MAJOR SECURITY FLAW JUST DISCOVERED IN INTERNET EXPLORER (IE)

Users are urged to switch immediately! The problem was discovered about 36 hours ago. The flaw allows thieves to steal your password. I work with information technology and my password has been stolen before. It’s a huge hassle to say the least since I had to estimate the severity of the damage after several of my passwords were stolen. May I recommend a free application that has done a great job of protecting me since then? The application (or program) is called “Spybot.” There’s a link to it at the end of this posting.

This post was updated on Dec. 17.

The security flaw allows hackers to steal passwords. Some 10,000 websites have code that can exploit the flaw.

Here are links to several stories:

Microsoft: Microsoft Security Advisory (961051)

Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in (the web browser) Internet Explorer. Blah, blah, blah... (It continues in very sterile language. The other links state the severity and urgency of the problem in plain language.)

BBC News: Serious security flaw found in IE

Users of Microsoft’s Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Computerworld: Microsoft preps emergency IE patch for Wednesday release

December 16, 2008 (Computerworld) Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services.

The update will be pegged “critical,” the most serious ranking in Microsoft's four-step scoring system.

Even as it declared that it would release an emergency fix, Microsoft continued to downplay the threat. “At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7,” said company spokesman Christopher Budd in an e-mail today.

Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.

Last weekend, Microsoft researchers said that they had seen a “huge increase” in attacks, and that some were originating from legitimate Web sites. Another researcher added that about 6,000 infected sites were serving up exploits that target the IE vulnerability.

Also today, Microsoft confirmed that attacks could be launched through Outlook Express, a free e-mail client bundled with Windows XP. Because Outlook Express renders HTML-based messages using IE’s engine, attackers could exploit the bug by getting users to open or view malicious messages.

New York Times: Microsoft Issuing Emergency Fix for Browser Flaw

REDMOND, Wash. (AP) -- Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

The “zero-day” vulnerability, which came to light last week, allows criminals to take over victims’ machines simply by steering them to infected Web sites; users don’t have to download anything for their computers to get infected, which makes the flaw in Internet Explorer’s programming code so dangerous. Internet Explorer is the world’s most widely used Web browser.

Microsoft said it plans to ship a security update, rated “critical,” for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.

Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors’ machines if they’re using Internet Explorer and haven’t employed a complicated series of workarounds that Microsoft has suggested.

Microsoft said it has seen attacks targeting the flaw only in Internet Explorer 7, the most widely used version, but has cautioned that all other current editions of the browser are vulnerable.

Microsoft rarely issues security fixes for its software outside of its regular monthly updates. The company last did it in October, and a year and half before that.

Cnet: Critical IE 7 exploit making the rounds

Microsoft issued a critical security warning Tuesday that a malicious exploit is making the rounds and attacking vulnerabilities in Internet Explorer 7.

The risk is believed to be widespread, given that IE 7 is the latest version of Microsoft’s browser and is bundled with XP service pack 3 and also Vista, said Dave Marcus, director of security research and communications for McAfee's Avert Labs.

The AZN Trojan, which has been making the rounds since the first week of December, has the potential of infecting users’ system with a Trojan horse, or “downloaders” that can download other forms of malware onto a user’s system.

Microsoft announced it will release a security patch Wednesday via its automatic update system to patch users computers.

Users can potentially get infected two ways, Marcus said. One is to visit a malicious Web site that already has the malware installed on the site, or visit a legitimate site, in which the attacker has inserted the malicious script to run in the background, leaving visitors unaware their systems have been compromised.

“A lot of Web sites are pushing out this exploit,” Marcus noted. Some of the infected sites include Web sites that offer free wallpaper for mobile phones to sites that feature property to product-related sites.

Microsoft is encouraging users to update their systems once the patch is released Wednesday at 10 a.m. PDT.

A SUGGESTION

If you still use IE, stop using it until you learn that it’s safe once again. On the other hand, why not just switch to another web browser? It wouldn’t be a bad idea to make any of these other browsers your primary browser and use IE only as your secondary browser.

These browsers are listed in order of popularity. All of them are safer, relatively speaking, than Internet Explorer. Another bonus: all of them work faster than IE.

1. Firefox
2. Opera
3. Google Chrome
4. Apple Safari

Earlier, I mentioned my bad experience with stolen passwords. I looked around for an anti-spyware program and found Spybot. I recommend Spybot. I find it so useful that I donate to it. The application is free and it serves me well.

HOW MUCH DO PHYSICIANS EARN?

If you’ve ever wondered what doctors make, your curiosity will be satisfied with this post.

