
Updating Policy with Technology to Stay Competitive | Week 7

Without a proper policy review process in place, companies can find themselves at a serious competitive disadvantage in the marketplace. In this post I will review how failing to review and then retire or update outdated policies can stifle innovation and slow productivity. I will focus mainly on one example that I’m certain many companies are behind the eight-ball on, and that is the move to the cloud.

The year is 2002. After a few years spent getting the company established and building a modest customer base, and while looking to build out the technology infrastructure in their new office space, one of the founders decided it would be neat to name the company network drive after a cartoon character. Flash forward to 2019, and the year-long process of retiring the “Tweety” network drive is nearing its conclusion.

For nearly 20 years, thousands of employees who have come and gone through the doors found themselves using the term “Tweety” in everyday conversation. Backups, shared files, critical documents, training resources, everything needed for the operations of a billion-dollar cloud-based healthcare company relied on an on-premises network drive called “Tweety.”

Now you are probably asking me, “why would a billion-dollar cloud-based company be using on-prem storage named after a cartoon character for 20 years?” The answer is simple: policy. HIPAA regulations strictly enforce proper storage and access controls for PHI and PII. Policy set these controls years ago for our on-prem storage. When cloud storage took shape, our policies were written in a way that prevented it from even being considered within our company. As cloud storage progressed, we found ourselves living in the Stone Age because changing policies would introduce risks.

It wasn’t until about a year ago that enough was enough. We reviewed and rewrote our outdated policies. We signed a business associate agreement with Microsoft to move to OneDrive and Office 365. We updated our security controls, retired old servers, and dedicated the time, money, and resources to this project. The last phase, which was just completed, was a third-party audit.

In the past few years leading up to this change the strain on productivity was obvious. Employees were used to working one way on their home computers, and then had to go back in time 10 years when working from their company computers. The lesson learned from this endeavor: don’t wait and hope new technology will just go away if you ignore it. It bogs down performance and puts you at a disadvantage in the market.
