Monday, September 21, 2009

ERM-BC-COOP: Security 1, Business Continuity 0

A funny thing happened on the way to increased security.

My current employer, a major contractor to Uncle Sam, changed its computer security tool from a key fob to a smart card.

That makes Uncle happy, but as an enterprise risk manager I am left shaking my head muttering "Too bad no one asked us first."

There are a number of "got'chas" to the change.

The key fob the card replaced wasn't perfect and the cost to maintain the synching service may be more than that charged by the card provider; I am not privy to the bills.

Key fobs could get lost, but since they were always apart from the computer, a lost key fob wasn't a security disaster. The computer is loaded with a unique program that works in conjunction with the key fob - or the smart card.

Smart cards also can get lost, but as long as the computer is not "lost" with the smart card, there is no major disaster; again, the smart card and the computer go together.

But, got'cha #1: Most of us stick the smart card into our computers when we get the card.

Those of us using desktop machines can walk off and leave the card in the machine. This is a double whammy.

First, the installed smart card compromises the machine. A miscreant still would have to know the computer user's network ID - ANY computer user's network ID; there is no machine/user relationship.

Second, when Joe Q. Employee shows up for work tomorrow, Joe Q. won't be able to get inside the building (at least without some hassle and some explanation to the guards); the smart card also is the entry swipe card.

For those of us with notebooks - née laptops - the temptation is to stick the card into the box and leave it there. When the office is abandoned for the day, the computer is stuffed into its carrying case and off Jane goes. But if Jane forgets the computer or elects not to take it with her, she'll have to explain herself to the guards in the morning.

But it gets worse.

Let's say Jane has to fly to a customer site with her computer. As she sits in the airport something distracts her and she looks away just long enough for someone to walk away with her computer . . . with the smart card safely stuck in the computer's smart card slot.

Not only is the machine generally compromised, the person who "borrowed" the machine will easily find out who "owns" the machine (Jane) and the company that employs the owner (Secret Projects, Inc.). Even if our airport ganov (thief) lacks any computer skills, the value of the stolen box suddenly increases . . . maybe the hard drive houses sensitive information that can fetch a nice price from a competitor or someone who has another country's best interest at heart.

A lesser got'cha is that now neither Jane nor Joe can use their personal computer to access even a limited number of places on the corporate intranet.

If the company machine dies - as it will - Joe and Jane are out of luck until a new machine can be provided, imaged, and the files that hopefully were saved to the network recovered and restored. How long will that take? Depends on Jane and Joe's rank within the company; for a rank-and-filer, maybe a week or three; for a C*O, probably less time.

In the "old days" of the key fob, Jane and Joe could access a number of things, including corporate email, from their personal computers. If the company machine failed, they could "make do" by using their own equipment. True, they could not access everything that they could with the company machine, and "sensitive" material should never be put on a personal machine, but life could go on, albeit less efficiently.

Once again, keeping risk management people out of the loop has presented the organization with several probably avoidable "got'chas." I'm not sure the organization had much choice but to implement the smart card system, Uncle Sam being the 800-pound gorilla customer that it is. Maybe Uncle should have talked to COOP experts - COOP being government speak for risk management - before insisting that vendors implement something with so many points of failure.

What do I mean "once again?" How many companies include risk managers when they consider a new building - tornado and earthquake proof, shelter-in-place, wide exits for the handicapped with paved paths away from the facility, full-capacity stairwells, and much more, even something as simple as checking the flood history?

"Once again" to consider the risks all vendors pose, even money lenders. Does the vendor have a plan to assure product (including money) or service delivery?

"Once again" to consider the neighbors and the environment - are the neighbors high profile? Is the facility near an airport, major highway, railway, sea port?

"Once again" to consider both insurance coverage and carriers; is there enough of the "right" insurance and can the carrier(s) cover the loss, either individually or as a consortium?

Enterprise risk management is best practiced from the business concept and is a continual process.

Enterprise risk management is a process that requires - if properly done - input from everyone, both within the organization and among the organization's vendors - including architects and CPAs, lenders and regulators. No one should be expected to be an expert in everything, but an experienced, inquisitive enterprise risk management practitioner can play a major role in discovering the "what if's" that each individual SME knows lie in wait.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Wednesday, September 16, 2009

ERM-BC-COOP: BIAs for boxes ??

Maybe I'm way off, but I get really upset when someone tells me to do a Business Impact Analysis (BIA) on a computer system, a box.

First, I'm "ticked off" because the real, critical resource is overlooked - that resource is "people" in case you are a first time visitor to a Glenn site.

But then to worry about BOXES !

My Spouse, while an intelligent woman - she has the MBA in the family - is not a risk manager, so when I ranted that someone wants BIA's on systems - boxes - she didn't understand why I was upset.

Fortunately, Yahoo came to my rescue.

The Spouse has a Yahoo email account; if Yahoo keeps changing things that "ain't broke" (a la Microsoft) she might start using her Gmail account more and Yahoo less (and then on to Linux Ubuntu?).

Anyway, to make my point, I asked her if the machine she was using went away, what would she do.

"Go to the library," she replied. Never mind that there are two more machines in the same room. Doesn't say much for the company she keeps, but …

OK, I said. Now what happens if Yahoo "goes away"? Can you still get your email?

Hummm.

The light comes on; she suddenly realizes that it's the APPLICATION that is critical, not the box, not the "system."