In general, physicians earn the most of any occupation. The occupation covers a broad range of specialties and the average compensation of a physician depends heavily on his or her area of specialization.

These 2008 figures came from the American Board of Medical Specialties (1). Seventy specialties are listed. Alphabetically the list starts with Allergy & Immunology and ends with Vascular Surgery. Dollar-wise, the specialists who earn the most money are Orthopedic Surgeons (spine specialists) who averaged $612,000. The “paupers” are Pediatricians who specialize in pulmonary diseases. They only averaged $173,000.

The “n.a.” means that the data was “not available.” Also, you can click on the charts to enlarge them. To return to this window, click on the [back arrow] key of your keyboard.

Before you send your kid to medical school, realize that doctors do earn their keep, i.e., they work hard and, before that, they trained hard, for a long time, to get to their position. And the education doesn’t stop. Make sure your kid realizes that also! Still, in the context of today’s compensation for some business executives (mostly CEOs of large US corporations, I think doctors are more deserving of their compensation than many of these executives.

FORMAL EDUCATION

Nearly all students that enter medical school have a bachelor’s degree. In fact, many of them have graduate degrees. Their first two years are spent in classrooms and laboratories. Their last two are spent working “hands-on” with patients under supervision. After four years of medical school, graduates begin their “residency.” This is on-the-job training at a hospital. During residency, students begin their post-graduate education in a specialty of their choosing. Residency can range from three to five years depending upon the chosen specialization. For those seeking to specialize even further, there are “fellowships” that take more years. Internal medicine, pediatrics, and general family practice require three years of residency. If the doctor chooses to specialize further—for example, gastroenterology, which is a subspecialty of internal medicine—another one to three years will be required (2).

So let’s add that up. The least specialized doctors have a bachelor’s degree (four years), a graduate degree (four years), and several years of residency (at least three years). Incidentally, the first year of residency is typically called “internship.” Compare this to an academician. A college professor must have a graduate degree—a master’s or a doctorate. That means that s/he spent four years earning a bachelor’s degree and another two to four or even five years earning a graduate degree. Comparing the two, the least specialized doctors have at least 11 years of formal education while the least specialized college professors have at least six years of formal education (seven years is more realistic). These same doctors, on the other hand, make at least $170,000 on average, while college professors earn about $75,000 on average (3). All things being equal, those extra four years earn the doctor almost an extra $100,000 a year on average! Consider, however, that many college professors work only ten months of the year and many doctors work 50 to 60 hours a week (and 12 months a year)! At a minimum, I think someone thinking of becoming a physician should look beyond the money and consider the lifestyle choice as well.

SPECIALIZATION — AND YOU, SIR, ARE YOU A PROCTOLOGIST?

Like any technical discipline, medicine has a vocabulary of its own. There are a couple of obscure terms for specialties. One is “Intensivist.” This is the term for a physician who specializes in the care of critically ill patients, usually in an intensive care unit (4). “Perinatology” is another one. According to John Hopkins Medicine, one of the most prestigious medical institutions in the world, “perinatology is a subspecialty of obstetrics. Physicians specializing in this area are called Perinatologists, these are doctors who have had extensive training in the field of high risk obstetrics. Perinatologists are concerned with the care of the mother and fetus at higher-than-normal risk for complications” (5).

You should also know that Intensivists make an average of $296,000 and Perinatologists, $357,000. Now you know...

The average (i.e., mean) compensation of these 70 specialties is $301,000. The starting compensation for physicians is usually significantly lower than their average compensation. For example, the group whose average compensation is closest to $301,000 is the specialist in Hematology & Medical Oncology. Their average starting compensation was $222,000. These doctors work with disorders related to the blood and cancer. Laymen will recognize anemia, blood transfusions, bone marrow transplantation (ouch!), hemophilia, and leukemia. Hemophilia, incidentally, has a nickname. It's called “the royal disease” because it altered European history beginning with Great Britain’s Queen Victoria (6).

Finally, what are Proctologists? Well, Proctologists are surgeons. Specifically, Proctologists are surgeons that specialize in the colon and rectum. The colon and rectum are serious body parts. According to the Mayo Clinic, over 150,000 cases of colorectal cancer are diagnosed every year (7). “Colorectal” refers to cancer of the two organs: the colon and rectum. Worldwide, colorectal cancer is the third leading cancer among men and the fourth, among women (8). There is a sub-specialty of medicine devoted to them. Proctologists belong to either the American Board of Colon & Rectal Surgery or the American Osteopathic College of Proctology.

