Posts categorized "Business"

October 19, 2007

Administaff, Inc. (NYSE: ASF): 159,000 Employees At Risk for Identity (ID) Theft

Here we go again.  This time Administaff, Inc. is reporting the theft of a laptop containing the names, addresses and social security numbers for 96,000 former and 63,000 current employees.

For more information go to: http://www.administaff.com/idprotection/

When will organizations get serious and do something about the lax policies and procedures in their corporate culture to prevent incidents like these? 

Technology solutions such as data encryption and password protection are only part of the solution in protecting confidential information.  A logon password by itself does not protect the data on a stolen laptop, since the drive can be pulled and read directly; encryption of the disk or of the files is what actually keeps the data from the thief, and even that only works if the encryption was in fact deployed and turned on.  Organizations must do a better job of defining good corporate policies and procedures for ensuring that confidential information is protected appropriately.  Organizations must do a better job of educating their workforce on the policies, procedures, and risks involved in protecting confidential information.

September 28, 2007

GAP Inc. (NYSE: GPS): 800,000 Job Applicants At Risk for Identity (ID) Theft

Gap Inc. (NYSE: GPS) has announced that a laptop containing the information on 800,000 job applicants was stolen from a third-party vendor contracted to manage the information for job applicants.  (See: Gap Inc. - http://www.gapinc.com/public/Media/Press_Releases/med_pr_092807announcement.shtml)

What is corporate America thinking? Why was the personal information for 800,000 job applicants stored locally on the hard drive of one laptop in the first place? 

Personal and confidential business information should not be stored on laptop computers unless you apply strong protection for that information.  Encryption of data at the file system level is only one method of protecting confidential information that may be stored on a laptop computer. 

Gap Inc. did, however, require its third-party vendor to encrypt the data on its computer systems.  There is a mile of difference between writing a contractual requirement and taking the audit steps to verify that the requirement is actually enforced on the machines that hold the data.
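One audit step that goes beyond reading the contract is to look for the data itself: walk the drives in question and flag any file that holds a meaningful number of SSN-shaped records, regardless of what the vendor said about encryption.  The script below is an added example for this post, not code from Gap Inc. or its vendor; the directory it scans and the three files in it are constructed sample data, and the count threshold of five is an assumption chosen to skip incidental single mentions.

```python
import os
import re
import tempfile

# Candidate SSN: 3-2-4 digits, optionally separated by '-' or ' ', and not part of
# a longer digit run (so phone numbers and account numbers do not match).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  This removes most placeholder and test values."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def count_ssns(text: str) -> int:
    """Number of distinct plausible SSNs in text (formatting differences collapsed)."""
    found = set()
    for area, group, serial in SSN_CANDIDATE.findall(text):
        if is_plausible_ssn(area, group, serial):
            found.add(f"{area}-{group}-{serial}")
    return len(found)


def scan_tree(root: str, threshold: int = 5, max_bytes: int = 50_000_000) -> dict:
    """Walk root and return {path: distinct SSN count} for every text file holding
    at least `threshold` SSNs.  Files containing NUL bytes are treated as binary
    and skipped; oversized or unreadable files are skipped as well."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw:
                continue
            n = count_ssns(raw.decode("utf-8", errors="replace"))
            if n >= threshold:
                hits[path] = n
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory (sample data, not real records) with one
    applicant export, one notes file and one binary file; return its path."""
    root = tempfile.mkdtemp(prefix="pii_scan_")
    rows = ["name,ssn"] + [f"applicant{i},{123 + i:03d}-45-{6789 + i:04d}" for i in range(6)]
    with open(os.path.join(root, "applicants.csv"), "w") as fh:
        fh.write("\n".join(rows) + "\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        # one phone number, one invalid SSN, one 11-digit badge, one real-looking
        # SSN written twice in different formats: counts as a single SSN
        fh.write("Call 555-123-4567. Test record 000-12-3456. Badge 12345678901. "
                 "Verified 321-54-9876 (same as 321 54 9876).\n")
    with open(os.path.join(root, "photo.bin"), "wb") as fh:
        fh.write(b"\x89PNG\x00\x00" + b"123-45-6789" * 10)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, n in sorted(scan_tree(sample).items()):
        print(f"{n:>6} SSNs  {path}")
```

Run it against a mounted image of the laptop, or against the vendor's file shares, and every file it reports is a place where the contract's promise can be checked against reality.  A file that is properly encrypted at rest will not decode as text and produces no hits; a plaintext export of 800,000 applicants will light up immediately.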

If you applied for work at Gap, Old Navy, or at Banana Republic stores in the U.S., Puerto Rico, and Canada, between July 2006 and June 2007, you are encouraged to contact the Gap Inc. 24 hour Security Assistance Helpline at 1-866-237-4007. (See: www.gapsecurityassistance.com)

August 20, 2007

Security Leadership: Lead With Integrity

5. Lead with integrity
Personal and professional integrity should be at the core of a security leader’s beliefs and actions.  In today’s business climate, unfortunately corporate scandals show some executives sacrificing their personal and professional ethics.  True excellence and leadership demands executives hold strong personal and professional ethical standards.

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

The American Heritage® Dictionary of the English Language (Fourth Edition.  2000) defines the word "integrity" as:  "Steadfast adherence to a strict moral or ethical code."

Leading with integrity is the definition of what some might call ethical leadership.  However, being a leader doesn't guarantee that you are being ethical in all that you do.  Likewise, being a person with high moral and ethical standards doesn't transform you into a leader.  Being a professional who leads with integrity in every action you take, on the other hand, will ensure long-term success for yourself, your organization, our community and society.

I challenge all business professionals and leaders--it is time we lead with integrity in our work and everything we do.

Jaime

August 16, 2007

Security Leadership: Value People

4. Value people
Too often security executives fail in their leadership because they forget that building relationships and trust with people is the secret to long-term success.  Learn to build relationships based on trust with your subordinates, peers, and partners to enhance your leadership performance.

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

The number one reason organizations relegate their business partners to "vendor or supplier" status is that most "business partners" fail to develop deep, mutually trusting personal relationships with those organizations.  Business partners become obsessed with "the next sales cycle" and forget to care about their partner's business issues.

As a former CISO in the health care industry, I can remember working with some technology partners who wasted the opportunity to build a long-term, mutually beneficial relationship with our health care organization.  These partners were more interested in earning sales commissions, often recommending solutions and services that did not address our most important strategic business issues.  Unfortunately for those partners, they were relegated to "vendor" status quickly.  The "vendors" who threw away their product brochures, listened to our needs, and genuinely cared about our work of healing people and helping them manage disease quickly became our business partners; they became our valued partners.

Early in my career path, I made the mistake of not valuing the talent, hard work, and contributions of subordinates, peers, and partners alike.   Since then, I've made a conscious effort to correct those mistakes.  Forget hierarchies and organizational charts.  Treat everyone the same, with respect, dignity, and value them for who they are.  Your life will be enriched beyond measure--as my life has been blessed.

Jaime

August 15, 2007

Security Leadership: Be Innovative

3. Be innovative
Innovation in security management is critical to achieving excellence.  Don’t be afraid to try new ways to protect your IT assets and organizations.   Those people determined to break your information security are using innovation and creativity to find new ways to breach your information security defenses. Don’t be afraid to innovate and be creative in protecting your information assets and organizations.

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

In my previous blog post, I mentioned that technology alone won't solve all of our security challenges.   Today security challenges faced by organizations are not limited to technology.  In order to effectively address ever evolving challenges, security leaders must be innovative and creative.   

One organization that has been characterized by its ability to foster innovation and creativity is the U.S. space agency NASA.  Every time I witness a U.S. Space Shuttle launch, I'm amazed at the incredible combination of science and innovation that has driven NASA to turn an impossible feat, of putting men and women into space and earth orbit, into a routine event.  NASA has found one of the timeless secrets of true long term success for any organization--the ability to harness the incredible power of innovation and creativity.

I challenge you as leaders and organizations to foster innovation and creativity in all you do.  You may be surprised at the long-term business dividends.

August 14, 2007

Security Leadership: Learn from failure

2. Learn from failure
Failure is a road map to success.  Learn from your failures in security management and from the mistakes of others.  Don’t be afraid of taking risks, failing, and then learning from failure.  Thomas Edison never gave up, even after 10,000 failures when trying to invent the incandescent light bulb.  Have you failed 10,000 times in your security management leadership?  If not, then don’t give up!  Learn from failure!

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

One of the important lessons often overlooked by security professionals and executives is simple: effective security is not achieved with technology alone.

Senior security executives (CSOs/CISOs) are often forced into untenable positions when business units in their organizations ask for security solutions as an afterthought to information technology (IT) initiatives.  CSOs/CISOs are then forced to provide quick, technology-centric solutions to those business and IT requirements, setting aside the lesson that effective security is not achieved with technology alone.

It is your responsibility as a security professional and executive to break this reactive cycle.  If we are to be effective security leaders, we must build personal relationships within our own organizations, across business units and with other leaders, to make our work a strategic part of the business.  As a security professional and executive, when was the last time you reached out to other business units to understand their business problems?

We can add value to every corner of our organizations.  The lessons are out there for us to learn and put into practice.  If you have a lesson you'd like to share with me and the other readers of this blog, please leave a comment or email me.

Wishing you continued success in your security leadership.

Jaime

July 16, 2007

Leadership Lesson: Think Differently

"1. Think differently
Don’t be afraid of challenging the status-quo.  True excellence as a security executive and leader demands you are willing to think differently.  Dare to think big and differently! "

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

When I shared the presentation "Leadership Lessons for Security Excellence", here on my blog a few weeks ago, I received many responses.  Thank you to everyone for sharing your thoughts and providing feedback.

One of those responses, an email from a friend and colleague really moved me.   My friend shared  that after working for 20 plus years in his particular industry, he felt his organization and industry didn't reward employees for thinking differently.   Today, my friend is looking forward to leaving his organization in order to be able to explore this and other interests.   

This made me think: why don't organizations reward employees for having the courage to think differently?  The organizations that do reward it are highly successful.

Allow me to illustrate.  Google, which is considered one of the most admired companies, is so admired in part because Google rewards employees for being creative and thinking differently.  Rewarding employees for thinking differently is not the only factor contributing to Google's financial performance.  However, in the long run I'm willing to bet that Google will be more successful than its competitors in terms of employee satisfaction, performance, and the financial bottom line by allowing its employees to think differently.

In December 2004, as a CISO for a large non-profit health care system, I was invited to participate on a CISO/CSO panel presentation during the InfoSecurity Conference in New York City at the Jacob K. Javits Convention Center.   This panel was comprised of CISOs/CSOs that included:

  • Larry Brock, CISO, DuPont
  • Mary Ann Davidson, CSO, Oracle
  • Chris Hoff, CISO, WesCorp
  • Gerhard Eschelbeck, CTO, Qualys

Pete Lindstrom, Director of Spire Security was the moderator for the event.  During our panel discussion of how organizations could best adapt to the threats of zero-day based security risks, I took the opportunity to share one of the ways we, as a health care system, took action and thought differently.  Let me share with you what I shared then.

As a CISO in health care, I'd noticed that most health care information technology vendors had unclear or non-existent secure coding practices integrated into their software development life cycles (SDLCs).  At the health care system where I was working at the time, we decided, in conjunction with the Information Technology department, to mandate detailed questions and a review process in all RFPs used for vendor evaluations.  We questioned vendors in detail on the secure coding practices contained in their SDLCs.

While today most information security breaches occur at the application software layer, in 2004 most organizations (especially in the health care industry!!!) were not thinking about mitigating risks from that perspective.  In this process, by being willing to question and make vendors accountable for secure coding practices in their SDLCs, we were miles ahead of most competitors in mitigating risks, including zero-day based risks!

I challenge you to think differently.  Dare to think differently in  your work and leadership.  You may be surprised by the results.  Wishing you the best on your new vision to think differently.

July 03, 2007

Security Excellence Day, 20-June-2007, Milan, Italy

On 20-June-2007, I participated as a keynote speaker at the Security Excellence Day Conference in Milan, Italy at the invitation of SanDisk (www.sandisk.com) and NSEC Srl (www.nsec.it).

The invitation only event for C-level executives in Europe was co-sponsored by IBM, Microsoft, SanDisk, Applied Identity, and NSEC Srl.  The focus of the conference was to discuss the future direction and trends for information security.  Speakers included:

My presentation entitled “Leadership Principles for Security Excellence” focused on the key “soft” skills top security executives often overlook which can help enhance their leadership performance.  Here is a brief summary of the presentation and the accompanying slide deck.

Leadership Principles for Security Excellence

1. Think differently
Don’t be afraid of challenging the status-quo.  True excellence as a security executive and leader demands you are willing to think differently.  Dare to think big and differently!

2. Learn from failure
Failure is a roadmap to success.  Learn from your failures in security management and from the mistakes of others.  Don’t be afraid of taking risks, failing, and then learning from failure.  Thomas Edison never gave up, even after 10,000 failures when trying to invent the incandescent light bulb.  Have you failed 10,000 times in your security management leadership?  If not, then don’t give up!  Learn from failure!

3. Be innovative
Innovation in security management is critical to achieving excellence.  Don’t be afraid to try new ways to protect your IT assets and organizations.   Those people determined to break your information security are using innovation and creativity to find new ways to breach your information security defenses. Don’t be afraid to innovate and be creative in protecting your information assets and organizations.

4. Value people
Too often security executives fail in their leadership because they forget that building relationships and trust with people is the secret to long-term success.  Learn to build relationships based on trust with your subordinates, peers, and partners to enhance your leadership performance.

5. Lead with integrity
Personal and professional integrity should be at the core of a security leader’s beliefs and actions.  In today’s business climate, unfortunately corporate scandals show some executives sacrificing their personal and professional ethics.  True excellence and leadership demands executives hold strong personal and professional ethical standards.

6. Change the world
Adopting some or all of these Leadership Principles for Security Excellence will allow you to change the world around you.  As a leader you will have a noticeable positive impact on your subordinates, peers, partners, your organization, and your industry: your world.

I'd like to extend my sincere thanks to SanDisk and NSEC for inviting me to share at this event.  I welcome comments from you, my blog readers, on this presentation.

Pictures of the event
http://www.flickr.com/photos/nsec/sets/72157600464937201/

NSEC Press Release
Download PR_NSEC-Security_Ecellence_Day.pdf

NSEC Blog - Thank You

April 02, 2007

Call for U.S. Congressional Investigation into Contract Fraud and Abuse by U.S. Department of Veterans Affairs

On Friday March 30, 2007, I wrote a blog post regarding a U.S. Department of Veterans Affairs outsourcing contract that has been grossly mismanaged.   

This weekend I was reminded that there are still people who have the courage and integrity to do what is correct, even in the face of adversity.

A reader of this blog sent me the following anonymous email:

"As one of the people working on this contract I can tell you that a lot of good, hardworking people were hurt by the 'allowing the contract to expire' part - they came in unannounced at 4:30p.m. on a Friday and told everyone to leave "and do not lock your computers" - the VA wanted to remove as much evidence of their wrongdoing as possible to pin the blame solely on SecureInfo if they could; in order to save the government careers of many of the government employees involved. It worked; and it put a lot of people out of work - people who were not made aware that the VA Central Office was using the contract as their "personal IT checkbook". I won't go so far as to say some of the contractor management weren't complicit in this act; but too many people are interpreting this news as the contractors were all bad. It was the VA that abused the contract - they know exactly where all the computers and security equipment they bought is; in storage at their primary and secondary SOC sites."

First, let me say to Anonymous--thank you for having the courage to share your viewpoint.  I'm sorry that hardworking people including yourself are the unfortunate victims of corporate and government greed and corruption.  Wishing you the best in finding new career opportunities. Please let me know how I may be of assistance to you now or in the future.

Secondly, Anonymous makes several good points.  The primary responsibility for the mismanagement of this contract lies with the Department of Veterans Affairs.  I agree with Anonymous that the majority of the hardworking men and women (information security professionals) with the contracting firms are not the ones to blame.

Anonymous brought up an interesting comment regarding how the VA told those working on the project:  "they came in unannounced at 4:30p.m. on a Friday and told everyone to leave "and do not lock your computers".

If that is true, from an IT audit perspective I find it troubling.  Telling contractors to leave their computers logged in under their own credentials (user name and password) and not to return is something any Congressional investigation should examine closely.  Once those contractors leave the building, anyone can sit down at an unlocked workstation and keep doing whatever the contractor could do, and every action taken at that keyboard is recorded in the audit logs under the contractor's account rather than under the account of whoever is actually typing.  That is exactly the scenario Anonymous describes: "the VA wanted to remove as much evidence of their wrongdoing as possible to pin the blame solely on SecureInfo if they could; in order to save the government careers of many of the government employees involved."  The VA should instead have told the contractors to log out of their computers and then disabled all of their user accounts immediately, so that the contractors' audit trails in VA systems and software applications would stop cleanly at the time they left and any later access would have to occur under someone else's credentials.  Asking the contractors to leave their accounts logged in opens the door to reasonable doubt about the integrity of every audit trail that bears those contractors' names.
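The check an IT auditor would run afterwards, given as an added example that is not part of this post or of any VA or OIG material: take the host or application audit log, the time the contractors were sent home, and the directory's record of when each account was disabled, then list every action the log attributes to a contractor account after departure and note, per account, whether a logoff and a disable are on record.  The log format, account names, workstation names and times below are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log in a deliberately simple format:
#   <ISO timestamp> <account> <workstation> <action ...>
# Accounts, hosts, paths and times are invented for this example.
SAMPLE_LOG = """\
# contractors told to leave at 16:40 and not to lock their computers
2007-03-16T16:38:00 jdoe ws-101 open soc-fs:/contracts/inventory.xls
2007-03-16T16:39:00 asmith ws-102 open soc-fs:/contracts/purchase_orders.xls
2007-03-16T16:42:00 asmith ws-102 logoff
2007-03-16T17:05:00 jdoe ws-101 delete soc-fs:/contracts/inventory.xls
2007-03-16T17:06:00 jdoe ws-101 delete soc-fs:/contracts/purchase_orders.xls
2007-03-16T17:30:00 rgov ws-200 logon
"""

DEPARTED_AT = datetime(2007, 3, 16, 16, 40)
# Accounts belonging to the people who were sent home, and when they left.
DEPARTURES = {"jdoe": DEPARTED_AT, "asmith": DEPARTED_AT}
# Disable times recorded by the directory service (absent = never disabled).
DISABLED = {"asmith": datetime(2007, 3, 16, 16, 50)}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str


def parse_log(lines):
    """Parse the constructed log format above; blank and '#' lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, action = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, host, action))
    return events


def audit_departures(events, departures, disabled):
    """For each departed account report whether a logoff and a disable are on
    record, every non-logoff action attributed to the account after the person
    left, and whether the trail therefore stops cleanly at departure.  Actions
    after departure are the ones whose attribution cannot be trusted: with the
    session left open, anyone at the console could have produced them."""
    report = {}
    for user, left_at in departures.items():
        own = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
        logged_off = any(e.action == "logoff" and e.ts >= left_at for e in own)
        post = [e for e in own if e.ts > left_at and e.action != "logoff"]
        # Activity after the recorded disable time means the disable did not take.
        after_disable = [e for e in post if user in disabled and e.ts > disabled[user]]
        report[user] = {
            "logged_off": logged_off,
            "disabled": user in disabled,
            "post_departure_events": post,
            "events_after_disable": after_disable,
            "trail_stops_at_departure": logged_off and user in disabled and not post,
        }
    return report


if __name__ == "__main__":
    findings = audit_departures(parse_log(SAMPLE_LOG.splitlines()), DEPARTURES, DISABLED)
    for user, r in findings.items():
        print(f"{user}: logged_off={r['logged_off']} disabled={r['disabled']} "
              f"clean={r['trail_stops_at_departure']}")
        for e in r["post_departure_events"]:
            print(f"    {e.ts.isoformat()} {e.host} {e.action}   <- attributed after departure")
```

In the sample, asmith's trail is clean (logoff at 16:42, account disabled at 16:50, nothing afterwards), while jdoe's account deletes two files at 17:05 and 17:06 with no logoff and no disable on record.  Nothing in the log can say who was at ws-101 at that point, which is precisely why a log-out-then-disable procedure at the moment of departure matters.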

As both a security professional and IT auditor, I cannot believe that the hardworking men and women at the contracting firms had any malicious intent to defraud our government.  However, I do believe that the conduct by the VA and the management at the contracting firms need to be further investigated for their actions and mismanagement by the U.S. Congress.

Once again I will reiterate my call for a U.S. Congressional investigation to bring forth the facts and lay blame on those responsible for mismanaging and wasting our government's financial resources.  Our men and women in uniform who serve honorably in our armed forces deserve to have a VA that is a faithful steward of the resources given to them to administer for the benefit of our veterans.

OK. I'll stop preaching to the choir.  If anyone has any further comments on this topic please write to me and post a comment on this blog.  Thank you for sharing.

March 30, 2007

I'm Outraged and Why You Should Be Also: $250 Million Valued IT Security Contract Fraud and Abuse by U.S. Department of Veterans Affairs

On February 26, 2007, the Office of Inspector General (OIG) for the U.S. Department of Veterans Affairs (VA) issued a scathing report (http://www.va.gov/oig/52/reports/2007/VAOIG-04-03100-90.pdf) on the fraud and abuse committed by the Department of Veterans Affairs regarding a $250 million Information Technology (IT) security contract. 

According to the OIG Report the IT security contract was defined as:

"The purpose of the VA-CIRC (Central Incident Response Capability - CIRC) contract (contract) was to provide state-of-the-practice incident handling and response capabilities for the entire VA. VA had to expand the existing CIRC to a broader, world-class operational CIRC and Security Operations Center (SOC) environment to assure confidentiality, integrity, availability, and privacy of information and services for Veterans.

The contract also became VA’s mandatory source for Managed Security Services (MSS). The Request for Proposal (RFP) described MSS as: acquisition, installation, integration, configuration, and monitoring of VA’s enterprise infrastructure; vulnerability assessment and penetration testing; cyber security intelligence gathering and support of network operations; and supporting the Enterprise Cyber Security Infrastructure Project.

The procurement action was a 100 percent small business set-aside contract authorizing and encouraging joint ventures or teaming arrangements. On July 19, 2002, VA awarded a contract to Veterans Affairs Security Team, LLC. (VAST), a limited liability corporation incorporated in the State of Texas. VAST was formed by members of the joint venture that included SecureInfo Corporation, AEM Corporation, ADTECH Systems, DSD Laboratory, SEIDCON Incorporated, and TEAMBI Solutions Incorporated, all of which are small businesses. Compaq, SAIC, and SIGNAL, large businesses, were added to the VAST team, but were not identified as members of the joint venture.

The $102.7 million fixed-price contract included $82.9 million for recurring labor and $19.8 million for equipment and supply cost spread evenly over a term not to exceed 10 years. By March 2005, when the contract was allowed to expire, VA expended approximately $91.8 million (89.4 percent) of the total contract value."

Key findings of the report:

1.  Poor planning, contract award procedures, and contract administration resulted in a lack of funding within 3 years.  No surprise here; the contract was originally awarded in 2002.

2.  Contract awarded to a Texas LLC that was created (incorporated) 7 days before the contract was awarded.  Since the member companies of the joint venture formed the LLC, they all have limited liability protection.  According to the OIG report:

"On July 19, 2002, a contract valued at $102.7 million over a possible 10-year time period was awarded to VAST. VAST was a limited liability corporation, incorporated in the State of Texas on July 12, 2002, just 7 days before the contract was awarded. The primary corporation behind VAST was SecureInfo, a small business located in Texas."

"Because the contract was awarded to VAST, not the joint venture or business entity in the joint venture, the individual companies who comprised the joint venture were protected from liability. Our review of VAST’s corporate and bank records revealed that the corporation had no assets, which may have left VA with no grounds to recover overpayments, which we estimate could be as high as $8.5 million." 

This is an outrageous example of the fleecing of Veterans and our national treasury by money hungry corporations. Is anyone as outraged by this legal maneuvering and financial fraud?  The VA and those corporations behind these legal entities should be held accountable!

3.  The original $102.7 million fixed-price contract was modified to a potential value of $250 million.  Additional work worth $48.6 million was completed outside the original contract scope under contract modification authority.

4.  $35 million for equipment and supplies unaccounted for.  No inventory of any equipment is available. According to the OIG report:  "VA does not know what equipment it has or where it may be located."

It is outrageous and really makes me upset that this type of fraud and waste is ongoing at a time when the United States federal government is facing funding shortages for Veterans services.  We have men and women who serve honorably in our armed forces coming home from theaters of war, and the VA, the government agency chartered to provide services to them, is wasting taxpayer dollars on contracts that have no accountability.  That is inexcusable.

I urge anyone reading this blog story to contact your U.S. Congressional representatives, express your opinions, and demand further investigation of the VA's conduct and of the role of the companies behind VAST LLC in this egregious case of fraud and waste of taxpayer and Veterans resources.