The Most Serious Data Threat May be Sitting Next to You
Posted by Brad Egeland
An article that appeared recently in InformationWeek magazine examines what is sometimes the most serious threat an organization faces in terms of its own data security – the internal authorized user base. The following article from Ericka Chickowski explains that hackers may covet your data, but insiders are the most common source of database leaks.
How IT pros who manage database security rank database threats:
- An insider attack by someone with root access to the database or database server
- A logical attack on a Web-facing app connected to a database
- Database containing confidential data that IT is unaware of
- A misconfigured database
- A vulnerable database that hasn’t been patched
(Data: Enterprise Strategy Group survey of 179 IT pros)
In their quest to protect sensitive information from outside attackers, many organizations overlook the most imminent threat to their databases: authorized users.
“It sometimes amazes me how little concern companies have for their production data,” says James Koopmann, owner of database consulting firm Pine Horse. “They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data without any concern for how it might be retrieving, caching, or altering data.”
As discussed in the latest Dark Reading Database Security Tech Center Report, five common factors are most likely to lead to the compromise of databases: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.
Take the lack of security education. In our InformationWeek Analytics 2009 Strategic Security Survey, we asked respondents to rate the time spent on various security efforts. User training came in ninth out of 10 choices, a few points behind log file analysis. Yet in another study, CompTIA’s seventh annual Trends in Information Security report, published earlier this year, 85% of those organizations surveyed that do offer security training to non-IT staff saw a reduction in major breaches.
The goal of training must be to ensure that users who work with databases understand the sensitivity and/or financial value of the data they work with, and therefore are less apt to become casual in their security practices.
Poor password management is another common problem. Either IT departments allow database users to set easy-to-guess passwords, or they make passwords so complicated that workers end up writing them down and sticking them to the computer screen.
“We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders,” says George Jucan, CEO of Open Data Systems, a database consulting firm.
Account sharing also creates security issues. While some users take advantage of their co-workers’ credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator. All that log file analysis won’t help you now.
Unfettered access to data is another common problem. In many cases, employees are given access to more information than they need to do their jobs.
“Most of the databases today provide role-based access control to databases, and few companies actually take advantage,” Jucan says. “If somebody doesn’t even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer.”
Enterprises should also look into data-masking technology to limit the user’s exposure to highly sensitive and highly regulated data sets, such as Social Security numbers, without limiting the user’s ability to do his work.
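The two controls recommended above, role-based access so that users never see data they do not need and masking of regulated fields such as Social Security numbers, can be combined at the database layer. The following PostgreSQL script is an added example, not code from the article or from the consultants it quotes; the table, sample rows, role and user names are constructed for illustration.

```sql
-- Constructed example table holding a regulated field (SSN).
CREATE TABLE customers (
    id          serial PRIMARY KEY,
    full_name   text NOT NULL,
    ssn         char(11) NOT NULL,     -- constructed sample values, format 'NNN-NN-NNNN'
    balance     numeric(12,2) NOT NULL
);
INSERT INTO customers (full_name, ssn, balance) VALUES
    ('Ada Lovelace', '123-45-6789', 1500.00),
    ('Alan Turing',  '987-65-4321',   42.00);

-- Data masking: a view that exposes only the last four digits of the SSN.
-- Views run with the privileges of their owner, so readers of the view
-- never need (and never get) access to the underlying table.
CREATE VIEW customers_masked AS
SELECT id,
       full_name,
       'XXX-XX-' || right(ssn, 4) AS ssn_masked,
       balance
FROM customers;

-- Role-based access control: a group role for support staff.
CREATE ROLE support_staff NOLOGIN;

-- Default deny: strip any privileges the PUBLIC pseudo-role may hold.
REVOKE ALL ON customers FROM PUBLIC;
REVOKE ALL ON customers_masked FROM PUBLIC;

-- Least privilege: the role may read the masked view, never the base table.
GRANT SELECT ON customers_masked TO support_staff;

-- A login account (hypothetical user) inherits only what the role holds;
-- the password is a placeholder to be replaced by the site's policy.
CREATE USER jdoe WITH PASSWORD 'replace-me' IN ROLE support_staff;

-- Verification, run by an administrator impersonating the new user:
SET ROLE jdoe;
SELECT full_name, ssn_masked FROM customers_masked;  -- permitted: masked view only
SELECT ssn FROM customers;                            -- must fail: no privilege on the base table
RESET ROLE;
```

Auditing the second SELECT's permission-denied error in the database log is one way to confirm that the base table is no longer reachable through shared or over-privileged accounts.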
Finally, take a closer look at technologies and practices for protecting data as it becomes increasingly portable. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices. Experts say that tools such as database activity monitoring, data loss prevention, and encryption all can help protect portable data.
Defining Risk Management – Part 9: Risk Control
Posted by Brad Egeland
This is the ninth and final installment in the Defining Risk Management series. In this final segment, we look at what risk control is and how we monitor and track the risks that are identified and the new ones that are encountered on our projects. This information is again derived, for the most part, from the book “The Project Management Question and Answer Book.”
What is Risk Control?
Risk control is the process of monitoring, controlling and keeping track of both the identified and the unidentified risks. In this process we hope to identify risks that are no longer possible and risks that are coming due, as well as any new risks that may become evident. We will also monitor risk activity to make sure the risk plans have been carried out successfully. Problems discovered in the risk plan can help us adjust the plans for future risk activities.
Risk control and monitoring are part of the risk management process and must be started early in the project and continued until the end. As the project progresses, we will find that many of the risks will change, some will no longer be possible, others will happen and be disposed of, and new risks will be identified. In addition we will learn about the project and the risks associated with it and adjust our vision of individual risks.
The level of risk tolerance should be monitored as well. The attitude of the stakeholders will change during the course of the project. Communication with all stakeholders is important since it gives us a means of assessing changes in their risk tolerance.
Risk control may involve changing the way we look at risk. There are several reasons why this might take place. The risk tolerance of the stakeholders may change; the risk tolerance of the project team may change. As the project progresses toward its completion, certain risks that were thought to be very important to the success of the project may become risks that are no longer thought of as being so important.
In the beginning of the space shuttle project, the heat-resistant ceramic tiles were originally thought of as being one of the major risks in the program. If the tiles were lost or their integrity was compromised, the heat of reentry, some 3,000 degrees Fahrenheit, could reach the airframe’s aluminum structure and cause breakup of the ship. As time went by and NASA flew over one hundred missions with the space shuttle vehicles and the whole take-off and landing process became routine, the perceived severity of the risk diminished. During this time there were minor failures of the reentry tiles, but these failures proved to require only minor repairs, and the shuttle vehicles suffered only minor damage. A program to develop a method of repairing tiles in space was discontinued because it was deemed impractical. Part of the impracticality was probably because of the perceived reduction in the probability and impact of heat shield failures.
On February 1, 2003, just three days after the anniversary of the crash of the space shuttle Challenger, Columbia, the oldest space shuttle in the fleet, disintegrated on approach to landing. At this writing the investigations have hardly begun, but the heat shielding tiles are once again suspect because there is little that can go wrong on reentry except for a heat shield failure.
We see that during the project, the evaluation of the risk of heat shield failure began as a high risk. As time went on, the risk was revalued lower and lower. After the crash, the valuation of the risk has no doubt been raised higher than its former level.
In all projects, as we gain knowledge and experience about the project and its risks, we will change our attitude toward the risks in the project. This is natural and important. As we learn, we must change the level of effort we spend in certain areas or we will never have the resources, time, or money to complete any project.
The control system for risk is also influenced by the organization under which the project is managed. In a project that is high in risk, we might have a person at a high level who is exclusively responsible for managing risks. On projects that are relatively routine by comparison, the risk manager may be the person responsible for the tasks that are most affected by the occurrence of a risk. These persons are responsible for communicating risk progress to the project manager and other affected stakeholders.
Risk audits can be used to document the effectiveness of the risk plans and the strategies that were used to mitigate, avoid, or transfer risks. A judgment can be made as to whether it was cost-effective to ignore the risks that were ignored.
Deviations in the project performance may indicate the effect of risks on the project. The earned value reporting system is helpful in identifying trends in performance on the project. Generally, schedule slippage and cost overruns are the result of some problems that have occurred. Trends in certain areas may indicate that risks are more severe than was anticipated or that new risks have taken place. One important product of the earned value reporting system is the indication of the cost and completion date at the end of the project. The sooner these slips in schedule or budget overruns can be communicated to the stakeholders, the better it will be for the project. Schedule slides and budget overruns that are severe enough can result in project termination.
A workaround is an unplanned response to a risk that was previously unidentified. These are the unknown risks that were discussed at the beginning of this chapter. They are also the risks that were passively accepted since these were deemed to be risks that would be ignored. Workarounds are paid for from funds from the contingency reserve or the management reserve, depending on whether the risk was identified and accepted or whether it was unknown until it occurred. In any case, the funding for the workaround comes out of these accounts and is put into the operating budget of the project, and a new baseline is created.
Since contingency plans and workarounds are not part of the project baselines until they occur, they should be initiated and approved by the execution of an official change notification. Remember that changes to the baselines should require an official change notification as the vehicle for showing the change in funding, schedules, and scope resulting in a new and current baseline.
PMTips: What We’re Here For
Posted by Brad Egeland
After 372 posts, nearly 500 reader and author comments and almost a quarter of a million words written over the past 7+ months, I’d like to take a moment to step back and discuss what we’re trying to do on the PMTips site.
First, let me say that this has been an extremely interesting and challenging twist on Project Management for me. To actually put thoughts to writing on past experiences, ideas, headaches, mistakes, frustrations and of course successes has been very rewarding for me. I find myself always looking forward to the next article and working to come up with fresh ideas to share or information from favorite articles or books that others may not have run across yet.
The PMTips “About” tab states the following:
PMtips.net is a blog about project management, collaboration, knowledge management and all other work 2.0 concepts present in today’s web 2.0 world.
This is a collaborative project that has several authors, each of them a master in the field. The purpose of this blog is to offer practical tips, tricks and how-tos, and to serve as a resource for shedding light on the tools, trends, and practices that can make life easier for many of us dealing with different challenges on a daily basis.
Its wished-for audience is those who do not use PM tools and do not see themselves as PMs, but actually do their work; people who have just started being PMs in organizations, small, medium, or larger, and are constantly searching out answers that can help them do their work more efficiently and profitably.
At PMtips.net every day new posts are posted which will help you win in your business. We invite you to visit us often and to share your insight with this community as well, since without having you as part of the conversation our aspiration to be helpful will become harder to achieve.
Looking at paragraph #3 I think we’ve gone far beyond that. We strive to be a good, useful resource to new PMs, but the comments and challenging feedback we get from experienced PMs helps to motivate the writers here and has forced our readers and our authors to think about certain PM topics in new and innovative ways.
As always, though, we are here to help PMs who are struggling or need information and answers. I’ve personally sent out more than 50 copies each of Risk Management Plans and Project Communication Plans after writing articles about each and offering templates. We’re just PMs like everyone else out there, but if there are needs for these types of tools – whether we’ve written about them or not – or questions that need answering on topics not yet covered, always feel free to send us those thoughts either through a comment or directly to an author at their email address. The door is always open.
Thanks again for reading and I am personally looking forward to much more interaction with our reader base.
White House unveils new Web site detailing IT project performance
Posted by Arjun Thomas
The dashboard consolidates information the Bush administration reported as part of its quarterly IT Management Watch List and High Risk List. The lists were scrapped in favor of the dashboard because the lists “didn’t really give a lot of visibility into what was going on and what was the root cause of some of these problems,” Kundra said.
“Secondly, the administration would not be able to benefit from the ingenuity of the American people by asking them, is there a third way or a better way than how we’re approaching some of these technology issues,” he added.
The dashboard allows for both. Visitors to the Web site can obtain granular information on any project, such as the money budgeted and spent on each project milestone. They can also provide feedback to the project’s chief information officer through an online e-mail form, export data to personal computers or Web sites, and share data with friends via social networking sites such as Facebook and Twitter, Kundra said.
What are Story Points?
Posted by Richard Kronfält
Recently I held a presentation on this topic, and later produced a blog post about it on my Scrum blog http://scrumftw.blogspot.com. I’m very interested to hear from readers in this forum about the subject.
Traditionally, the aim has been to try to estimate time by looking intensely at a problem (or a task, activity, requirement,…) – so traditionally there’s a lot of effort spent on breakdown, analysis & estimation. But at the same time, we all know that estimating time is very hard and often pretty inaccurate – because software development is research-oriented and there are things that surface only once we start digging in, which then change the picture. We all know this – yet those time estimates tend to become commitments down the line.
I argue that it’s not only the problem (task, activity, requirement,…) that is hard to foretell; the environment where we solve the problem also has a significant effect on the amount of time it will take to complete. And often the environment is much harder to foretell than the problem itself. So, in the end it doesn’t matter how much time you spend analyzing, you will still have a large unknown in the shape of the environment.
The point I want to make is that estimating in Story Points is about recognizing that Time is a result of the Size of a problem solved within a certain Context.
Time = Size x Context
Story Points are a unit for representing Size. This way Context becomes something we can grasp by comparing Size to Time – which is why we measure Velocity