REFERENCES

(1) - “Setting the Standard for Medical Care.” Retrieved December 8, 2008 from http://www.abms.org. (The exact webpage is available to subscribers only.)

(2) - Your Doctor’s Education. (2000). Journal of the American Medical Association. JAMA Patient Page, 284 (9).

(3) - [Type “Professor” in the keyword field] Retrieved December 2, 2008, from http://swz.salary.com.

(4) - “Definition of Intensivist.” Retrieved December 2, 2008, from http://www.medterms.com/script/main/art.asp?articlekey=23392.

(5) - “What Is Perinatology?” Retrieved December 5, 2008 from http://womenshealth.jhmi.edu/perinatology/index.html.

(6) - Hemophilia: “The Royal Disease.” Retrieved December 11, 2008 from http://www.sciencecases.org/hemo/hemo.asp.

(7) - “Colon Cancer” Retrieved December 11, 2008 from http://www.mayoclinic.com/health/colon-cancer/DS00035.

(8) - “What is cancer of the colon and rectum?” Retrieved December 11, 2008 from http://www.medicinenet.com/colon_cancer/article.htm.

HOSPITAL ERP

Enterprise Resource Planning software like SAP's unifies traditional management functions within a coherent, integrated system. ERP software enables everyone in the company, for instance, to view a status report on operations at any given time. (And of course, the view depends upon the authorization of the viewer.) The report can present an overview and also dig in for more detail. When you visit the industry solutions page of SAP however you will see that there is none for the healthcare industry. Hospitals exemplify organizations that need specialized ERP. In the healthcare industry, the big ERP players are companies like Siemens and Hitachi. Presented below is a story about the way that Hitachi changed the information flow in one of the largest ER (emergency room) in the US.

THE THREE MOMENTS WHEN YOU'RE MOST AT RISK FOR FAULTY ESTIMATES

Good news, bad news. “I finished the project.” “But we went over the budget.”

Two reasons account for most cost overruns. These are Scope Creep and Faulty Estimating. Scope creep occurs because the Project Manager (PM) didn’t control change requests made to the original project plan. An approved change always comes at a cost and, therefore, a change that is approved must be accompanied by additional funding. Faulty estimating is the other usual reason for cost overruns. In this case, the budget was incorrectly calculated at the start. There are three moments during the project life cycle that the PM is particularly vulnerable.

This article discusses those high-risk moments.

Moment #1: At the start of the relationship

It’s one of your first meetings with the client. Naturally you want to start the relationship on the right foot. Pleasantries are exchanged after introductions are made. Both sides talk and walk “gingerly.” Nobody wants to rock the boat.

This is the first high-risk moment. In this situation, a Project Manager (PM) is likely to commit the first grave error—accepting client statements at face value without verifying them. Everyone on the project team is equally likely to make that mistake. It’s up to the PM to catch it, however, since the PM is ultimately responsible and accountable for the project's outcome.

(Incidentally, why does it seem that the Subject Matter Experts (SMEs) are the second most likely members of the project team to commit the mistake? I think this occurs because their stature as experts puts them in a particular frame of mind.)

Acknowledge every statement or assumption that they make but tell them that you will verify each one. There are many tactful ways to communicate this, beginning with the truth, and that is to check because both of you—the client and yourselves—want to accomplish the objective effectively and that correct assumptions are necessary for that to happen. Acknowledge it like the Japanese. During negotiation, they will say “hai!” Although it means “yes,” during the initial meetings, this yes simply means that they acknowledge receipt of a point and not agreement with that point.

You, the PM, must be firm about this. Do not concede to pressure from executive stakeholders (e.g., your Sales Vice President or the client’s executive). Since you are responsible and accountable for the project's outcome, you have the authority and power to perform the necessary steps. You will return to this theme again and again. Like the American colonists who sparked the Revolution against Great Britain, you must be represented if you are going to be taxed. In this case, the metaphor is that you must have the power to do the necessary things to create the desired outcome if you will be held responsible and accountable for that outcome.

Finally, do what you said you would. Confirm all assumptions. Verify every assumption that they make. And verify every assumption you and your team also make. Some assumptions will be difficult to verify but verify them anyway. An example of a difficult assumption is the client's contention that they already have the necessary computer workstations for the project. Confirm that and get that confirmation in writing signed off by the appropriate party.

Moment #2: When you negotiate with your project sponsor

You've finished the preliminary project plan. Now you're sitting with your sponsor. This is the moment for you to firmly explain that, to be prudent, we should follow PMI methodology and create a contingency allowance as well as management and contingency reserves.

