Using Social Security Number as a Bank ID…

SSN is not for ID

There are no laws preventing a bank or credit union from using the SS# as a bank ID. (The government removed the verbiage indicating that the SS# cannot be used as identification sometime in the 70’s.) It is just a bad idea… for a few reasons, based on a conversation I was in with legal experts. Here are those notes:

1) It is considered personal identifiable information (PII).  PII could include:

  • Name: full name, maiden name, mother’s maiden name or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number or credit card number
  • Personal address information: street address or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

Using the SS# as the customer identifier makes this information more accessible to contractors, vendors, and others that require access to the account but not the PII. (Think about how you are accessing your bill payment vendor. You will be passing the customer identification number. Hence you are now providing a SS# to a third party vendor.)

2) Speaking of third party vendors…you must consider how they use the customer identification number. Fiserv sometimes embeds the ID in the transaction number. Now the SS# is exposed elsewhere. I have seen other payments transfer vendors do similar things. Customers get a little sensitive about this sort of thing.

3) You now have the SS# in two places on your system. While you may protect your PII differently, the customer number is generally not considered PII. You will be forced to consider this with every interaction – printed reports, statements, etc.

4) It’s not unique, and it’s not even a very good identifier. The most infamous case of that was 078-05-1120, which was used on a sample Social Security card by a wallet manufacturer. At one point, more than 5,700 people were using that number as their SSN.

Fascinating.
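As an added illustration of points 1, 2 and 4 above (example code written for this post, not part of the original notes): a structural SSN check that rejects the wallet-card number, a keyed surrogate customer number so the SSN never has to travel to bill-pay or transfer vendors, and a scan of constructed vendor records for SSN-shaped values embedded in transaction numbers. PEPPER, the function names and the sample records are assumptions of the example.

```python
import hashlib
import hmac
import re

# Constructed demo key only; keep a real one in a KMS/HSM, never in code or logs.
PEPPER = b"constructed-demo-pepper"
# The Woolworth wallet-card number from the post; it was never a valid SSN.
KNOWN_BAD = {"078-05-1120"}
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

def ssn_is_plausible(ssn: str) -> bool:
    """Structural check: SSA never issues area 000, 666 or 900-999, group 00
    or serial 0000. True means 'could be real', not 'is real'."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if f"{area}-{group}-{serial}" in KNOWN_BAD:
        return False
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def surrogate_customer_id(ssn: str) -> str:
    """Opaque customer number from a keyed HMAC: stable per SSN, unrecoverable
    without PEPPER. The SSN space is only 1e9, so a random ID kept in a lookup
    table is safer still if the key could ever leak."""
    digest = hmac.new(PEPPER, ssn.encode(), hashlib.sha256).hexdigest()
    return "C" + digest[:12].upper()

def find_ssn_leaks(records: list[dict]) -> list[tuple[str, str, str]]:
    """Scan outbound vendor fields for SSN-shaped values that also pass the
    structural check; returns (txn, field, value) per hit."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            for m in SSN_RE.finditer(str(value)):
                if ssn_is_plausible(m.group()):
                    hits.append((rec["txn"], field, m.group()))
    return hits

# Constructed vendor file: the first record embeds the customer number in the
# transaction id (the leak described above); the second uses a surrogate id.
SAMPLE = [
    {"txn": "T-2018-123456789-0042", "cust": "123456789", "memo": "bill pay"},
    {"txn": "T-2018-0043", "cust": "C1A2B3C4D5E6F", "memo": "ref 078-05-1120"},
]
```

Running find_ssn_leaks(SAMPLE) flags both fields of the first record and nothing in the second, since the wallet-card number fails the structural check.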

\\ JMM

Bringing Us Together…

This is an excerpt of an email I sent to our employees. I am proud to be a part of this organizational change and milestone with Lanvera’s IT department.


We Are All ITO

Historically, “IT Operations” was one department, one team, all functions. This model hasn’t made sense and wasn’t positioning this department to scale to the next level. Since May 2017, we’ve seen more than a few organizational changes, restructuring of functions, and changes of personnel roles. Now that the dust has settled, it’s a good time to mention our brand and mission for this year.

My team’s theme for 2018 is NIHIL SINE MAGNO LABORE. The Latin translates to “Nothing Without Great Effort”. Steve talks a lot about our IT transformation, having achieved much but with more ground to cover. The phoenix seen here is representative of our transformational journey. I would like to extend this theme to all IT teams as we pull together.

To this aim, all teams fall under the department “ITO” and break out into three separate teams:  Infrastructure, DevOps, and QA.  Moving forward, teams will be identified as “ITO – Infrastructure”, “ITO – DevOps”, and “ITO – Quality Assurance”, respectively.  The goal is unification of technology services and support.

Bringing us together.

\\ JMM

Cross Training Teams in a Knowledge Culture

“Learning is a treasure that will follow its owner everywhere.”
— Chinese Proverb

There are so many things IT people need to know these days. Gone are specializations in many organizations. Yep, IT pros must know 20 to 30 different types of technologies to remain relevant and competitive. In fact, as I interview younger candidates, there is evidence the new generation of IT people already have these skills and more.

And that’s just infrastructure.  All organizations expect IT people to know core business applications.  Specifically, how they relate to the organization and customer, technical work flows, monitoring, and on and on.  How does an organization tackle it all while keeping IT pros at least tuned into the periphery?

Historically, I’ve done this through the idea of a knowledge culture and DevOps’ “Sharing” idea, where team members present material as a TED-style talk. Below is my deck on peer learning. I hope you find it applicable.

\\ JMM

Lanvera Update: January 2018

“If you fail to plan, you are planning to fail!” – Benjamin Franklin

January marks six months, and our progress is moving rapidly on multiple fronts.

1. Developed and publicized IT’s strategic plan for 2018. This is our road map for the year, developed in December and approved by senior leadership.

2. Workstation Technology Refresh is in full swing. Moving to Windows 10 has been fairly uneventful and user satisfaction is high with the hardware decision, although we’ve made a conscious decision to stay with legacy software productivity platforms so we can have more time to consider Office 365.

3. VMware NSX is progressing slowly, primarily due to difficulties with our network provider, a subject for a future blog. Mobius has been fantastic, working with my local team. Concurrently, team members are spinning up on NSX via VMware’s training classes.

4. SOC 2: AICPA’s Service Organization Control 2. SOC 2 is considered a technical audit, but it goes beyond that. SOC 2 requires companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing integrity, and confidentiality of customer data.

5. Knowledge Management and ORC. Hard push getting Operations Readiness Checklists for all production systems to serve as the foundation of our KM system.

\\ JMM

+++ If you read this far, you may be wondering if this is an old post. Yes. It was never published, along with the other 30+ posts in various stages.

LANVERA’s System Engineering Team – 2018

“NIHIL SINE MAGNO LABORE”
– Translated ‘Nothing Without Hard Work’

Rebuilding technology is no small feat.  It takes people who are willing to work the extra hours, have the attention to detail, put their technical skill to the test, and work with peers who expect the same.  It takes a team.

LANVERA System Engineering Team – 2018 (team photo)

\\ JMM

Information Security Preventative Measures

Information Security Preventative Measures
By US Department of Homeland Security, United States Secret Service
NTX ISAA Cyber Security Conference, November 10, 2018

  1. Employee Awareness and Training
  2. Strong Filters
  3. Email Scanning (Incoming and Outgoing)
  4. Firewall Configuration
  5. Network Segmentation
  6. Software Updates
  7. Scheduled AV Scans
  8. Configure Access Control (Least Privilege)
  9. Disable Remote Access
  10. Software Restriction Policies

Please check out these conference notes and consider attending in the future. Amazing event, with a lot of content shared.

\\ JMM

“Secure” is not a binary, black-and-white thing.

“Secure” is not a binary, black-and-white thing. Instead, it’s about risk management. Instead of asking whether something is secure, it’s better to ask whether it is “secure enough for such-and-such purpose”. – Quote from Crypto Stack Exchange, August 2013

I seem to be talking a lot about security these days.  Not only in my professional life, but in my personal day to day.

I am considering shifting my family from Windows phone over to Android, despite the personal pains, since this ecosystem has worked flawlessly for me for many years. The security conversation in this context is rife with opinion and observation from friends and colleagues. Everything from Android’s inherent security challenges to hackers leveraging Google Play to distribute bad wares. Admittedly, I will lose some sleep knowing my family’s desire to load hundreds of apps.

Getting the Microsoft ecosystem connected onto an Android phone requires passwords and application access whose purpose my family will not understand; they will just be going through the motions. For example, the password vault we’ve been using in my family worked only on Windows phone. We need to consider what tool works well in the Android space, ease of transference, and retraining my family members to use this tool. Further, vaults need access and will prompt for rights to reach or access areas of the operating system. Another situation rife with the chance of malfeasance.

When I researched a deck on security back at Santander, I found the above quote and it immediately returns to mind when I talk security in both spaces today.  Many organizations take a harder line to reach the goal of “secure”, damn productivity and usability.  Compliance works for larger organizations under audit scrutiny.  But many companies do not operate in those industries.  Neither do families.

Nevertheless, when I look at technologies, you have to look at the people at the helm. Combined, risks can be pondered and formulated. Only after thoughtful interaction and use cases, discussion with the people using the technologies, and making the arguments pro and con can you make the right decision for those users. Often, technologies are secure enough when powered by security-conscious people.

My recent thoughts on the matter.

\\ JMM

Rob England IS the IT Skeptic

“You don’t change culture team by team or app by app. You don’t get to pick and choose where you DevOps. You can do it for a while – operating bi-modally – in order to experiment, to allow new ways of working to incubate, but it is essential to converge quickly. DevOps is not a piecemeal tool, it is an organisational transformation.” – The IT Skeptic Blog, July 22, 2017

This blog isn’t about DevOps. There are now thousands to choose from with authors from all walks of life. This blog is about Rob England and his blog, The IT Skeptic.

If you haven’t read this blog, start.  It’s a must read.  In fact, I’ve spent evenings rolling through his old content to follow his train of thought in the hottest topics all IT shops struggle with:  How to do IT service delivery, effectively.  It’s an art.  It’s not simple.  And done poorly, costs organizations dearly.

I do not have a recommendation where to start. If you read his last blog, currently on December 5, 2017, it’s titled “Project Management was the worst thing that ever happened to IT”… Wow. And right on target. Do organizations think this way? Most cannot.

\\ JMM

Companies Expect Updated Information Security Documents

“Below is a list of documents that is requested by a vendor management company.   Information Technology needs to be able to provide these documents on demand:

-Information Security Policies (Current)

-Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing) (Current)

-Incident Response Policies with client notification protocols (Current)

-Disaster Recovery/Business Continuity Plan(s) (Current)

-Disaster Recovery Testing Results (Current)”

Whether it is a partnership, vendor relationship, or just being a customer, it’s no longer unusual to get asked how companies treat security. Risk Management surveys include questions like, “Has your company been hacked in the last 12 months” and “What was your incident response plan to the breach”.

Where do you go to get this stuff? Where do you keep it? How do you manage it? Many larger companies hire the talent to write it. Alternately, resources exist that can help with what needs to be covered. Here are a couple of resources:

I have used all three in my career with success.  Managing these documents should be no different than other IT policies.  In other words, manage collectively with yearly reviews and periodic changes as the organization matures.

What tools or resources have you used to help write security documentation?  Drop me a link to add to the list!

\\ JMM

Challenging IT “Enablement”

“I don’t want my guys to be technical. That’s your team’s job.”

Imagine if Information Technology pushed “day-to-day support” to the business. Before you shoot this idea down, the concept is already actively being embraced by many smaller technical companies. Go read “A Year Without Pants”, by Scott Berkun, the story of WordPress.com where this idea and other evolutionary collaborative work space ideas have roots.

I call it “IT Enablement”. A focus on giving people the tools and trust, with strong oversight and governance from IT. The alternative is zero trust, which is the popular direction for a majority of risk-averse IT organizations. Enablement is a philosophical challenge to today’s status quo and not embraced by many.

As with all disruptive ideas, success is determined through buy in and culture. So, when a strategic directive to eliminate the necessity for a help desk landed, we responded with goals to enable business units with a heightened degree of endpoint control while IT provides just governance and security controls.

Long story short, this direction bombed. I wish to write to talk briefly about what happened and why.

Problem 1. A Misunderstanding. As often happens in leadership meetings, it’s often not what’s said, but what wasn’t. In the discourse, I realized that my interpretation of what our senior leaders want translated to situations that put IT directly in opposition with our conventional business leaders. How so? Read on.

Problem 2. A Revolution. As this new direction took flight, did I prepare leaders? Socialize this direction? Align to goals or strategy? Not satisfactorily. In fact, the culture shift was attempted with the sending of an email: Effective immediately, support responsibilities are owned by our end users. And as you might have guessed, leaders did not embrace it. In fact, we were criticized in town hall and by other leaders. A series of ouch moments.

Problem 3.   Road map to Transformation.  About this time, IT leaders met and realized the bigger challenges in front of us, based on our misread and failed embrace of technical ownership.  The ‘digital transformation’ was born.  Here is our transformation road map:

Solution 1.  Simplify The Landscape.  From policies, standards, and procedures to technology, software, and networking.

Solution 2.  Monitor & Transparency.  Every single thing in IT should be measurable.  A tool will not just focus on measuring and reporting, but giving our technical support teams access for transparency.

Solution 3. Education and Consult. Information Technology should be consulting our business leaders, educating our people, and establishing the knowledge culture, with a baseline of technical skills and measurement of the value we provide.

The goal:  To eliminate the help desk (Level 1) by 2020.

This blog took me more than a few weeks to write. A subject like this is not easy to talk or write about. And our journey on this topic consumed 3-4 months. Upon reflection, it was a difficult time. However, it was worth the attempt; I learned quite a bit from many leaders with legitimate perspectives, turning this failure into learning moments.

If you have successfully put to rest your IT help desk and embraced Enablement, please write me.  I would love to learn how you did it and challenges faced…

\\ JMM
