October 12, 2007
BPM Back to Basics: Minimizing Risk and Maximizing Security (Part the Second)
When it comes to risk and security management for BPM and more broadly, users represent both the greatest allies and the largest potential problems. After all, if a business can convince its users that it’s in those users’ best interests to contribute to maximizing security and minimizing risk, everybody wins (except the bad guys.) But this is much easier said than done.
Of course, this is really yet another process problem. Said problem has historically been exacerbated by solutions and policies that come across more like “Big Brother” than like aids to greater user flexibility and productivity. However, users find themselves increasingly surrounded by and reliant upon technologies to do their jobs (and live their lives outside of work). As this trend continues, they become more receptive to being engaged in the protection and security of the resources they use.
So, how best to take advantage of this? Well, some useful steps include informing users of the risks to which they can expose corporate intellectual property out of ignorance or lack of attention. (Remember the file your kid downloaded that I mentioned previously?) Another set of useful steps might focus on communicating regularly to users that protection of corporate information is in their own personal, selfish interests. When information isn’t at risk, it’s more available, accessible, and trustworthy, which makes those using it more productive.
It can also help tremendously if those responsible for managing and overseeing the processes affecting information protection and security communicate more regularly with users. Such communications can combine summaries of relevant external and internal news and events with specific recommendations and tips, all intended to increase user awareness. A weekly e-mail, periodic posts on the company intranet, sessions at company meetings – all of these present opportunities to “market” and “sell” information protection processes.
There are a wide range of tools that can help address the security challenge as well. More to come…
Posted by mdortch in BPM • Business Knowledge Management • Security
October 11, 2007
BPM Back to Basics: Minimizing Risk and Maximizing Security (Part the First)
Well. It’s been a while. Hope you’re well – you look great!
Anyway, sorry it’s been a while since you’ve heard from me…unless you’re not, in which case, never mind. A new job, several conferences, blah, blah, blah. And now, back to business.
As I’d been ranting previously, best practices argue strongly for starting from a sound set of first principles with BPM – making sure everything’s working, fixing what’s not, trying to figure out what people are actually doing, those sorts of things. The goal is to reach a Nirvana-like state of continuous improvement, but before that can happen, some incredibly important first principles and best practices should be focused on the twin challenges of risk and security.
(At many enterprises I’ve seen, these are taken together with issues related to regulatory compliance, forging what I have called and heard called the “three-headed monster” of compliance, governance, and risk (CGR) management. However, many of you likely work at enterprises where compliance and governance are not (yet) as immediately pressing as risk and security management, so I will focus here on those two issues.)
It used to be that where IT and, to some extent, business security were concerned, the primary goal was to “keep the bad guys out.” Today, the most consistently bedeviling security challenges are from internal users, many of them authorized and legitimate. Many a virus has been introduced into a company by a legit user bringing in something they got from one of their kids, who got it at school or from YouTube or Facebook – something that turns out to be a carrier of a virus or some other malware.
So security policies and practices must be implemented and/or enhanced to address this reality, while still striving to forestall threats from without. In some cases, companies implement solutions that prohibit the loading of any and all external media into the network, or that automatically quarantine such introductions for inspection and validation. If there is insufficient budget and/or bandwidth to explore, select, and deploy such solutions where you work, it’s still a good idea to implement and enforce policies that discourage such introductions among authorized users.
This is only part of the larger security/risk management picture, however. A bigger, more important, and more tricky part is getting users to understand and accept that these are issues that matter to them, and that they can play major roles in addressing effectively. More on this soonest!
Posted by mdortch in BPM • Business Knowledge Management • Security
July 31, 2007
BPM (Hunh!): What (and Who) is it Good For? Absolutely (Almost) Everything (Eventually)!
I have of late been following numerous parallel event and development tracks regarding BPM and related areas of interest. One of the things that becomes increasingly clear to me is that there are a lot of companies and decision-makers out there who are seriously on the fence, behind the curve (or the 8-ball), and/or all of the above regarding BPM.
I understand. BPM is challenging and complex. One of the primary reasons for this is that it is neither fish nor fowl – or, perhaps, it's fish that thinks it's fowl, or vice-versa. (I'm already confusing myself here, but will press on valiantly nonetheless.)
BPM is a set of human-centric business problems that often masquerade as or are confused for decisions and issues focused on IT solutions and systems. And vice-versa. Moreover, effective IT decisions must be made within a context defined by effective business processes.
So, to get BPM right, it is often necessary to go back to basic first principles to make the best possible decisions. One of those basic first principles comes in the form of a single compound question – what is BPM, and how is it supposed to help our business run better?
Well, I'm glad I asked me that, and hope you are or soon will be glad, too. After much cogitating about first principles for business and IT operations, here's what I've come up with so far.
At its core, BPM is really intended to answer some basic questions, in the order listed, cyclically and on demand as needed.
1. What part or parts of the IT and/or business infrastructure are not working, and can they be fixed non-disruptively? If not, what should be done instead? If so, in what order should they be fixed, and what resources are needed to fix what's broken?
2. Once all critical infrastructure disruptions are addressed, are all elements of the infrastructure providing optimal support to all business-critical applications, goals, requirements, and services? If so, how do we know this, and how can we demonstrate and measure it? If not, how do we know that, and how can we determine how best to fix the situation?
3. Throughout the life cycle of business and IT infrastructure elements and the resources they consume and support, business and IT practices and infrastructures must minimize risk, maximize security, and ensure business-mandated and regulatory compliance. To achieve these goals, do we always know who is using what IT and intellectual property (IP) resources, when, where, why, and how?
4. As basic business goals and requirements are being met, how best can the business and IT infrastructures be improved to enable and support future goals and requirements? And how can this cycle be repeated and refined in ways that lead to continuous positive transformation of business and IT processes and practices – starting again from the beginning of this list?
I'm going to be devoting more time and space here to delving into these and other related basic issues that must be addressed effectively if BPM is to have any real business value. I'm hoping these excursions will provide, over time, an increasingly rich and helpful context within which more specific BPM decisions, both operational and technological, can be made more effectively. We'll see. Stay tuned…
(PS: Yes, the headline of this post is a clumsy, annotated paraphrasing of the late, great Edwin Starr's classic, "War." And yes, we all really, really need to get out and hear newer music more often…)
Posted by mdortch in BPM • Business Knowledge Management • IT Infrastructure Management • Security
July 03, 2007
When Business Processes Fail: Data Protection at the VA – Virtually Absent
According to an Information Week story posted today, the U.S. Department of Veterans Affairs, otherwise known as the "VA," has updated the details of the lost hard drive announced in January. At that time, the VA said a hard drive lost from its Birmingham, AL Medical Center contained approximately 48,000 veterans' records, with as many as 20,000 unencrypted, despite explicit policies requiring such protection.
In February, the VA said the January numbers were a little off. The lost drive could actually have contained personal information about as many as 535,000 people, and about as many as 1.5 million physicians not affiliated with the VA.
Now comes a report dated June 29 from the VA Office of Inspector General (OIG). According to the report, the IT "specialist" who lost the hard drive deleted and encrypted files on his own system, to hide and to minimize the extent of the information lost with the hard drive. Said specialist only confessed after being confronted with information from a forensic analysis the VA OIG had performed.
Further, the report states that the lost hard drive might not have even been lost, had incumbent physical and electronic security policies been followed and enforced. Policies such as encrypting sensitive data, something a local VA administrator apparently decided was unnecessary, if he just asked his workers not to remove the hard drives from the office. Which they did. And to lock them in a safe when not in use. Which they did not. Which likely wouldn't have mattered, since the safe had no access log, nor partitioned access, which meant that every employee who did use the safe had access to every other employee's hard drive. Or at least, the hard drive of any other employees who had bothered to lock their hard drives in the safe.
This laxity in policy enforcement also extended to the unnamed IT specialist. He was also given sufficient access to supposedly private personal information that he could extract information from medical records into a research database. Access he did not need and should not have been granted.
So, what have we learned?
1. Security policies are exactly like business processes. Without consistent documentation and enforcement, and frequent "re-inculcation" among users, they are basically useless.
2. Electronic and physical security policies and processes require close integration and synchronized management, if either is to be truly effective.
3. Enough is enough. That is, don't provide anyone access to more information than they absolutely need to do their jobs. Especially if any or all of that information is considered personal and private.
4. Process management is continuous. Anytime anyone thinks any process is completely managed and requires no more oversight, something bad is about to happen. Especially if there's a poorly managed IT specialist involved…
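The two technical gaps the OIG report describes, a shared safe with no access log and no partitioning, and a specialist holding more access than the job required, are easy to model in code. The following is an added example, not from the original post or from the VA: a small partitioned store in which each asset has one owner, every access attempt (allowed or denied) is recorded, and a least-privilege review lists any rights an actor holds beyond what the job needs. The owners, assets, actor names and rights are constructed for illustration.

```python
"""Partitioned access with an audit trail and a least-privilege review.

Added example (not the post's or the VA's own code). It models the gaps the
OIG report described: a shared store where every user could reach every other
user's assets with no access log, and a user holding more access than the job
required. All names, assets and rights below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(PermissionError):
    """Raised when an actor is neither the owner nor explicitly granted the action."""


@dataclass
class AuditEvent:
    when: str
    actor: str
    asset: str
    action: str
    allowed: bool


@dataclass
class PartitionedStore:
    """Each asset has exactly one owner; a grant names the action and the asset."""
    owners: dict = field(default_factory=dict)   # asset -> owner
    roles: dict = field(default_factory=dict)    # actor -> set of "action:asset" rights
    audit: list = field(default_factory=list)    # every attempt, allowed or not

    def register(self, asset: str, owner: str) -> None:
        self.owners[asset] = owner

    def grant(self, actor: str, *rights: str) -> None:
        self.roles.setdefault(actor, set()).update(rights)

    def _log(self, actor: str, asset: str, action: str, allowed: bool) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, actor, asset, action, allowed))

    def access(self, actor: str, asset: str, action: str) -> bool:
        """Allow the asset's owner, or an actor explicitly granted this action on it.

        The decision is logged before it is enforced, so denied attempts are
        visible to a later review as well as successful ones.
        """
        rights = self.roles.get(actor, set())
        allowed = self.owners.get(asset) == actor or f"{action}:{asset}" in rights
        self._log(actor, asset, action, allowed)
        if not allowed:
            raise AccessDenied(f"{actor} may not {action} {asset}")
        return True

    def who_touched(self, asset: str) -> list:
        """Audit query: every attempt against one asset, in order."""
        return [e for e in self.audit if e.asset == asset]


def excess_rights(store: PartitionedStore, required: dict) -> dict:
    """Least-privilege review: rights each actor holds beyond what the job needs."""
    excess = {}
    for actor, held in store.roles.items():
        extra = held - required.get(actor, set())
        if extra:
            excess[actor] = extra
    return excess


def build_demo() -> PartitionedStore:
    """Constructed scenario: two owners' drives, one specialist with one right too many."""
    store = PartitionedStore()
    store.register("drive-A", "alice")
    store.register("drive-B", "bob")
    # The job needs read access to the records database; export was granted anyway.
    store.grant("specialist", "read:records-db", "export:records-db")
    return store


def run_demo() -> dict:
    """Exercise the store and return the observations a reviewer would check."""
    store = build_demo()
    results = {"own_drive": store.access("alice", "drive-A", "retrieve")}
    try:
        store.access("alice", "drive-B", "retrieve")   # another owner's drive
        results["other_drive"] = True
    except AccessDenied:
        results["other_drive"] = False
    results["denied_on_B"] = [e.actor for e in store.who_touched("drive-B") if not e.allowed]
    results["excess"] = excess_rights(store, {"specialist": {"read:records-db"}})
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With partitioning in place the attempt on another owner's drive fails, and because the attempt is logged before the decision is enforced, the audit trail shows who tried it. The `excess_rights` review is the check that would have flagged the specialist's research-database export right as unnecessary for the job.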
Posted by mdortch in BPM • Current Events • Security
June 20, 2007
When Business Processes Fail: French Government (Tries) to Ban BlackBerry Handhelds!
It has been said many times – particularly in regard to designing, engineering, and manufacturing things like cars – that "the French copy no one, and no one copies the French." Well, after today, we'll just have to see.
News reports today indicate that French government officials have recommended banning BlackBerry devices from government offices and ministries, supposedly including the prime minister's office and the presidential palace. The worry is that since e-mail sent from the devices passes through servers located in the United States and Great Britain, e-mails containing proprietary or sensitive information could end up in the hands of the U.S. National Security Agency (NSA).
Research in Motion, Ltd., (RIM) makers of BlackBerry devices and supporting systems, claims that such intrusions are all but impossible. The company said in a statement that its e-mails are more heavily encrypted than Web sites used for online banking, reports said. The BlackBerry Enterprise Solution has been certified as acceptable by security agencies in Austria, Australia, Canada, New Zealand, and the U.S., with certification under way in Germany and the Netherlands, RIM added in its statement.
Nonetheless, France seems intent on banning the devices. Other reports indicate that unnamed French officials are already using the devices in secret, having found proposed alternatives lacking. Still others indicate that the French are not the first to express this concern. U.S. representatives at the recent G-8 summit in Germany were advised not to bring along their wireless handhelds, to avoid eavesdropping by our friends, the Russians, those reports said.
What are the BPM-related lessons here?
1. Protection of intellectual property (IP) always, always, always trumps the convenience of near-instant communication.
2. Technologies that do not meet an organization's security and/or IP protection requirements should be proactively banned, or removed from the environment as soon as possible once critical shortcomings are discovered.
3. Of course, the most important element of such a strategy is a careful, comprehensive assessment and prioritization of those critical IP protection and security requirements – ideally, before any potentially non-compliant solutions are considered, let alone purchased and deployed.
4. As I've said repeatedly after hearing it years ago from an IT decision-maker at a large financial services firm, "culture eats process for lunch every day." This means that once users find a solution useful, it's going to be difficult if not impossible to ban that solution completely. Which is why early assessment and understanding of critical criteria, and avoidance of candidate solutions that don't meet them, is so very important. Even to and in France. And, possibly, your enterprise as well.
Posted by mdortch in BPM • Business Knowledge Management • Security
May 24, 2007
When Business Processes Fail: Credit Card (In)Security, Anyone? Everyone?
I read with fascination and horror a recent posting by Bennett Haselton, a freelance programmer based in Seattle who also happens to maintain the Web site and mailing lists for a group called Peacefire.org. That organization advocates for free speech for, and against censorship of, younger people (who, perhaps coincidentally, are typically too young to vote). The organization has provided useful information for numerous anti-censorship campaigns and lawsuits, some of which have been successful.
But that's another story entirely.
The recent posting by Mr. Haselton that thrilled and chilled me appears at Slashdot.org, and is entitled "Why are CC Numbers Still So Easy To Find?" It basically lays out how easy it is to find active, working credit card numbers online. The article also lays out how easy it would be for the credit card companies to curtail or eliminate the problem, via simple alterations of business processes and perhaps a Perl script or two.
That's not the chilling part, though. The chilling part is that when Mr. Haselton tried to be the good Samaritan and point out the problem to the credit card companies, most of what he got was "no comment." And when he gave them actual cardholder information, only one, American Express, bothered to contact the cardholders and advise them to change their card numbers.
I'm not finished being chilled, however, and neither should you be. According to comments posted by other readers of Mr. Haselton's article, merchants are at least as responsible for the fraud that results from credit card number theft as the credit card companies' inability or unwillingness to address the issue. That's largely because merchants are frequently too ignorant of regulations and/or technology and/or the scope of the problem – or too cheap – to take the data protection steps prescribed by already-existing standards. That would be the Payment Card Industry Data Security Standard, or PCI DSS. Penalties for non-compliance can include huge fines and the inability to process credit card payments, but non-compliance obviously still exists.
Merchants suffer, too. Every time a fraudulent transaction succeeds, a consumer's liability may be limited to $50, but the merchant can lose the merchandise and its full purchase price (plus transaction fees) to the credit card issuer. Merchants argue darkly that this is the real reason why the credit card companies do little to nothing of substance to curtail the problem of unprotected credit card information.
(Clueless IT people share some of the blame here, too, at least according to some posting comments to Mr. Haselton's article. A strong precedent was set by the "cottage industry" that exploded around compliance with regulations such as Sarbanes-Oxley (SOX). Nonetheless, despite the obvious money to be made consulting with businesses about PCI DSS compliance, there seems to be little awareness of or interest in providing such help among IT people.)
So there's more than enough blame to go around, and enough worthy recipients of it, where credit card information exposure and resulting fraud are concerned. And there are obvious lessons here, for companies that accept and issue credit cards, and for companies and individuals that use them.
1. Guard your credit card information (and/or that of your customers and/or business partners) as if it were cash. Lots of cash.
2. Demand documentation that your credit card information (and/or that of your customers and/or business partners) is being protected at every point in the value chain that involves you (or your customers and/or business partners).
3. Be aware of the regulations and industry guidelines intended to govern protection of sensitive information in your business and/or industry – and follow them. If you're in IT, make sure the appropriate businesspeople are involved and aware. If you're a businessperson, make sure IT is involved and aware.
4. Be transparent. It's not enough to say you're protecting sensitive information. You must be able to demonstrate that you are doing so effectively and consistently, to avoid the ire and suspicion of business partners, customers, prospects, regulators, and other stakeholders. Put shredders next to the desk of each credit card application or transaction processor if need be.
Effective and enforced business processes at any of several places along the history of every ultimately fraudulent credit card transaction would have likely killed that transaction long before its completion. Bad BPM costs money, directly and in damage to corporate perception and reputation. And who knows how much that really costs?
Posted by mdortch in BPM • Security
April 05, 2007
Going with the Business Process Flow – And "Taxing" Business Process Failures
As reported by ebizQ, OutlookSoft Corp. announced the availability of a new Business Process Flows (BPF) Marketplace. This is basically a "community repository" that gives users of the company's OutlookSoft 5 performance management solution new choices. Those users can configure BPFs for their enterprises based on the BPFs included with the software. Or they can browse the BPF Marketplace for BPFs constructed by others, but closely aligned with specific business requirements at those users' own enterprises.
BPFs, according to OutlookSoft, add performance management features to traditional workflows and managed business processes. BPFs can therefore help users spend less time tweaking software, and more time actually managing and optimizing their businesses.
By my lights, OutlookSoft's BPF Marketplace is both a potentially valuable announcement for OutlookSoft users, and another harbinger of the continuing confluence of business analytics, intelligence, and process and performance management and optimization. (Whew!) BPFs are, in fact, elemental "maps" of business processes and their interdependencies. So they should aid any efforts to capture and document business processes, or to assess their effectiveness in real life.
In addition, the ability to seek out BPFs that can be easily adapted to specific needs and goals could help many OutlookSoft users achieve some highly desired but often elusive goals. These include "out-of-the-box" business value and more rapid "time to success" and return on investment. So if your company's an OutlookSoft user, you should definitely check out the BPF Marketplace. If your company is not an OutlookSoft user, you might want to check the software out – and to ask your current performance and/or process management and/or optimization software vendor about their plans, if any, to offer anything similar. And as always, I'd be passionately interested in what you're told and how you react, so please let me know.
Meanwhile, since it's almost time to file your tax returns (or extension requests), did you know that cosmetologists are required to have government-issued licenses, but that tax preparers are not? This may help to explain why the U.S. Department of Justice is suing 24 people at five Jackson Hewitt Tax Services franchises. Franchise owners and their colleagues allegedly fostered an environment that encouraged the filing of fraudulent returns, and then turned a blind eye towards the fraud, according to numerous news reports. The Justice Department claims the fraud resulted in more than $70 million in revenues lost to the U.S. Treasury, and seeks to bar "the franchises and other defendants from preparing tax returns for others."
Jackson Hewitt, which has more than 6,500 locations nationwide, claims that the 125 supposedly involved in the shady practices represent only about 2 percent of the company's total revenues. I infer that this is supposed to indicate that the problem is not that big a deal, at least to the company's overall financial performance. However, I believe that those who are caught and punished for filing the fraudulent returns might have different views of the severity of this problem – a problem caused, I affirm, by failed and inadequately enforced business practices.
In related, similarly disturbing news, more than 500 U.S. Internal Revenue Service (IRS) laptops are reportedly missing, while many others are poorly protected by weak, easily cracked passwords, according to news reports. The IRS says there have been no reported cases of private personal or financial information being compromised or stolen as a result of these problems. To which I add one word: "yet."
Make sure business processes at your business reflect ethics that wouldn't shame your parents, partners, or spouses. And make sure those processes come with consequences, and are enforced, and are clearly documented. And also make sure that every user of every computer understands the need for both strong passwords and constant vigilance over corporate intellectual property (IP) – especially where personal or private information is concerned. And a happy, relaxing Tax Time to you and yours!
Posted by mdortch in BPM • Business Knowledge Management • Security
January 31, 2007
BPM and Security: Inextricably Intertwined
So I've gotten my first spam blog comment, and it reminded me that I've been thinking a lot lately about the connections between BPM and security. In a lot of ways, security is one of the most process-intensive IT-related areas in an enterprise. After all, there are processes, both implicit and explicit, for identifying, then authorizing or denying access to everything in the IT infrastructure, for everyone who tries to gain access.
Another BPM-security connection: both must be woven tightly into IT infrastructures, to be as pervasive and ubiquitous as necessary to provide enterprise-wide coverage. In addition, each needs to be non-disruptive to the point of invisibility.
Of course, security includes many important elements and "moving parts," not all of which are equally well managed by clearly defined and comprehensively enforced processes and policies. For example, spam is a threat to enterprise security, or at least to worker productivity. However, as my ebizQ colleague and "blog buddy" Elizabeth Book wrote a few days ago, truly effective enterprise-wide spam and malware management is, to say the least, a process-intensive set of challenges. Ditto for other security-related issues such as identity and access management (IAM) and network access control (NAC). Add in the triple threats of compliance, governance, and risk, and security becomes even more critical and challenging – as do the processes that define and enable it.
So, how best to address and perhaps take advantage of the various things that connect BPM to security? Here are a few high-level ideas and suggestions.
1. Assess current security practices and solutions for their effectiveness and pervasiveness.
2. Where successful security practices and solutions are identified, ensure that the processes used to define, deploy, and govern those practices and solutions are clearly defined and well documented.
3. Use these as elemental templates and models for other processes, in security and in other business and technology areas.
4. Ensure that all BPM efforts and supporting information are themselves adequately protected from IT and business threats.
Every BPM initiative should include comprehensive and detailed security features. In addition, every security initiative should be based on consistent, enforceable, and well documented processes which are aligned with those that support other critical IT-enabled business initiatives.
Everyone involved in BPM should forge a good working relationship with the chief security officer, chief risk officer, or equivalent person in their enterprise. Good security requires good processes, and good BPM requires good security.
For more, check out "Best Practices for IT Infrastructure Management and Business Alignment," "Managing and Measuring Security in the Enterprise," "The Business Drivers Behind IT Initiatives," and "Top 10 Tips to Minimize Risk" in the RFG section of the ebizQ Analyst Corner. And for goodness' sake, if you don't already, subscribe to the ebizQ weekly security update. And please let me know how BPM and security are aligned – or not – at your enterprise or your customers' sites.
Posted by mdortch in BPM • Security