The third edition of the PMBOK identifies two types of reserves. A Management Reserve is a portion of the approved project budget, controlled by management that is reserved for unidentified or unexpected work inside the scope of the project. This reserve is excluded from the baseline until it is utilized. Another accepted definition: A Management Reserve is a designated amount of time and/or funds held to account for parts of the project that cannot be predicted. These are sometimes called “unknown unknowns.” Use of the management reserve generally requires a baseline change.

A Contingency Reserve is an amount (of dollars and time) held by the project sponsor for possible changes in project scope or quality. All scope and quality changes to the project will affect the project’s cost and schedule and this reserve will cover those. Another definition: A Contingency Reserve is a designated amount of time and/or funds held to account for parts of the project that cannot be fully predicted. These are sometimes called “known unknowns.”

The PMBOK also recognizes the concept of a Contingency Allowance. It is a specific provision meant to cover variations in the expected cost or schedule, but not scope or quality. The scope of the project may not change but unforeseen factors may change the budgeted cost and schedule.

These three concepts are now illustrated.

First is the Management Reserve. Assume a project’s objective is to wire a building’s electrical subsystem. If the area is unexpectedly hit by an earthquake (an unknown unknown), the ensuing clean-up and repair is a major activity involving numerous tasks (e.g., checking the building’s structural integrity). Covering these unknown unknowns is the reason for the Management Reserve.

Second is the Contingency Reserve. When the scope or quality of a project is officially changed, there will be additional tasks. These additional tasks are not unidentified or unexpected, as in the previous case. The Contingency Reserve is used to cover the cost and time of these additional tasks. Continuing the previous example, assume that from experience, you are certain that there will be some electrical rework, but the amount of rework and when it will occur in the project are unknown.

And third is the Contingency Allowance. Assume a project whose objective is to migrate a company’s IT operations to a new data center. The objective is straightforward—move operations from point-A to point-B. Since there’s only one Point-B whose purpose is to become the new data center, it’s unlikely that the scope of will change. However the cost or schedule easily could. It might require more man-hours than expected to shut down and restart the company’s data servers. These are the surprises that the Contingency Allowance covers.

To reiterate, therefore, the Management Reserve is held and released at management’s discretion to deal with unknown unknowns. The Contingency Reserve is held and released by the project sponsor (usually) to deal with known unknowns. And the Contingency Allowance is a wise precaution that the PM should create to deal with potential changes in cost and schedule.

Moment #3: At the start of the actual project

Complete your documentation before starting the project. This is easier said than done. PMs are usually pressured to begin with the assurance that the documentation will follow. When your boss’s boss makes that assurance, you frequently have no choice. What you can do, however, is get that assurance in writing. If the signed documentation isn’t delivered, you should firmly exercise your power and explain that it won’t be proper to hold you responsible and accountable if your right to act appropriately is curbed. Once again, reiterate that you have to exercise the power to do the necessary things to create the desired outcome if you will be held responsible and accountable for that outcome.

Your documentation should be meticulously prepared and organized. Contracts should be intact copies, email should be filed, and so forth. Remember those assumptions that you verified? Keep the evidence of verification. Remember those reserves and allowance you created? Know the warning signs and the steps you’ll need to take to avail of them.

Finally, note that you can only prepare so much. Be cognizant of those moments above and you’ll be off to a strong start!

COMING SOON: HEALTHCARE REFORM IN THE NEXT FOUR YEARS!

And that’s regardless of who becomes the next President. I don’t think I’m being overly optimistic since the signs are there.

The momentum that started with HIPAA, the escalating spiral of healthcare costs, and the fact that about one out of every six Americans does not have adequate health coverage have made healthcare reform a priority in the next administration.

According to the Commonwealth Fund, a New York-based private foundation whose mission is to promote a high-performing healthcare system:

In 2007, nearly two-thirds of U.S. adults, or an estimated 116 million people, struggled to pay medical bills, went without needed care because of cost, were uninsured for a time, or were underinsured (i.e., were insured but not adequately protected from high medical expenses).

(Losing Ground: How the Loss of Adequate Health Insurance is Burdening Working Families, August 2008)

Both Democrats and Republicans agree on the objectives but differ on the ways to achieve those objectives. Nevertheless the following bills are actively being legislated. They’re listed in the approximate order of their progress. A Senate bill is abbreviated as SB and a bill from the House of Representatives is abbreviated HR. Clicking on a link will open a new tab or window containing the PDF copy of the document.

SB 2408/HR 4295: The Medicare Electronic Medication and Safety Protection Act.

