations overlook the most imminent threat to their databases: authorized users.
“It sometimes amazes me how little concern companies have for their production data,” says James Koopmann, owner of database consulting firm Pine Horse. “They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data without any concern for how it might be retrieving, caching, or altering data.”
As discussed in the latest Dark Reading Database Security Tech Center Report, five common factors are most likely to lead to the compromise of databases: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.
Take the lack of security education. In our InformationWeek Analytics 2009 Strategic Security Survey, we asked respondents to rate the time spent on various security efforts. User training came in ninth out of 10 choices, a few points behind log file analysis. Yet in another study, CompTIA’s seventh annual Trends in Information Security report, published earlier this year, 85% of those organizations surveyed that do offer security training to non-IT staff saw a reduction in major breaches.
The goal of training must be to ensure that users who work with databases understand the sensitivity and/or financial value of the data they work with, and therefore are less apt to become casual in their security practices.
Poor password management is another common problem. Either IT departments allow database users to set easy-to-guess passwords, or they make passwords so complicated that workers end up writing them down and sticking them to the computer screen.
“We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders,” says George Jucan, CEO of Open Data Systems, a database consulting firm.
Account sharing also creates security issues. While some users take advantage of their co-workers’ credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator. All that log file analysis won’t help you now.
Unfettered access to data is another common problem. In many cases, employees are given access to more information than they need to do their jobs.
“Most of the databases today provide role-based access control to databases, and few companies actually take advantage,” Jucan says. “If somebody doesn’t even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer.”
Enterprises should also look into data-masking technology to limit the user’s exposure to highly sensitive and highly regulated data sets, such as Social Security numbers, without limiting the user’s ability to do his work.
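The two controls just described, role-based access and masking of a regulated column, can be combined in the database itself. The following is an added example, not code from the article or the consultants it quotes; it is written in PostgreSQL syntax, and the table, column and role names are assumed.

```sql
-- Added example: least-privilege role plus a masked view (PostgreSQL syntax).
-- Table, column and role names are assumed for illustration.

-- Base table holding the sensitive column.
CREATE TABLE customer (
    id        serial PRIMARY KEY,
    full_name text NOT NULL,
    ssn       char(11) NOT NULL,   -- constructed format: 'NNN-NN-NNNN'
    city      text
);

-- Masked view: staff see only the last four digits of the SSN,
-- which is enough for identity confirmation but not for misuse.
CREATE VIEW customer_masked AS
SELECT id,
       full_name,
       'XXX-XX-' || right(ssn, 4) AS ssn_masked,
       city
FROM customer;

-- A role for staff who need customer records but not the full identifier.
CREATE ROLE support_staff NOLOGIN;

-- Defensive: make sure no default grant on the base table exists,
-- then grant access only through the masked view.
REVOKE ALL ON customer FROM PUBLIC;
GRANT SELECT ON customer_masked TO support_staff;

-- Each person gets a personal login that inherits the role, instead of
-- sharing one account, so database logs attribute queries to a named user.
CREATE ROLE alice LOGIN IN ROLE support_staff;

-- Verification as alice: the view is readable, the base table is not.
SET ROLE alice;
SELECT id, full_name, ssn_masked FROM customer_masked;  -- permitted
SELECT ssn FROM customer;                               -- should be denied
RESET ROLE;
```

The view runs with its owner's privileges, so members of support_staff never need, and never receive, a grant on the underlying table.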
Finally, take a closer look at technologies and practices for protecting data as it becomes increasingly portable. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices. Experts say that tools such as database activity monitoring, data loss prevention, and encryption all can help protect portable data.
Taking the PRINCE2 exam?
Posted by Elizabeth
The PRINCE2 exam, whether you are taking it for the first time or doing the re-certification exam, is in ‘objective testing’ format, which is a type of complicated multiple choice paper. Whether you are taking the 2005 syllabus (which is being phased out as training companies update their manuals and courses) or the 2009 syllabus, these five study tips will help you revise for and pass the exam.
1. Answer the question!
It sounds simple – but read the question and make sure you are answering the right thing. If the question asks you to tick the three things that are most relevant, only choose three. Don’t tick four. If you can only work out two, take a guess at the third. The questions are not there to trick you! With the assertion questions, don’t make stupid mistakes by not selecting the right answer. There are a lot of answer options to choose from so make sure the letter you choose actually matches up with the answer you want to give. It’s very easy – in the pressure of the exam – to select the wrong box on the answer form by accident.
2. Know your way around the manual
You are allowed to take the PRINCE2 manual into the exam. It’s over 450 pages, so you can’t rely on the index when you need to get to something quickly. Put sticky tabs in the key sections, especially:
- Each process section
- The product descriptions (in Appendix A in the 2005 manual)
- Each technique section
- Each component section
This will help you flick to a section quickly. The manual is the only paperwork you’ll be allowed to take into the exam, but you can write in it. If you have your own notes or diagrams, put them in the back – there are blank pages, or use the inside covers. Use highlighters, or whatever works for you to make sure that when you flick through you can get to what you need quickly.
3. Do some past papers
It’s really important to understand the format of the exam before you sit it. Do any past papers that you can get your hands on. Work through the sample questions from your training provider. Search on the internet. Practise! It’s the kind of exam that you will get better at once you have cracked how to respond to the questions, like Sudoku.
Work through the sample Foundation questions even if you are only taking the Practitioner exam. It’s a good refresher for the basics and will help you feel more confident about taking Practitioner.
4. Learn the process model
Webopius recommends copying the process model into your manual, so you have a copy to hand. This is excellent advice – I did it the first time I took the exam and I’ll be doing it for recertification. You need to know the process model inside out, and the manual doesn’t have a complete picture. In addition, you can annotate your own drawing with inputs and outputs to the processes, what techniques are used, who is involved at the various handoffs and anything else. You can get the whole of PRINCE2 into one diagram (kind of) and the very fact of copying out the process model helps stick it in your mind.
5. Watch the time
Time goes quickly when you are trying to work through an exam paper. Don’t get caught short – you really do need to make sure that you have enough time to answer every question and give it the attention it deserves. If something is too hard, move on. Get as many of the easy points as you can before tackling the questions that you find harder. It really isn’t worth giving a stonking answer to one part only to find out that you have run out of time to answer the rest of the paper.
Equally, look out for the number of points each question is worth. It’s not sensible to spend a whole lot of time on a question worth only 3 marks, when some of the more complicated multi-part questions will help you rack up lots of marks.
Good luck!
Sensitive Data Often Exits with Employees
Posted by Brad Egeland
I’m not sure how this relates directly to Project Management. It really doesn’t, I guess, other than the fact that when employees exit many times they’re actively working on one of our projects and the same findings you read about below can affect your customers on the projects you manage in addition to the company you work for.
Dr. Larry Ponemon put together this document back in February on “Data Loss Risks During Downsizing”. I’m only including a portion of it here that outlines some of the key findings of a national study performed by the Ponemon Institute and sponsored by Symantec.
The bottom line is that 59% of employees who leave or are asked to leave are stealing company data. And 79% admit that their former employer did not permit them to leave with the company data. The lack of care some companies take in ensuring that they’re protected when employees leave still amazes me.
Please read on…I’ll provide a link to the full study at the end of this article…
Key Findings
Following are the most salient findings of this survey research. Please note that most of the results are displayed in bar chart format. The actual data utilized in each figure and referenced in the paper can be found in the percentage frequency tables attached as the Appendix to this paper.
Employees are stealing data and are more likely to do so when they don’t trust their employer. According to 63% of respondents, their previous job required them to access and use proprietary information such as customer data, contact lists, employee records, financial reports, confidential business documents, software tools or other intellectual properties. More than 59% report that they kept company data after leaving their employer. It is very interesting to note that employees who do not trust their former employer to act with integrity and fairness are more likely to take the data. Sixty-one percent of respondents who were negative about the company took data while only 26% of those with a favorable view took data.
Employees are stealing proprietary and confidential data that might affect their former company’s business competitiveness and could result in a data breach. Sixty-five percent of those respondents who admit they took data left with email lists followed by 45% who took non-financial business information and 39% took customer information, including contact lists.
The most susceptible documents to theft are email lists and hardcopy files. Sixty-four percent of respondents took email history and hardcopy files (62%). Of least interest to employees are PDF files (9%), access database files (8%) and source code (3%).
Employees are stealing data in different ways. It is interesting that most employees (61%) who stole valuable customer and other business information are taking it in the form of paper documents or hard files. The next most popular means of transferring data is by downloading information onto a CD or DVD (53%) or onto a USB memory stick (42%) followed by sending documents as attachments to a personal email account (38%).
Employees who take company data are defying company rules. Of those employees who admit to stealing company information, 79% report they do not have permission to do so and 5% are unsure. The top reasons given for stealing data include: “everyone else is doing it, the information may be useful to me in the future, I was instrumental in creating this information, the company can’t trace the information back to me and the company does not deserve to keep this information.”
Only 16% say they were permitted to keep sensitive, confidential or proprietary information. However, their reasons are suspect. Specifically, the top two reasons for their belief that it was acceptable are “other laid-off employees kept this information when they left the company (54%) and no one checked their belongings when they left the company (50%).” Only 11% report that their former supervisor said it was permissible to keep this information.
Companies are failing to take proper steps to stop data theft. While a small number (4%) of employees told their employers that they were taking data, only 15% of companies conducted a review or performed an audit of the paper and/or electronic documents that employees had taken. If they did, respondents report that it was not complete (45%), or worse, superficial (29%). Approximately 41% of respondents say the review was conducted by their direct supervisor or manager followed by the human resources personnel. Approximately 89% report that their company did not do an electronic scan of devices such as portable data-bearing equipment or USB memory sticks.
Employees leave their laptops but take CDs, USB memory sticks and PDAs. Ninety-two percent of employees took CDs/DVDs followed by USB memory sticks (73%) and PDAs (17%). Only 9% kept their Blackberry and 3% kept their laptops.
Employees were able to access their former employer’s computer system or network after departure. According to 24% of respondents, their ability to access data continued after they left the company creating a data security risk. Of these respondents, 32% say that they accessed the system and their credentials worked and 38% say their co-workers told them that their access rights continued. In the case of 35% of the respondents, access to the system continued one week or longer.
While only 4% report that they gained access using a co-worker’s authentication credentials after departure from the company, 51% said their supervisor told them they would have access to the company’s system, email or network for a specified period of time. More than 44% continued to receive email on their company’s account.
Employees’ reasons for leaving are mixed. Approximately 37% were asked to leave, 38% found a new job and 21% moved on because they are anticipating a layoff. Immediately after leaving their former company, 61% took paper documents or hard files, 53% downloaded information onto a CD or DVD and 42% downloaded information onto a USB memory stick.
Implications and recommendations for companies
All companies share the potential risk of having a data breach because of the actions of former employees. In addition, they have allowed competitive information about customers, business partners and other intellectual property to walk out the door putting them at a competitive disadvantage. We recommend that companies immediately assess the potential data loss from former employees who had access to sensitive and confidential data as part of their job.
Dr. Larry Ponemon presented this paper entitled “Data Loss Risks During Downsizing” on February 23, 2009. To read the full 24-page study, go here.
CIO Budget Dilemma: How to Choose Which Projects Live and Which Projects Die
Posted by Brad Egeland
This is a great article written by Howard Anderson for InformationWeek. Howard gives some very straightforward insight into how to quickly decide what projects to hang on to when you’re faced with a critical IT budget issue. I like his style of writing and the content is great…please read on….
Project Triage: Skippy Must Die
You have a problem. Your project budget has been decimated. The suits are under serious budget pressure and are mouthing expressions like “shared pain,” which is never what you want to hear. So you’ll have to decide what lives and what dies. Further, some of your best people are on projects that will never see sunrise. Did I mention that there are some Sacred Cows out there protected by their Godfathers, but which should logically die? Can you figure out which Godfathers are on their way out?
This isn’t about technology; it’s about management. And you need help to plow through this mess to get to a point where you can do the fun part: showering money on sexy things that will wow Mahogany Row and drive business forward. But now is not the time.
Some of these projects are “strategically important” but might not survive the bloodletting – is there a way you can hide them? Some of these projects have so much management attention that you cannot kill them, but they should mercifully be put out of their misery, because either they’re never going to work or the real cost is three times what anyone thought. Other projects made sense at the time but don’t now. Want to take that Big Write-Off now? Not such a good time.
Want to play company politics? Very risky. Ignore politics? More risky. This isn’t the time to bet your job. Here are Howard’s Rules:
- Find a common enemy. Maybe it’s the economy. Maybe your company is at a crossroads. But use the common enemy argument to kill obvious losers. Kill any project where the ROI – and you know how to fudge those numbers – is more than two years out. Kill projects where the resultant savings/benefit cuts over multiple cost centers. Kill projects whose justification is flimsy, like they will save everyone 6.3 minutes per week.
- Move your best people into Safe Harbors, projects that can’t be killed, even if those projects aren’t quite as much fun or challenging. A great programmer is worth 10 average ones. A great project manager is the difference between “on time, on budget” and Excuse City. Yes, you may lose a few people, but you’ll live to fight another day.
- Protect projects that keep the lights on and will carry you to a better day. There’s a tendency to put off upgrades until “next year” – but next year may be worse.
- Find projects to throw under the bus. You must show that you are a Team Player, so know what you want to kill and why. Smart CIOs will start to move their deadwood to those projects, so when they get killed, the people you’d like to go will go with them.
- Get the operating divisions to kick in some of their budget to the Sacred Cows. That will force them to choose.
- Keep one or two Knock Your Socks Off projects. You need to retain a little sex appeal to give hope to the superstars. Do as little as possible as loudly as possible.
- Pass out enough sugar to international so they don’t feel completely neglected.
- Combine projects where possible.
- Realize that what you’re buying is Time. You just don’t have the budget you thought you did. Some projects must be cut to zero. And they must be cut right now.
This article was written by Howard Anderson for the March 14, 2009 issue of InformationWeek.
Ten trends for 2009
Posted by Elizabeth
2009 is going to see a change in the way projects are run, according to ESI International. “In 2009, more than any time in recent history, empowering people with the right skills, knowledge and tools to pick the right projects, ensure support for change and effectively track progress for smart governance will be key to project success,” says J. LeRoy Ward, PMP, PgMP, Executive Vice President, ESI International.
So, without further ado, these are the shifts we’ll be seeing this year:
- Making an environment for change
75% of all change programmes fail because of a lack of employee support. Today’s economy will force organizations to confront the important roles middle managers play in the success of change efforts. Middle managers’ roles will shift from being the messenger of directives ‘from above’ to creating a positive environment to enable change, accountability and ownership of change initiatives, achieving the full benefits of change and ensuring return on investment.
- Skills for managing virtual teams
The role of virtual teams will grow, along with the demand for the skill sets to manage them, like being able to manage cross-border teams. Powerful communication, key management strategies and new rules of engagement will be required to manage virtual teams through change and budget difficulties.
- Sharper distinctions between project and programme management
This year will see an increase in the understanding of the differences between projects and programmes and the utilization of strategies to boost programme managers’ effectiveness and increase programme success: and not just through using the same methods as their organizations currently use to manage projects.
- Involvement in communities of practice
The number and importance of project management communities of practice, like the ICPM and Gantthead, will increase significantly in 2009. These informal communities, like the conversations formed through this blog, will be highly prized for the lack of bureaucracy that increases the sharing and use of best practices, enabling increased dialogue to overcome challenges and growing future leaders.
- Better appreciation of the Project Management Office
Although the project management office has gained wide acceptance, it still needs buy-in at the senior executive level. 2009 will build on developments from last year and we will see an increase in the importance of quantifying the PMO’s value and how to present that data to senior management to ensure funding in what promises to be a highly competitive arena for organizational resources.
- Back to basics
More than any year in recent history, 2009 will be a critical year for ensuring project success. Project managers will increase their emphasis on the basics, taking a first-things-first approach and addressing fundamentals such as gaining and sustaining executive commitment, addressing gaps in the alignment of organizational strategy and projects, project selection, and efficient measurement processes while leveraging existing resources to increase project success.
- Demand driven resource management
We are already seeing the impact of the economy on the recruitment situation. The adoption of Demand Driven Resource Management will increase significantly in 2009. It’s a way of essential cost containment which will lead to greater organizational performance and efficiency.
- Improved requirements metrics
The economic need to accurately assess and evaluate the organizational and cost impact of project requirements will bring a greater role for business analysis. We need to have quality metrics that we can use to assess the economic, performance and feasibility value of each project, and project component.
- People before technology
Any good project manager will know that this has always been the case, but this year organizations will want to ensure that technology investments deliver enhanced performance. This will result in greater recognition of the critical role people play, leading to increased recognition that employees need the right skills and knowledge before applying processes for consistency and adding technology to deliver increased efficiencies.
- Changing the way we manage risk
In 2009, many organizations will leave behind the ‘one number’ method for project outcomes and embrace a quantifiable range of potential results on which to base decisions. Leadership in risk management will recognize that the best governance hinges on the availability of quality information at the project level.
Have you noticed any of these trends affecting your projects yet?