(And that's why whenever I expect an important email, I ask that it be sent to two different e-addresses, and maybe my snail-mail address as well. Hey, risk management is my business and I practice what I preach.)

I'm not suggesting that the box be ignored; my apps still need a place to call home. I will admit that moving some of my applications from machine-to-machine is a pain, especially when I have downloaded updates; fortunately all my critical vendors work with me (since I have all the important product and version license information available).

When I create a disaster recovery plan for an IT organization, I need to know what OSs are on each box and the amount and speed of the box's RAM. Do I care about the hard drive? Not a lot.

Why?

If I have 5 XYZ OS machines with 10 critical applications, including databases, I need to know

    (a) how much hard drive capacity I need for all these applications and databases

    (b) if they can co-exist on one machine or do I need to find multiple boxes

If they can co-exist, how fast must the processor run?

I need to know the requirements for a REPLACEMENT machine - or machines. I also need to assure that there is connectivity to whatever the current boxes are connected. (I recently learned THAT lesson when I discovered my new notebook lacks a connector for my old scanner.)

But, basically, a box is a box is a box.

That is not to write that I care nothing about the box. I do. I want to know the machine's Mean Time Before (Between) Failure - MTBF - and I want to know the Mean Time To Repair - MTTR - of the parts with the lowest MTBFs, and I want to know that spares - and associated documentation and tools - are available to get the box up and running; else I need to know where to find a new host for my applications.

I can live without my company machine - actually, I AM living without it as this is written - but I cannot live without the access to the inter and intranets. I have all manner of email, but the company email and IM are, temporarily, inaccessible. That pretty much puts me out of business. (I still have the phone, and I can use local - on the box - applications but . . .).

Since I have another machine with most of the same applications, I can keep busy, but there are many things - besides email - I cannot accomplish. The box that's "down" actually is fine; it's a security application that has brought email and IM and access to the company intranet to a halt.

The security apps developers know about the bug and are "working on it."

By the way, I actually anticipated this hiccup and created an email auto-responder that explains why I am not getting back to my fans in my usual speedy manner and that if they really need me, call the number on the auto-reply. (I have to tell you, I feel like the Maytag repairman … very lonely. Even the Help Desk hasn't called back; am I the new Rodney Dangerfield [z'l]?)

BIAs for systems? No. BIAs for applications. Yes and yes again.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
http://JohnGlennMBCI.com
JohnGlennMBCI at gmail dot com

Wednesday, September 9, 2009

OpenOffice is not MS Office

I hate to admit it, but OpenOffice.org applications and many of the Ubuntu utilities (e.g., Evolution) have a long way to go to compete with Microsoft Office and Microsoft utilities.

Granted, “you get what you pay for,” and OpenOffice IS free versus Microsoft products which are expensive.

But the more I use Ubuntu and the free applications and utilities available to it, the more I realize free apps leave something to be desired.

Since I own Microsoft Office 2007 and I have Vista Home on my new laptop, why did I install Ubuntu 9.04? For the same reason I am abandoning Yahoo mail.

Both Microsoft and Yahoo keep fixing things that “ain’t broke.”

Every time Redmond comes out with a new version of its products – be it OS or application – the User Interface (UI) is revamped. My productivity takes a serious hit when the latest and greatest is installed. As my productivity dips, my frustration level rises.

I’ve been using MS Word since V1.0 for DOS! It’s a great word processor. It never was anything more. Claims that it can be used for long, complex documents are, in my not-at-all-humble opinion, so much hot air. If you are cobbling together a technical manual of 100-plus pages, with graphics and tables, get a page composition application and a decent graphics generator. Over the years I used a variety of applications – for page composition, FrameMaker, Interleaf, and Ventura (which still remains my favorite). Graphics? I’ve had Corel Draw, Deneba Canvas, and Micrografx Designer (née In-a-Vision), among others. Using those apps, and Word, I’ve created long manuals, short newsletters, various length articles, brochures, and even a few resumes. By the way, there apparently are no free/low cost real page composition applications for Ubuntu.

When I tell you I LIKE Ubuntu and OpenOffice.org and Evolution (email handler), trust me, I do.

But I also will tell you they lack features and functions I take for granted in MS offerings.

Small frustration.

I created a document for my Web site (http://JohnGlennMBCI.com). I put files up in three formats: html, PDF, and text.

First, the “Web” looks for certain extenders: html, pdf, txt. Using some of those extenders confuses Ubuntu. It’s not a show-stopper, but it does slow things down. The text files are created from the word processor and saved as plain text. With Word, I can force line feeds; I can’t (seem to) do that with OpenOffice.org Writer.

With Vista, and XP before that, I could shrink an application to the ribbon at the bottom of the screen; when I do that with Ubuntu I usually lose the application and have to relaunch it. Ubuntu is fast, but why can’t I see the app in the ribbon?

There is a lot that can be said for Ubuntu and OpenOffice.org and all the rest of the FREE applications available for Linux and I suspect as I spend more time with them I’ll find work-arounds.

But for now, I feel like I’m caught between a rock and a hard spot (or anvil and hammer, if you prefer) – Microsoft is driving me up the wall with its constant mucking about with the UI (and the apps get fatter and fatter) while Linux lacks many features and functions I’ve come to take for granted.

Maybe I should chuck it all and buy myself a good fountain pen. Do they still make them?

John Glenn
Scrivener & other things
Hollywood/Fort Lauderdale Florida