As it’s currently written, this act has both carrot and stick. On the one hand it encourages physicians to use e-prescriptions by offering a bonus payment equivalent to one percent of every claim submitted that is based on an e-prescription. On the other, it would impose a pre-claim financial penalty on physicians who still hand write prescriptions in 2011.

This bill was introduced in December 2007 by Senator John Kerry (D-Mass.) and co-sponsored by Republicans John Ensign (Nev.), Norm Coleman (Minn.), John Cornyn (Tex.), and fellow Democrats Charles Schumer (N.Y.), Richard Durbin (Ill.), and Maria Cantwell (Wash.).

HR 4296 is the House version of the former and is called the Medicare Electronic Medication and Safety Protection (E-MEDS) Act of 2007.

It supplements HR 4295 by requiring physicians that participate in Medicare to e-prescribe.

HR 2991: The Independent Health Record Trust Act.

This could be the big one! It requires the national healthcare system to provide for the establishment of a nationwide health information technology network.

There are two more bills winding their way through the Senate and the House, respectively. These bills elaborate further on the need to develop a national interoperable health information network.

The Senate bill is SB 1693: The Wired for Healthcare Quality Act.

The House bill is HR 6357: PRO(TECH) Act of 2008: Promotion of Health Information Technology.

Finally, credit must also go to the federal government for actively working to develop the network of the future. Click here to see the program's status.

SHIFT PATTERNS

Scheduling work shifts is one of the most common and underestimated problems of modern organizations. It’s a vexing problem that can torpedo a system’s effectiveness. These are lessons learned from a recent project that needed a scheduling solution in order to be considered a success.

A department’s workload determines the shift patterns that it can adopt. Any scheduling decisions need to start with a clear understanding of the workload.

The workload needs to be converted into a number. This is the number of staff members that are needed to perform the workload. A level workload is easier to schedule than a seasonal or variable workload.

AREAS OF CONCERN

Scheduling difficulties always occur around holidays. After holidays the second most common area of concern is absences. The two remaining areas of concern are events that disrupt the staff from meeting the workload. These are training and breaks. Team training can be especially challenging. Breaks that occur due to staff fatigue will occur frequently in environments that have two or three shifts.

A significant difference exists between anticipated and unanticipated events. For example, many problems associated with training can be avoided by furnishing advance notice to the concerned staff. People generally dislike workplace surprises and they will appreciate any advance notice. Notification must be significant however. Being notified one, two, or three days is frequently inadequate. These notices are especially inadequate if the days span a weekend. Staff members will usually perceive this type of notice as last-minute maneuvers instead of advance notice.

HEALTHCARE-SPECIFIC CONCERNS

Horror stories abound about wrong limbs being amputated or procedures being performed on the wrong patients. When these cases of mistaken limbs or mistaken identities are investigated, a contributing factor is frequently miscommunication, or missed communication, between physicians or nurses who work in different shifts. The handover from one shift to the next is typically transmitted through written notes. Verbal information happens too infrequently, too randomly, and too incompletely to be considered unreliable.

The problem is exacerbated by two things. First is the mental and physical condition of the incoming shift worker. And second is the number and type of the incoming shift worker. Second- and third-shifts are usually populated with the more junior staff members. Among doctors these would be the new residents. Among nurses these would be the recent graduates. This situation means that the organization has less experience and less training at night. It’s a fair statement to make that from 5 pm to 7 am, most organizations have less of everything: less experienced and less trained workers and fewer of them at that. Conversely, it’s also fair to state that patients face more risk between those hours.

What can be done about this? Not much realistically. Statistics show that mortality rates are much higher during these hours. Patients can do their part by speaking up but too often patients are unable or unwilling to do that.

IMPLEMENTATION

After shift patterns have been created, the next step may either have the most problems or none at all. These extremes—problem-ridden or smooth sailing—will depend upon the terms and conditions of employment and the current state of labor relations. At many organizations, the terms and conditions of employment were written by people who are unfamiliar with the nuances of second- and third-shift conditions. Lawyers may work late into their evenings but I don’t know of any who work at 24 x 7 law firms. At many organizations, the current state of relations between management and rank-and-file dictates the ease or even possibility of implementing shift pattern problems. One can be repeatedly frustrated by these two issues. For example, common definitions may prevent any agreement. Days and weeks tend to have different connotations for second- and third-shift workers. Fortunately, or unfortunately, the prevalence of part-time workers sidesteps these two issues.

