
Shopper Uncovers Security Compliance: 201 CMR 17.00 Already Having an Effect on Businesses

I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and was handed back the application form to destroy myself.  Retail stores that handle payment card information must abide by the strict rules of PCI DSS, the Payment Card Industry Data Security Standard developed to protect cardholder data.

The form I filled out contained Personal Information (PI) such as a Social Security number, not payment card information, so it would not fall under the PCI DSS purview; in Massachusetts that kind of data falls under 201 CMR 17.00 instead.

In an attempt to better understand the security process, I asked the clerk processing my information what would happen if I left the form behind.  She told me that they place leftover forms in the bin behind her and that a disposal company destroys everything in the bin; they receive a certificate of destruction from that company as proof.

Good start.  The company could have taken the process a step further by using a covered, locked bin instead of what looked like a standard waste paper basket: anything in an open bin is exposed to every employee and customer who walks past it until the disposal company collects it.  Still, one giant leap for better InfoSec data protection.

201 CMR 17.00 is here to stay, at least until H.R. 2221 gets passed ;)

How is your company doing so far with meeting the Massachusetts regulation for the protection of PI?  If you are outside the Commonwealth and do not store Massachusetts residents’ PI, are you doing anything to protect your own state’s residents’ PI?

jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com


Top 5 Certifications – 2010 Study – ITIL Makes the List

In a recent survey conducted by Global Knowledge in partnership with TechRepublic, the following are the top 5 certifications and the corresponding average salaries:

PMP® – Project Management Professional: $104,253
CCNA – Cisco Certified Network Associate: $79,695
MCP – Microsoft Certified Professional: $74,438
MCSE – Microsoft Certified Systems Engineer: $86,454
ITIL® v3 Foundation: $101,185

Global Knowledge reports, “Does the type of training one receives make a difference? Again, the answer is “yes”. After controlling for tenure, respondents who took only IT training had lower average salaries than their counterparts who did not take training in the prior year ($74,025 vs. $80,130). However, if the respondent also took some form of project management or business-related training (including ITIL®) in addition to his or her IT training, that deficit reversed ($86,021 vs. $80,130).” To view the complete survey visit http://blogs.techrepublic.com.com/hiner/?p=3873&tag=nl.e101

We see this as a very positive sign that process skills are increasingly valued in the organization.  And for the second year in a row!!!  (See my 2009 blog entry at http://cppit.com/blog/2009/04/22/recent-study-says-economic-counter-trend-in-demand-for-it-process-and-architecture-skills/ )

Still good to be a geek; even better to be a process-oriented geek ;-) .


Is the CMDB Promise Achievable?

Let’s face it.  The configuration management database is really the Holy Grail of IT Service Management.  Business services are defined, each supporting one or more business processes.  These business services connect to the software and hardware elements (or infrastructure services) that represent the connectivity, processing and storage capabilities used to support the business service.  Ideally, through an extension of the CMDB referred to as the Configuration Management System (CMS), you would also connect supplier contracts (underpinning contracts), OLAs and SLAs, and you would include links to incidents, problems and changes.  The end goal is optimal visibility: seeing what services you are supporting along with all of the past, present and future activity regarding those services.  It is the IT data warehouse that consolidates data from the multiple operational data stores of your IT management tools so that key IT management decisions can be made.

The vision for a CMDB/CMS strategy is spot on as a critical underpinning for holistic service management.  The execution is the tricky part, and the CMDB is a consummate example of why ITIL’s guidance on breaking a vision down into manageable, achievable interim goals matters.

For organizations that have substantial infrastructure and no current tracking mechanism, be realistic about the results you hope to achieve.  Auto-discovery tools can be helpful but are also complex, and they need credentialed access to every point in the network to give comprehensive results, which is itself a privileged footprint you have to secure.  A structured, slow but reliable approach to getting your arms around the relationship models is to target a handful of services to begin with and do one service at a time.  Once a service’s model is validated in the CMDB, the key is to make sure it is managed under your change management process from then on; otherwise the model drifts from reality as soon as the next change lands.

Identifying business-critical services and prioritizing them within this strategy as the first phase will give you better control of, and visibility into, the areas that matter most to your enterprise.  Once you’ve got those critical services captured, you can tackle the others.  In a large organization, this discover-and-control method will be a multi-year process, but the approach makes the CMDB promise achievable.
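To make the relationship model concrete, here is an added example (not code from this post or from any CMDB product) of the two questions a service-by-service CMDB is meant to answer: which business services are impacted if a given configuration item fails, and which of a service’s dependencies are not yet under change control. The CIs, their types and the dependency edges are constructed sample data; the class and method names are this example’s own.

```python
"""Minimal CMDB relationship model with impact and change-control queries.

Added example, not the author's or any vendor's code.  Configuration items (CIs)
are nodes; "depends_on" edges point from a service to what it needs, and the
reverse "supports" edges let us walk upward from a failed CI to the business
services it ultimately underpins.  All sample CIs below are constructed.
"""
from collections import defaultdict, deque


class CMDB:
    BUSINESS = "business_service"

    def __init__(self):
        self.cis = {}                       # name -> {"type": str, "under_change_control": bool}
        self.depends_on = defaultdict(set)  # ci -> CIs it requires
        self.supports = defaultdict(set)    # ci -> CIs that require it (reverse edges)

    def add_ci(self, name, ci_type, under_change_control=False):
        self.cis[name] = {"type": ci_type, "under_change_control": under_change_control}

    def add_dependency(self, ci, needs):
        for n in (ci, needs):
            if n not in self.cis:
                raise KeyError(f"unknown CI: {n}")  # refuse dangling relationships
        self.depends_on[ci].add(needs)
        self.supports[needs].add(ci)

    def _reach(self, start, edges):
        """Breadth-first walk over `edges`; the seen-set also guards against cycles."""
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in edges.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def impacted_business_services(self, failed_ci):
        """Business services that (transitively) rely on failed_ci."""
        return {n for n in self._reach(failed_ci, self.supports)
                if self.cis[n]["type"] == self.BUSINESS}

    def untracked_dependencies(self, service):
        """CIs a service relies on that are not yet managed under change control."""
        return {n for n in self._reach(service, self.depends_on)
                if not self.cis[n]["under_change_control"]}


def build_sample_cmdb():
    """Constructed sample: two business services sharing storage and directory services."""
    db = CMDB()
    db.add_ci("Benefits Administration", CMDB.BUSINESS, under_change_control=True)
    db.add_ci("Email", CMDB.BUSINESS, under_change_control=True)
    db.add_ci("app-server-01", "server", under_change_control=True)
    db.add_ci("smtp-01", "server", under_change_control=False)   # captured, not yet controlled
    db.add_ci("san-01", "storage", under_change_control=True)
    db.add_ci("directory", "infrastructure_service", under_change_control=True)
    db.add_dependency("Benefits Administration", "app-server-01")
    db.add_dependency("Benefits Administration", "directory")
    db.add_dependency("app-server-01", "san-01")
    db.add_dependency("Email", "smtp-01")
    db.add_dependency("Email", "directory")
    db.add_dependency("smtp-01", "san-01")
    return db


if __name__ == "__main__":
    db = build_sample_cmdb()
    print("If san-01 fails:", sorted(db.impacted_business_services("san-01")))
    print("Email deps outside change control:", sorted(db.untracked_dependencies("Email")))
```

The second query is the one that keeps the model honest: after each service is validated, run it and drive the result to an empty set before moving on to the next service.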


Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net of losing an unencrypted hard drive containing 450,000 patient records (revised down from 1.5 million) would be far greater than the cost of securely controlling and protecting their information assets. Health Net will now begin emptying its wallet to build a defense against the lawsuit filed by Connecticut Attorney General Richard Blumenthal.

The breach occurred in May 2009 and was not reported until November. As discussed, Connecticut’s breach notification law is fairly strict, and holding off on reporting such an incident for 5+ months is, I would assume, over the top, which could lead Blumenthal to make an example of Health Net for all to see. To add fuel to the fire, the HITECH Act (enacted as part of the American Recovery and Reinvestment Act of 2009) also imposes breach notification mandates that were apparently neglected. See my November blog post under Security entitled “Health Net Breach — A Failure of People, Process & Technology” for more details.

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221, passed the House of Representatives earlier this month (December 8th, 2009).  The bill, like 201 CMR 17.00 (the Massachusetts standards for the protection of personal information), seeks to protect consumer personal information and requires notification of individuals in the event of a breach, albeit at a national level.  The bill goes before the Senate next and then to the President.

H.R. 2221 would require for-profit organizations to develop the security policies and safeguards necessary to protect U.S. residents’ personal information within one year of enactment.

More to come later…

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


Health Net Breach — A Failure of People, Process & Technology

The recent Health Net data breach of 1.5 million patient records, caused by a lost hard drive, exposed unencrypted personal information such as names and addresses, medical records, Social Security numbers and other financial information.  A breach of this magnitude is shocking, and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November 2009).  The breach may be a gross violation of HIPAA, the FTC “Red Flags” Rule, Connecticut’s Public Act 08-167 (CGS 36a-701b) and other state regulations and breach laws.

I am sure that Health Net, like most companies, felt it had developed the controls necessary to meet such regulations.  But a breakdown of this magnitude proves a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk.   That is why we have been advising our clients to develop a risk-based information protection plan that weighs their potential loss against the cost of securely controlling and protecting their information assets.  The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventive cost of deploying the right controls for this threat.  If the lost hard drive had been encrypted, I wouldn’t even be writing this post: breach notification laws generally do not treat properly encrypted data as breached, provided the key was not lost along with it.

In his statement, Attorney General Richard Blumenthal stated that “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not optional:  *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.*     Comments are welcome.

jay.martin@cppit.com

www.cppit.com


SSL and TLS no longer safe?

End-to-end encryption took a big hit last week when US-CERT reported that exploit code for a man-in-the-middle attack against SSL and TLS is publicly available.   The attack lets an attacker splice into an SSL or TLS connection during a client- or server-initiated renegotiation of the security context: data the attacker sent before the renegotiation is treated by the server as coming from the legitimate client, in the same stream as the client’s own request.  The attacker cannot read the victim’s encrypted traffic, but injecting a chosen prefix (for example, an HTTP request that the victim’s own credentials then complete) is bad enough.  The vulnerability affects pretty much every site we connect to securely, including online banking sites, PayPal and so on, and implementations on every operating system and browser.

As of this writing, patches are not yet available, but there is an Internet-Draft dated November 14, 2009 that proposes a fix to TLS (later published as RFC 5746, the Renegotiation Indication Extension): client and server cryptographically bind each renegotiation to the connection it happens on, so a spliced handshake is detected and rejected.  The draft is linked here if you wish to review it.  That it existed before the announcement means the IETF TLS working group was aware of the vulnerability and was already working, under embargo, on a fix before US-CERT released the news.

As you may know, SSL itself will not be updated, because most of us are really using TLS when we connect to secure web sites.  We may still call it SSL, but SSL 3.0 is the predecessor that TLS replaced, and browsers only fall back to it when TLS negotiation fails.

I suspect patches are on their way within the next few weeks, so make it a priority to update your systems through your normal patch management process.  In the meantime, the interim mitigation vendors are shipping is to disable renegotiation altogether; if you run your own servers, check whether yours still accept client-initiated renegotiation.
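The fix described above works by having each side signal, in the handshake, that it implements the renegotiation extension. Here is an added example (not code from this post, and not the IETF reference implementation) that parses a TLS ClientHello and reports whether the client signals secure renegotiation either through the special cipher-suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF) or through the renegotiation_info extension (type 0xFF01). The handshake byte strings are constructed inline; the function names are this example’s own. A server that sees neither signal knows it is talking to a client that cannot be protected and should refuse to renegotiate with it.

```python
"""Detect secure-renegotiation signalling in a TLS ClientHello (RFC 5746).

Added example, not code from the original post.  Input is a TLS Handshake
message of type ClientHello with the record layer already stripped.  The two
signals a patched client may send on an initial handshake are the SCSV cipher
suite 0x00FF or a renegotiation_info extension (0xFF01) whose
renegotiated_connection field is empty (a single 0x00 length byte).
The sample ClientHello messages below are constructed for this example.
"""
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type


def parse_client_hello(handshake: bytes) -> dict:
    """Return version, cipher suites and extensions; raise ValueError if malformed."""
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                                     # client random
    take(take(1)[0])                             # session id (length-prefixed)
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len % 2:
        raise ValueError("odd cipher suite length")
    suites = list(struct.unpack("!%dH" % (cs_len // 2), take(cs_len)))
    take(take(1)[0])                             # compression methods
    extensions = {}
    if pos < len(body):                          # extensions block is optional
        ext_len = struct.unpack("!H", take(2))[0]
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extension length mismatch")
        while pos < end:
            etype, elen = struct.unpack("!HH", take(4))
            extensions[etype] = take(elen)
    return {"version": version, "cipher_suites": suites, "extensions": extensions}


def secure_renegotiation_signalled(handshake: bytes) -> bool:
    """True if an initial ClientHello carries the SCSV or an empty renegotiation_info."""
    hello = parse_client_hello(handshake)
    if SCSV in hello["cipher_suites"]:
        return True
    ext = hello["extensions"].get(RENEG_INFO_EXT)
    # On an initial handshake the extension body must be exactly one zero length byte;
    # anything else is a protocol violation and is not accepted as a signal here.
    return ext == b"\x00"


def is_well_formed(handshake: bytes) -> bool:
    try:
        parse_client_hello(handshake)
        return True
    except ValueError:
        return False


def build_client_hello(cipher_suites, extensions=None) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello (constructed test data, fixed random)."""
    body = struct.pack("!H", 0x0301) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                          # one compression method: null
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed samples: an unpatched client, one using the SCSV, one using the extension.
LEGACY_HELLO = build_client_hello([0x002F, 0x0035])
SCSV_HELLO = build_client_hello([0x002F, 0x0035, SCSV])
EXT_HELLO = build_client_hello([0x002F], [(RENEG_INFO_EXT, b"\x00")])

if __name__ == "__main__":
    for name, hello in [("legacy", LEGACY_HELLO), ("scsv", SCSV_HELLO), ("ext", EXT_HELLO)]:
        print(name, secure_renegotiation_signalled(hello))
```

The same check, run against a captured ClientHello from your own clients, tells you which of them will still be vulnerable once your servers are patched; the SCSV form exists precisely because some older servers choke on unknown extensions, so expect to see both.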


Demystifying The Confusing Service Catalog

What is a “Service Catalog”?  Ask this question of 10 people and you may get 20 answers, ranging from a documented, resume-like list of IT capabilities to a list of requestable items that IT can provide to an end user.  As IT vendors and consulting organizations, we’ve done nothing but contribute to the overall confusion around the service catalog.  The only thing we’ve been able to convey with any consistency is that if you are an IT service provider (whether internal to an organization or an external third party), it’s important to have one.  That’s where the common theme around the service catalog ends, I’m afraid.

So let’s break it down from an ITIL perspective:

Question 1:  What is a Service?

A service is something that provides “value” to customers by facilitating outcomes the customers want, without their ownership of the specific costs and risks.  Take an email service that is up and running 24 x 7 with the ability to send and receive messages, filter spam and guarantee delivery, or pick another customer-facing service for which you can clearly articulate a desired business outcome.  The customer is not a technology expert; they are a subject matter expert for their business area.  This does not mean they don’t pay for the service.  It means that, as the technology expert, the IT service provider has a better opportunity to understand and control the costs and risks than the customer can hope to, so the customer has put ownership of those in your more capable hands.

Question 2:  What is a business service and what is an infrastructure service?

A business service is an IT service that DIRECTLY supports a business process.  Benefits Administration, for example, is a business service that allows a business unit to track and manage corporate benefits, benefit entitlements and the subscription choices of employees.  In a water delivery system, think of the faucet as the business service: when I turn the cold water faucet on I get cold water, and when I turn the hot water faucet on I get hot water.

An infrastructure service is an IT service NOT DIRECTLY used by the business but required by the IT service provider in order to provide business services.  For example, for the Benefits Administration business service to perform its required functions it needs to be supported by server administration, storage, directory and communications services.  Think of infrastructure services as the plumbing and the water heater in your home, plus the wells or reservoirs, pumping stations and municipal piping that deliver water to your home.

Question 3:  What is a Service Catalog?

A Service Catalog is a database or structured document with information about all live services and services planned for delivery.  It is used to support the sale and delivery of IT services, and it includes information about the deliverables of IT services, contact points, prices, and ordering and request processes.   The portion of the service catalog visible to business customers contains only the business services; both business and infrastructure services are visible to the IT organization.

Question 4: What is a Service Request?

A Service Request is the action of subscribing to a service, or of turning on, turning off or altering some underlying aspect or capability of a service.  For example, if Email is my business service I may be able to make the following requests:

  • Add or remove a mailbox
  • Add or remove a mail user
  • Grant or restrict a user’s rights to access a mailbox
  • Extend the amount of space in a mailbox

Question 5:  What is an Actionable Service Catalog?

It is an electronic version of the Service Catalog described in Question 3, constructed so that you can search services, service levels and service contacts, and make requests related to services.  It provides both a communication vehicle (linking real-time service level metrics or alerts about service changes, for example) and an automated service request mechanism that allows self-service.  Because requests such as granting access to a mailbox are privileged operations, that self-service mechanism needs an approval workflow and an audit trail behind it, not just a form.


On ITIL & Six Sigma

Six Sigma or ITIL for IT organizations?  We’re often asked this question as if there were a clear choice between the two, or as if they were mutually exclusive.  In fact, ITIL and Six Sigma have the same goals, to drive process efficiency and effectiveness, and each contributes in a complementary fashion to achieving them. For IT organizations that have well-defined processes in place, Six Sigma tactics can be used to measure, analyze and improve the performance and effectiveness of those processes.

But the key is that you have to have something to measure.   For organizations that have informal or loosely defined processes, this is where ITIL comes in: ITIL provides a process framework with well-defined inputs, outputs, activities and metrics, laying a process foundation that Six Sigma methods can continuously improve upon.  For organizations that have well-defined but poorly performing processes, ITIL, as a recognized leading good practice, can be the place to start the reengineering effort.

Can you implement ITIL and Six Sigma in tandem?  Yes, given a well-architected approach that implements Service Management using ITIL and applies Six Sigma as the continuous improvement methodology.  The process definition needs to come first, but it should be defined with current pain points and inefficiencies in mind, supplying concrete measurement points to a Six Sigma program that can then assure the process remains efficient and effective, or continues to gain in both.

Both ITIL and Six Sigma are excellent mechanisms to build an effective, productive, service-oriented IT organization.  The trick is to understand the role that each plays and assure that your implementation approach is designed to produce the maximum benefit.


What I Learned From Getting Hacked

In CPP’s June podcast, we discussed a security breach that occurred a few years ago and the steps my team took to detect, respond to and remediate the incident.  Here are the five things I learned from that breach.

1).  Planning your response to a disaster or security incident is just as important as the safeguards you put in place
You cannot protect against everything.  The following often delay or prevent putting the necessary mitigation plans and preventive controls in place:
   -  Residual risk that remains based upon your organization’s tolerance or risk appetite
   -  The cost of mitigating risks and putting the necessary controls in place to thwart threats and vulnerabilities
   -  Business strategies and priorities that conflict with your security program
   -  Zero-day threats and vulnerabilities
If you agree with at least one of the bullets above, then it is of the utmost importance to have Incident Response Plans and Response Teams in place that you can trust.
2).  Select a team or teams you can trust
Tough times don’t last, tough people do.  Choosing people for your Emergency Response and Incident Response teams should be done on a selective basis.  Having the right people on call at the right time may save your organization from further loss.  Creative people who can think clearly in stressful situations can make all the difference between ending up in the headlines and heading the bad guys off at the pass.
3).  Store your Incident Plans in plain sight (and at multiple sites)
When an incident or disaster occurs you don’t want to leave your response to chance, even if you have selected a great team.  Know exactly where your Continuity, DR and Incident Response Plans are located.   This is achieved through constant awareness and possibly automation.  Both electronic and paper copies should exist in multiple locations, because the systems that hold the plan may be the very ones that are down or compromised.
4).  Monitor, Monitor, Monitor
Our security breach was discovered through a higher-than-normal CPU event that triggered an automated alert to our Service Desk.  Good processes and disciplines (automated and otherwise) must take over from there.  Monitoring for anomalies on your servers, network devices, databases and applications is an important first step, in addition to traditional security monitoring (IDS/IPS, anti-virus, logging, etc.): an intruder’s activity often shows up in operational metrics before any security tool names it.
5).  Embed good processes and practices such as ITIL into your organization’s daily life
I brought ITIL into my previous employer’s organization in 1999.  Good Event, Incident and Problem Management disciplines were vital in the detection, notification, root-cause analysis and escalation of the attack.  Change/Configuration and Release Management disciplines were significant in quickly correcting the incident and the underlying problem and in putting the necessary corrective, compensating and deterrent controls in place.

Comments are welcome.
Jay Martin
jay.martin@cppit.com
