Friday, September 28, 2012

The Challenge of Managing Volunteers in a Project


Six months ago I was presented with a great opportunity to be the Project Manager for a church looking to build a new church and office complex.  As I met with the priests and church leaders, I was impressed with the work they had already done in understanding their requirements.

 
The Executive Committee is made up of volunteers - parishioners interested in the future of their community and parish.  Their excitement was evident, but given that they all have work and home responsibilities, I immediately recognized the challenge before me.

 
I am currently working with the Campaign Committee, a wonderful group of parishioners focused on raising the financial pledges on which the church construction will be based.  My challenge is to prepare a forecast and plan that achieves their aggressive schedule while anticipating the success of activities that are mostly out of their control.  A meeting with a prospective donor cannot be documented as a firm commitment, so the best I can do is track accomplishments against the committee's own best estimates of when they will meet with people.  Adding to the challenge, a Campaign Committee member will often need to meet two or three times with a prospective donor to ensure all questions are asked and answered.   One size does not fit all!

In the coming months,  I will document some of the challenges and solutions I have discovered as I manage this wonderful project.

Monday, November 14, 2011

The Cost of Cyber Risk

Recently, a colleague asked me to explain the cost of cyber risk.   I have frequently worked on projects to identify and remediate information technology risks, but the focus has usually been on the cost of prevention.  All too often, those are the only costs discussed.

Let's start with the common misconception that cyber risks are the responsibility of the CIO only.  An effective cybersecurity program is integrated into the larger enterprise risk management program, strategic in its focus and executed across departmental lines.

Security breaches are a growing risk concern for CFOs and CIOs alike.  The most widely publicized are the Epsilon and Sony breaches.  You can see a brief list of others here.

The cost of a data breach averages about $200 per record breached when you factor in lost business, fines and litigation costs, lost shareholder value and damage to the company's reputation.  About 65% of that cost is lost business.  According to the Congressional Research Service, American businesses have lost an estimated $46 billion to cyber theft since 2004.

Another point to consider is that the majority of breaches are caused by people who already have access to the system, not by outside attackers.    Technology has been the default answer in recent years, but businesses now need to address the human element as part of effective security management.

Social engineering is the term for the deceptive practices used to gather information or gain system access.  All employees need to understand what it is and how to protect their companies from these "con artists."


Tuesday, August 16, 2011

Considering Cloud Computing?

The idea of using the cloud is appealing to a growing number of business leaders.  Licensing, operational support and availability are attractive cost factors driving its acceptance.  Sarbanes-Oxley, the EU Data Protection Directive, PCI DSS, HIPAA and various state privacy laws are still in play, however.  Business leaders and auditors need to understand who owns each control that demonstrates compliance, because the obligation does not transfer to the provider along with the servers.

Your responsibility for compliance does not go away just because you don't manage the servers, as Jim Buchanan reports on www.cio.com.  He offers these four points to consider.


1.  What is the impact on your IT workload?

Check how identity and access management, data protection and incident response procedures change when the provider runs the infrastructure.  Be aware of server locations: your European customer data should be on servers located in Europe.  Investigate multi-tenancy and de-provisioning (how the vendor isolates your data from other customers' and what happens to it when you leave), and what a vendor's offering will mean to your organization.  Encryption, and who holds the keys, is a factor you need to consider.


2.  Standards?

Consider which applications you want to move to the cloud.  The standards for cloud computing are not mature yet.  A Forrester executive reports that "SAS70 and ISO 27001 are helpful, but they are point-in-time."  The Cloud Security Alliance is developing a GRC standards suite that will help you assess your position.

3.  Service Level Agreements

Don't settle for the standard contract.  Even small firms can leverage their position as a new client in an industry or region to negotiate terms that protect them.  Due diligence is key.

4.  Security is key

To better understand the risks of moving to the cloud, bring in the Enterprise Risk and IT Security teams up front.  These professionals can help assess the risk and contribute to a solution, including the cost of mitigating any new risks.

Monday, August 8, 2011

Business Continuity Planning

Every business has thought about Disaster Recovery and Business Continuity Planning.  But are they prepared?  Verizon is currently facing a disruption in service due to the strike called by its union-represented workers.

Having worked for "Ma Bell" and her successors, I have been through this cycle every three years since 1975.  I have seen the planning as an observer and as the IT Project Lead for BCP in 2006.

It is imperative that enterprise risks of this magnitude be identified and comprehensive plans be documented and tested before they are needed. 

Access control is the single most time-consuming task I faced.  These are also controls that SOX and PCI auditors may need to review.

  1. How many different applications are in scope?  What are the roles for users?
  2. How will the business block striking workers' access to company and customer data?   Deleting user accounts is not a viable solution: the accounts must be restored when the strike ends, and deletion destroys the audit trail auditors will ask for.
  3. Can the company effectively block striking users while still providing access to the pay and benefits-related sites that must not be blocked?
  4. How will accounts be created for temporary assignments, especially for management workers who need enhanced access?
  5. Managers of striking workers may need extra permissions while providing coverage, but do those permissions create Segregation of Duties conflicts?
  6. How do temp workers get trained in anticipation of the strike?  Providing access to temps is a challenge, especially in the weeks just before a potential work stoppage.
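Items 2 through 5 above are the access-control mechanics of a work stoppage: suspend rather than delete, keep pay and benefits portals reachable, grant coverage permissions for a fixed window, and refuse grants that would create a Segregation of Duties conflict.  The following is an added example that models those four controls; it is not code from the original post or from any employer's identity system.  The role names, the resources behind each role, the allow-listed portals and the SoD conflict matrix are all assumptions constructed for illustration.

```python
"""Access-control model for a planned work stoppage (added example).

Assumptions: role names, ROLE_RESOURCES, STRIKE_ALLOWLIST and SOD_CONFLICTS
are invented for illustration and do not describe any real environment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed pairs of roles that one person must never hold at the same time.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"order_entry", "order_credit"}),
}

# Assumed resources that must stay reachable by suspended (striking) users.
STRIKE_ALLOWLIST = {"payroll_portal", "benefits_portal"}

# Assumed mapping from role to the resources that role may use.
ROLE_RESOURCES = {
    "employee": {"payroll_portal", "benefits_portal", "intranet"},
    "order_entry": {"order_system"},
    "order_credit": {"order_system", "credit_system"},
    "vendor_create": {"ap_system"},
    "payment_approve": {"ap_system"},
}

# Fixed clock values so the example is deterministic.
NOW = datetime(2011, 8, 7, 8, 0)
LATER = NOW + timedelta(hours=9)


@dataclass
class Account:
    user: str
    roles: set                      # permanent roles
    suspended: bool = False         # disabled, never deleted
    temp_roles: dict = field(default_factory=dict)  # role -> expiry time


def active_roles(acct, now):
    """Permanent roles plus any temporary grant that has not expired."""
    return set(acct.roles) | {r for r, exp in acct.temp_roles.items() if exp > now}


def sod_conflicts(roles):
    """Return the conflicting role pairs present in a role set."""
    return {pair for pair in SOD_CONFLICTS if pair <= roles}


def grant_temporary(acct, role, hours, now):
    """Time-boxed grant for coverage work; refused if it creates an SoD conflict."""
    conflicts = sod_conflicts(active_roles(acct, now) | {role})
    if conflicts:
        return False, conflicts
    acct.temp_roles[role] = now + timedelta(hours=hours)
    return True, set()


def suspend(acct):
    """Block a striking worker: flip a flag, keep roles and history intact."""
    acct.suspended = True


def reinstate(acct):
    """Restore access after the stoppage without re-provisioning roles."""
    acct.suspended = False


def can_access(acct, resource, now):
    """Suspended users reach only the allow-listed portals; others follow roles."""
    if acct.suspended:
        return resource in STRIKE_ALLOWLIST
    return any(resource in ROLE_RESOURCES.get(r, set())
               for r in active_roles(acct, now))


if __name__ == "__main__":
    worker = Account("worker1", {"employee", "order_entry"})
    suspend(worker)
    print("striking worker -> payroll:", can_access(worker, "payroll_portal", NOW))
    print("striking worker -> orders :", can_access(worker, "order_system", NOW))
    manager = Account("mgr1", {"employee", "order_entry"})
    print("grant order_credit:", grant_temporary(manager, "order_credit", 8, NOW))
    print("grant vendor_create:", grant_temporary(manager, "vendor_create", 8, NOW))
    print("ap_system 9h later:", can_access(manager, "ap_system", LATER))
```

The point of the model is that suspension is a single reversible flag, the allow-list is evaluated before roles so pay and benefits stay reachable no matter what else is blocked, and every coverage grant carries an expiry and is checked against the SoD matrix before it is written, which is exactly the evidence an auditor will ask for afterwards.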

This is just a sampling of the challenges facing any IT business continuity planner.  The list is extensive and, in many cases, not apparent to the casual observer.  IT will be called upon to perform its magic as each department documents its plan for continuity.  A good team effort avoids last-minute scrambling, and customers are better served when IT is engaged all along the way.

Friday, August 5, 2011

PCI Compliance

During a recent webinar I attended, someone asked whether PCI compliance is the same as SOX compliance.  My experience has been that many in IT organizations presume they are the same, but there are some very significant differences.

First, SOX is a federal law, and with it comes enforcement by federal agencies: the SEC for its civil provisions and the Department of Justice and FBI for its criminal ones.

Auditors use SOX as a guideline, and much of Section 404 is subject to interpretation as to how compliance is achieved.  I experienced this in 2005 when I worked with three different external audit firms engaged to help during my employer's initial assessment.  All had good ideas, but their viewpoints differed.

The Payment Card Industry Data Security Standard (PCI DSS) is not a law but a contractual standard that participating merchants, banks and card processors must comply with.  The card brands can revise it at will and enforce it as they choose, with no appeal process.

The volume of card transactions determines the audit requirements, and every card transaction is in scope, including pen and paper.  Financial sanctions for failure to comply are steep, and a merchant may even lose the ability to process cards at all.  This is a risk both to a merchant's reputation and to its ability to execute sales transactions.

A PCI compliance audit is also different.  The processes and data in scope for review differ from those of a SOX audit.  The PCI Security Standards Council has done a great job of providing a detailed audit process.  It is very specific and straightforward.  You can download it from their web site at https://www.pcisecuritystandards.org/security_standards/documents.php.

Friday, July 22, 2011

Welcome to my blog!

What is GRC, and what does it mean to me?

This site is my opportunity to share my thoughts and experiences, as well as to provide links to many of the GRC thought leaders and blogs I follow.

IT Governance, Risk and Compliance is a discipline that is evolving as more government and regulatory bodies establish laws and rules with which business leaders must comply.

-Dave Jaques