GENUINE CONSIDERATION LEADS TO EFFECTIVE SOLUTIONS

With all these said, the most important factor in solving shift-related problems is consideration. Shift patterns affect people’s lives. Genuine consideration for the impact that abrupt or excessive changes make to people’s lives goes a long way in creating suitable shift patterns.

LESSONS FROM CONDUCTING A SECURITY GAP ANALYSIS

There are many reasons for ensuring that you have a secure information system. It becomes a question of how instead of why. How do you create and maintain a secure system?

I participated in my first security gap analysis project in 2006, blogged it that year, lost that blog, and found my notes again. It was an eye-opening experience especially since it was conducted in one of the largest hospitals—whether public or private—in the country. It serves the second most populous county in the U.S. According to 2006 US Census Bureau estimates, the county had 5.3 million residents—larger than the populations of 29 individual U.S. states or the combined populations of the six smallest US states.

There are many reasons for ensuring that you have a secure information system. It becomes a question of how instead of why. How do you create and maintain a secure system? Starting with what you have, the first step is to create a baseline—a model of your expectations about the security of your information system. If your business belongs to one of several industries that are governed by laws and regulations then you should start with the security requirements of those same laws and regulations.

A hospital, for instance, would be directly governed by the Health Insurance Portability & Accountability Act (HIPAA). It is also subject to other regulations like the eDiscovery rules but we will keep it simple by focusing on HIPAA alone.

The second step is to categorize the sensitivity of your data, identify its source, its location within the system, how its accessed, and who can access it.

Sensitive data can take the form of intellectual property. For a hospital, sensitive data is frequently legally protected. An example is the X-ray images of a patient.

Armed with this information, you can begin your gap analysis. Before this discussion goes further, it must be understood that gap analysis is an ongoing process. The environment is constantly changing. Your information system is constantly changing with it and, naturally, your security gaps are changing as well.

Comparing your actual practices with security requirements will identify the gaps in your system. Once identified, the gaps can be prioritized (by severity, for instance). Then a plan can be created for eliminating (or at least minimizing) those vulnerabilities.

Gap analysis is a specialized form of risk analysis. Risk analysis recognizes the fact that risks are everywhere and that you have limited resources to deal with them. The goal of risk analysis, therefore, is to learn how to deploy your resources in the most effective manner to eliminate or minimize the worst or most likely threats.

It is best to approach gap analysis as a project and like any project, senior management must support it. Security gap analysis must be conducted on a regular basis. It must be thorough and objective. The degree of thoroughness will establish the scope of the analysis. Will the project include physical as well as electronic security? Will it be limited to customer-facing applications?

Objectivity requires a fresh set of eyes. It wouldn’t make sense for an accountant to audit himself. It makes a lot of sense therefore to hire an outside firm to lead the project.

These are the lessons I learned when we conducted a security gap analysis at one of the largest hospitals—whether public or private—in the country.

Our presence was announced with a bang! When you stage a systems break-in, attack the system like a team of hackers would. A team attack is just as likely to happen in real life as a solitary attempt would. The ease and speed of our break-in convinced the hospital’s administration of the risks it faced.

Your project team should have members from different disciplines. I came away convinced that if the core team could only have two groups then the two should be your IT and your HR departments. Why HR? It’s because people will be the primary source of vulnerabilities.

Hospitals are very politicized organizations. In addition to having senior management’s blessing, we created a RACI matrix that was jointly accepted by all department heads.

RACI stands for Responsible-Accountable-Consulted-Informed. A RACI matrix will identify the authority and responsibility of all roles involved in the project. We had determined that our scope was going to be limited to electronic security and to customer-facing applications only. Due to the size of the hospital and the number of applications it ran, our gap analysis focused on the two most heavily implemented applications: lab and accounting.

This was the first gap analysis conducted on this hospital and the spotlight was on it. (And did it ever need it!)

WE ANALYZED THE GAP IN FIVE AREAS

FIRST AREA

AAA – Authorization, Access, and Accounting on an enterprise level. This included single sign-on, a primary aspect of federated identity. Our goal was to standardize the security infrastructure. We discovered numerous instances where Nurse-A could log in at Station-1, stay logged in while logging in again as herself at Station-2, and be granted a different access level.

All current authentication processes were reviewed. Possible vendor solutions were evaluated. A general implementation plan was developed.

SECOND AREA

Awareness. How security-conscious are the employees? Did they know about the different security levels of information?

1. Unclassified
   
2. Classified
   
3. Confidential
   
4. Restricted
   
5. Secret
   
6. Top Secret

Our goal was to heighten the security awareness of workers throughout the organization. Make it clear that this is everyone’s responsibility and request for their cooperation. A regular familiarization course was developed and all employees have to attend it every six months. A hotline was also established.

