ABOUT:
CREDENTIAL CHECK CORPORATION™

CORPORATE HEADQUARTERS
TOLL-FREE:
(888) 689-2000
TOLL-FREE FAX:
(877) 689-1500
WEB:
www.credentialcheck.com
E-MAIL:
info@credentialcheck.com

Welcome
Welcome to the October 2006 edition of the Credential Check Examiner! This month we look at issues surrounding the HP scandal, ways to prevent data loss, and how instant messaging affects the workplace. As always, please feel free to reply with your comments and suggestions!

Ethical Workplace Investigations: A Case for Better Practices
In May 2006, the U.S. House of Representatives, by unanimous vote, passed HR4709, the “Telephone Records and Privacy Protection Act of 2006.” Its passage was clearly the result of the avalanche of publicity over the trafficking of personal telephone records by unscrupulous data brokers and private investigators. While the Senate will not likely take up the bill until after the Fall elections, insiders agree that the bill will likely receive the Senate’s blessing and see the desk of the president before year’s end. If this important bill becomes law, the use of most pretexting (a covert investigative technique in which an assumed identity is used to collect information) will be unlawful. Recently, the International Association of Security and Investigative Regulators (IASIR) issued the following resolution: "Be it resolved that IASIR recognizes the common practice of pretext as an investigative tool in lawful investigations by both public law enforcement and licensed private investigators and security practitioners."
The issue of pretexting to obtain private records continues to grab the nation’s attention. On September 28, 2006 the House Committee on Energy and Commerce’s subcommittee on Oversight and Investigations questioned Hewlett-Packard Chief Executive Mark Hurd and former Chairman Patricia Dunn about their knowledge of and involvement in an internal investigation conducted by HP security personnel. Allegedly HP hired private investigators who used pretexting to obtain the personal telephone records of several board members, HP employees and reporters. Hurd and Dunn answered few questions, but succeeded in demonstrating the devastation a poorly run and possibly illegal investigation can inflict on the reputation of an organization and the careers of its executives. The public relations disaster that has ensued was unnecessary and unfortunate.

The Wall of Shame: Prevent Data Loss Incidents, Don’t Contribute to Them
So far in 2006 over 32 million clients have had personal data exposed in 218 data loss incidents – up from 112 in 2005. That number will likely reach 300 by the end of the year. The organizations exploited included colleges, government, service providers, and companies alike. Most disturbing, the majority of these incidents were entirely preventable. Most data loss is preventable with diligence, particularly in cases from this year where a laptop theft was the root cause of the problem. To keep your organization from becoming the next poster child for what not to do, don’t start with the laptop – start with good practices.
First, most organizations should never store private client information on a laptop – or even a desktop. The data should be stored on a server in a locked area not accessible to the public or most employees. For small organizations that lack a central server, store the data on an external hard drive in a locked location every night when the business closes – also not accessible to most employees. Lesson: DO NOT store private data on unprotected systems.
Second, the data should be encrypted. Period. There is no excuse for stolen data to ever be compromised while numerous, often free, encryption solutions exist. Even for organizations whose laptops hold no private client data, those laptops should be encrypted. You have intellectual property, client lists and contact data, and inter-company information on them that are a part of your business. Protect those mobile systems as if they contained private client information. Lesson: USE ENCRYPTION.
Third, use clear policies and procedures for handling client and corporate information. The public understands that not every breach can be prevented, but a company that has taken reasonable measures to protect data is likely to be forgiven. Saying that one of your laptops was stolen and it exposed data because you never encrypted it or stored it on a server is unforgivable.
Use a Virtual Private Network (VPN) to encrypt data transiting mobile systems as well. Storing private protected client data on a server is a first step. If you are not using a VPN or other encrypted connection, the data you transmit back to the home office can be monitored or stolen. Most data loss is preventable, and your organization becoming another statistic of failure is only a certainty if you fail to act.
by Robert J Bagnall

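The first lesson above (do not keep private data on unprotected laptops or desktops) is only actionable if you can find where such data has accumulated. The following script is an added example, not code from the newsletter or from Credential Check Corporation: it walks a directory tree and flags files containing SSN-shaped numbers or Luhn-valid payment-card numbers, so those files can be moved to the server or encrypted. The sample files it creates under a temporary directory are constructed for the demonstration and contain no real data; the regular expressions and the Luhn filter are assumptions about what "private client data" looks like and will not catch every format.

```python
"""Locate files that appear to hold private client data (SSN-shaped and
Luhn-valid payment-card numbers) so they can be moved off unprotected
systems or encrypted.  Standard library only."""
import re
import tempfile
from pathlib import Path

# Identifier shapes we look for (assumed formats, not an exhaustive list).
# SSN: 3-2-4 digits with dashes.  Card: 13-19 digits, optional space/dash
# separators between digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; drops most random digit runs (order numbers,
    phone numbers) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped values in a text."""
    ssn_count = len(SSN_RE.findall(text))
    card_count = 0
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            card_count += 1
    return {"ssn": ssn_count, "card": card_count}


def scan_tree(root) -> list:
    """Walk root and return [(relative_posix_path, counts)] for every file
    with at least one hit, in sorted path order."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue            # unreadable file: skip rather than abort
        found = find_pii(text)
        if found["ssn"] or found["card"]:
            hits.append((path.relative_to(root).as_posix(), found))
    return hits


def build_sample_tree() -> str:
    """Create constructed sample files (test data, not real records) in a
    fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="pii_scan_")
    files = {
        "clients/roster.csv": (
            "Jane Doe,123-45-6789,4111 1111 1111 1111\n"
            "John Roe,987-65-4321,5500000000000004\n"
        ),
        # 16 digits but fails Luhn; 555-123-4567 is not SSN-shaped
        "notes/todo.txt": "Order #4111111111111112 shipped; call 555-123-4567.\n",
        "memo.txt": "Nothing sensitive here.\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, found in scan_tree(sample_root):
        print(f"{rel}: {found['ssn']} SSN-like, {found['card']} card-like values")
```

Run it against a real home directory by passing that path to `scan_tree()` instead of the constructed sample tree; anything it reports is a candidate for moving to the locked server or for full-disk encryption, and the Luhn filter keeps the false-positive rate from purely numeric content (order and phone numbers) low enough that the list is worth reading by hand.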
The Rising Concern of RFID Security
Radio Frequency Identification (RFID) is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. The use of such RFID technology has become increasingly popular throughout the years and is commonly used in transport payments including electronic toll collection “passes,” product tracking, automotive theft protection, and correctional systems across various states in the US. Both large and small organizations alike are using this technology in the form of corporate access or “proxy” cards. Additionally, RFID tags are used in passports throughout many European countries, and their specific use in the passports of millions of Americans is scheduled to begin in October. However, grave security concerns have arisen as of late with RFID technology. At a security conference this past August, researchers from a security firm in Hildesheim, Germany demonstrated that passports equipped with RFID tags can be cloned, with ease, using a laptop outfitted with an RFID reader and a smart card writer, both of which are relatively inexpensive. Similarly, the researchers were also able to successfully copy corporate access cards. So, what are the implications for organizations? Put quite simply, this means a potential attacker could copy access cards and use the copies to gain access to an organization’s most secured rooms and/or buildings, thus creating a security breach. Additionally, for employees who travel internationally, the concern is about personal privacy and a potential attacker merely knowing that you are carrying a passport. Aside from other concerns, many fear the plausibility that American travelers could be identified and targeted by potential attackers abroad. The discovery of the security deficiency discussed above has sparked additional research into the use of RFID and the overall security of such technology.

Instant Messaging in the Workplace
The world of instant messaging (IM), once dominated by teens and college students, has begun to take the corporate world by storm. Workers are increasingly using commercial instant messenger services to communicate with fellow employees, as well as with individuals outside of their workplace. According to the 2006 Workplace E-Mail, Instant Messaging & Blog Survey from the American Management Association (AMA) and The ePolicy Institute, 35 percent of employees are now using instant messaging at work. In addition, 50 percent of these users also reported that they have downloaded free consumer IM tools from the internet to facilitate chatting. What are people chatting about and what types of content are passing through workplace networks? The 2006 AMA/ePolicy Institute Survey revealed that 26 percent of communication contained attachments; 24 percent included jokes, gossip, rumors, and disparaging remarks; 12 percent consisted of confidential company, employee, and client information; and 10 percent incorporated sexual, romantic, and pornographic material. What does this mean for corporations? By allowing for real-time interaction, messenger services do have the ability to increase productivity and efficiency, but only if they are used correctly and securely. IT managers are becoming increasingly concerned over the ability of an IM service to create a gap in the security wall put in place by company-installed firewalls. Another concern is the amount of bandwidth being utilized by messaging and chatting services. A further challenge for companies is the fact that consumer instant messaging services do not provide services such as archiving, auditing, encryption, authentication and the logging of communications. These services are necessary to ensure corporate compliance under the Sarbanes-Oxley Act of 2002 and SEC Rule 17a-4.
To comply, an organization must have the ability to control whom individuals can instant message, to log and archive those messages, and a systematic method to review those messages. As a response to the security and manageability concerns faced by organizations, numerous programs have been developed to aid organizations in implementing compliant and secure messenger services for their employees. These programs generally are classified as those which will work with existing consumer IM services or those which will provide a comprehensive, stand-alone instant message service for the organization. One thing is for sure: instant messaging will continue to push its way into the corporate world. Resources and programs are available and will continue to evolve, assisting organizations with the challenges instant messaging presents. Proactive organizations have already begun to manage this issue. For more information on the AMA study, see http://www.amanet.org/press/amanews/2006/blogs_2006.htm.

Re-communication: A Key Component of Your Whistleblower Hotline
Perhaps the most important part of having an Anonymous Incident Reporting System (AIRS) is making the employees aware of the service, the purpose of having it, and how to use it appropriately. It is vital not only to conduct an initial advertising/communication campaign but to establish a routine schedule for continued communication. Organizations that set up a new AIRS often run a large initial communication campaign for their employees, but as time goes by those employees forget that they have this service available to express their concerns. Employees who might have initially received materials have subsequently thrown them out or misplaced them. Turnover in the workforce is also an issue, since new hires may not be aware of the service unless they are properly communicated with. Conducting a re-communication campaign is also a perfect time for organizations to re-emphasize their current policies and procedures for bringing forward concerns. It may be beneficial to emphasize that the system is an added benefit to current policies and procedures – not necessarily a replacement. Here are some suggested ideas for a re-communication campaign:
- Publish articles in the company newsletter
- Display posters or informative material in high traffic areas
- Send out email announcements and include information in employee handbooks
- Add links and information on the organization’s Intranet and external Website
- Train mid-level managers so they can effectively communicate to their employee base
- Distribute wallet cards and employee brochures to employees

Quote of the Month: "What may be done at any time will be done at no time." -Scottish Proverb

Human Resources Tip: Review Your Policies
It is almost unheard of to find an organization that does not have policies around sexual harassment, discrimination, and workplace violence, but far too common is the organization that has stale policies and procedures that have not been reviewed. An organization’s policies and procedures are essential to its protection and compliance. With so many laws changing and evolving, compliance with OSHA, FCRA, HIPAA, and other regulations can be challenging. Furthermore, an organization’s policies and procedures are the first line of defense against employee misconduct. Having strong policies and procedures in place facilitates corrective and disciplinary action against troublesome employees. If an organization is not at least periodically reviewing and updating its own policies and procedures, it is in severe jeopardy of liability and exposure. For example, how many companies had business continuity or disaster recovery plans prior to Hurricane Katrina? Answer: not enough. Recommendation: review your policies and procedures at least yearly, and ideally every six months if possible.

Contact Information
If you are interested in obtaining additional information about these articles or the services offered by Credential Check Corporation, please contact one of the following individuals:
Thank you! We'll see you next month!