THIRD AREA

Incident Notification & Response. The security awareness course and the hotline are just two of the responsibilities of a new IT-based group. Our goal was to create a first-response team and proactive overseer of enterprise security. They did not make policy; instead they implemented it. At the same time, they tracked actual user practices, compared it to best practices, and submitted progress reports to the Chief Security Officer (a position that was newly created).

FOURTH AREA

Technical Security. We conducted a comprehensive review of the existing security framework. The framework covered firewalls, DMZs, intrusion detection & prevention tools, and the like. Security logs were audited. Patch management was taken seriously. Password policies were enacted. Our goal was to optimize the hospital’s technical security. These efforts were primarily focused at the hospital’s data center. Technical security briefly touched on Disaster Recovery but DR was going to be a separate project.

FIFTH AREA

Best Practices. Our objective was to train users to work using best practices. This was easier said than done since this was change management and most of the staff were lifers, i.e., employees of long tenure. We had to start over several times. In the end, we learned that the best way to coax them to accept change was to first listen to them. This is the area where our business analysts really proved their worth!

CONCLUSION

Several areas above, e.g., Technical Security and Best Practices, were longer and more difficult than expected. The entire project took eight months—two months past schedule and 40% over budget! The core project team consisted of three full-time members. I was one of them.

Would I consider it successful? Yes. We achieved the project's goals. Were the customers happy? The end-users were. Management was not. From the beginning, we articulated to senior management that they had an unrealistic schedule especially because they were ripping out an old application software system. Delays cost money.

At the project onset, they practiced an all too familiar but ill-advised tactic. They asked us for a "realistic" budget. We were outside consultants. Specifically we were the subcontractors of a (politically-connected) contractor. We used parametric and bottom-up estimates, got the agreement from our contractor, and we jointly submitted it to hospital management.

I remember the incident vividly. We were in the office of the hospital administrator. He glanced at it, asked us a few questions, crossed out our figure, deducted 30%, and wrote that down and signed off beside his scribbled amount. Furthermore, he slashed a month of our projected schedule.

TAG CLOUD

This shows the blog's content, organized by word count. Larger words appeared more frequently in the blog.

analysis approach archive architecture availability benefits best practices business continuity central change CMDB communication companies configuration content database delivery disaster recovery disk documents EMC excellence Fibre Channel files framework Gartner HBA healthcare HIPAA hospital IBM implementation improved incident Information Lifecycle Management infrastructure iSCSI ISO ITIL level location management modification NIST node operation order organization parent path ports practices print problem processes project provider RAID records redundancy release resolution risk management search security server service level software standards storage support team technology testing user value

created at TagCrowd.com

ITIL: MY INTRODUCTION. PART-2 OF 3

Earlier I mentioned how impressed I was with the value that ITIL can bring to any organization. My positive impression led me to research it a little more—just enough so that I would get the big picture.

The beauty of ITIL, as mentioned previously, lies in its customizability. It specifies the framework, which means that while ITIL reveals the main outline of each best practice, it leaves substantial parts of the solution for you to fill in.

It should be possible to implement ITIL’s best practices using nothing more than Microsoft Office and a team of really dedicated evangelists. In order to implement these best practices, an organization needs a software tool, a team of evangelists, and a project plan.

ITIL needs a central repository for the knowledge and lessons learned by the organization. This repository takes the form of a database called the Configuration Management DataBase (CMDB). It is conceivable therefore, to use MS Office’s Access database for the CMDB. Of course, you should at least have a back-end SQL server to support it.

But don’t do it unless you have a small organization like a medical practice that has 10 physicians working together in one, maybe two, locations. Or, to put it another way, don’t do it unless the organization has an IT staff of two or three. I’m titillated by the idea but that would be a shoestring operation and wages may outweigh the cost of purchasing a dedicated ITIL software package. In short, I think it is feasible even though I have never heard of an implementation in such a small scale.

In order to implement ITIL effectively, the organization must maintain that CMDB and leverage it aggressively to share information to everyone in the organization about changes to existing processes, best practices that were adopted, standards that were set, timelines, etc. It is also important for the project team to roll out ITIL’s best practices in a sensible manner. The best practices should target related functions so that the improvements are quickly felt by the user organization. That will make it easier to adopt and, ultimately, shorten the time before the organization reaps the benefits.

WHAT ARE BEST PRACTICES ANYWAY?

If a user’s desktop starts malfunctioning, does the organization have a procedure that the user can follow confidently? In other words, can the user pick up the phone and call a service desk to report that her desktop isn’t working? And, when someone from IT picks it up, will she receive a loaner until her desktop is fixed and returned to her? Will the majority of her files be accessible through that loaner because the staff has been trained to save all of their files to a central server?

Those are all practices. In fact, those are all best practices. Note several things. First, the user has confidence in the procedure. Second, the process of receiving the loaner and setting it up for the user should take an hour or two—a quick response, in other words. And third, the user’s ability to access her files is possible only because of another practice, namely, saving user files to a central server.

None of these practices need special software to implement, correct? But how many organizations can execute this process consistently? Not many, would you agree?

This is why ITIL was developed. It is a compilation of the best practices for each conceivable function of the IT organization. These practices have one common goal—maximizing the value of IT’s services to its parent organization. ITIL accomplishes this by establishing a common language of terms and a set of service standards.

THE BIG PICTURE

The big picture I mentioned earlier consists of five major domains:

Service Support, which includes

1. Service Desk
2. Incident management
3. Problem management
4. Change management
5. Configuration management
6. Release management

Service Delivery

1. Service Level management
2. Financial management of IT services
3. Capacity management
4. Availability management
5. IT service continuity management

Business Perspective

Information & Communications Technology Infranstructure management

Software asset management

See Part-3 of 3 for an overview of the individual components.

ITIL: WHAT SURPRISED ME ABOUT IT. PART-1 OF 3

ITIL stands for the Information Technology Infrastructure Library. I’ve been involved with IT infrastructure for most of my career. After my introduction to ITIL last year, I realized how much better our past implementation of various systems could have been. That is how useful ITIL is, in my opinion.

ITIL is a compilation of what we now call “best practices.” The practices were compiled by a government agency of the United Kingdom. The agency, originally called the Central Computer & Telecommunications Agency (CCTA), began a library in the early 1980s of processes that computer departments should use in order to maximize the contribution of their services to the parent organization. ITIL provides a systematic approach to delivering IT services.

The beauty of ITIL lies in its customizable framework.

I was involved in a subset of the second version of ITIL, namely Service Support. This domain focuses on the process required to keep operations running on a day-by-basis.

It explains how the Service Desk owns and supports Incident Management. It is the foundation for supporting user issues and requests.

Problem Management is the other half of Service Support. It analyzes the root cause of problems to eliminate or mitigate them, once and for all.

Change Management uses a structured process to ensure that changes meet business and technical criteria. This reduces risk and minimizes the impact of change on the organization.

Release Management provides a framework for coordinating, controlling, and physically introducing change to the organization.

Configuration Management provides the foundation for all Service Support and Service Delivery processes. It uses a database (called the CMDB for Change Management Data Base) to track and monitor the organization's software, infrastructure, and documentation. It also documents the relationship between incidents, solutions, changes, and releases.

A COMMON SENSE APPROACH

ITIL uses as common sense approach to delivering IT services. It synchronizes the delivery of all IT services towards the common goal of delivering service value to the organization. ITIL is currently in its third version. Its content revolves around five core competencies:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement.

BENEFITS TO THE ORGANIZATION

ITIL benefits its parent organization in these ways:

1. reduced costs
2. improved IT services through the use of proven best practice processes
3. improved customer satisfaction through a more professional approach to service delivery
4. standards and guidance
5. improved productivity
6. improved use of skills and experience
7. improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.

TYPICAL ADOPTION PATH OF ITIL BY ORGANIZATIONS

Gartner is a respected name in the field of technology consulting and research. According to Gartner, most organizations dip their toes in ITIL in the domain of Service Support, as our client did. Its involvement began in the area of resolution management. Managing resolutions, i.e., issues aka problems, has two disciplines: incident management and problem management.

After becoming comfortable with resolution management, companies typically add control processes, namely, change management and configuration management. From there, companies move on to release management, and as the organization matures, it shifts its focus on the processes of delivering services and improving services, i.e., service level management and availability management. This, according to Gartner, is the typical path followed by many companies in their adoption of ITIL practices:

1. Resolution Management
2. Change Management
3. Configuration Management
4. Release Management
5. Service Level Management
6. Availability Management

Companies typically follow an evolutionary process in adopting any new technology or set of practices. It is well worth it. ITIL fulfills an important need. In most organizations, IT processes are chaotic and ill-defined, poorly or not documented, nor standardized. The ultimate reward, as the individual company matures along the ITIL path, it begins using basic repeatable processes to maintain and improve its service delivery functions.