Don’t Let Compliance Blind you to Security

Posted by David Hunt

The field of security is constantly growing, shifting and adapting to meet an ever-changing threat landscape. To provide a degree of order in this chaotic landscape, we look to compliance standards such as NIST 800-53, PCI, HIPAA and the ISO standards. These standards provide frameworks that allow us to measure or determine the maturity of an organization’s security program. However, these frameworks need to be tempered by the current security environment, or we risk sacrificing our security for compliance.

This idea was illustrated nicely at this year’s BSides Las Vegas security conference. Lorrie Cranor, the Chief Technologist for the Federal Trade Commission, gave the keynote speech on why we need to start training our clients and end users to reevaluate their thinking on mandatory password changes. In brief, Lorrie questioned the practice of frequent mandatory password changes, which is meant to defeat brute forcing (trying all possible combinations) or to lock out those who may hold a shared or stolen password.

Here is what she found, based on two separate studies: frequent password change requirements can actually make us less secure. Lorrie’s message was to empower users to create good passwords, to agree on what “good” is, and to address common misconceptions. Questionmark OnDemand’s new portal empowers customers to determine what good passwords are and to create customized roles based on their requirements. When configuring password requirements for your OnDemand users, consider Lorrie’s advice for passwords:

  • Avoid common words, names
  • Avoid patterns
  • Digits and symbols add strength
  • Understand different types of attacks
  • Make them Better (Not Perfect)
  • Change them only when Required
  • Start with your Core accounts
  • Use Tools where appropriate
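As an added illustration (not code from this post or from Questionmark OnDemand), the Python check below turns the first three bullets into testable rules: it flags a password built on a common word or name, on a sequential or repeated-character pattern, or on too few character classes. The common-word list, the 12-character minimum and the three-class threshold are constructed assumptions for the example; a real deployment would use a much larger breach-derived word list and whatever thresholds its own policy sets.

```python
import re

# Constructed sample list; a real policy check would load a large breach-derived word list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "david", "summer"}


def has_sequential_run(s, length=4):
    """True if s contains an ascending or descending run of consecutive
    characters of the given length, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - length + 1):
        chunk = codes[i:i + length]
        diffs = {b - a for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(s):
    """True if any single character repeats three or more times in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1{2,}", s) is not None


def check_password(pw):
    """Return a list of findings; an empty list means the password passes every heuristic."""
    findings = []
    lowered = pw.lower()
    # Common words/names: look at the letters-only core as well as the whole string,
    # so that 'Password1!' is still caught.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_WORDS or any(word in lowered for word in COMMON_WORDS):
        findings.append("contains a common word or name")
    if has_sequential_run(pw):
        findings.append("contains a sequential pattern")
    if has_repeated_run(pw):
        findings.append("contains a repeated-character pattern")
    # Digits and symbols add strength: count the character classes present.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    if len(pw) < 12:  # assumed minimum length for this example
        findings.append("shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for candidate in ("Password1!", "abcd1234", "correct-Horse-9battery"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The rules are deliberately simple so that each finding maps back to one bullet; the point is that a policy can be expressed as checks a user can understand rather than as a rotation interval.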

In this case, Lorrie did not blindly follow the path of compliance, which leads to ever shorter password refresh intervals. She got it right by looking at the issue from a security perspective: what are the threats to the use of passwords, and are our mitigations of those threats reducing our risk? The answer, when it comes to mandatory password changes, is NO! In some cases we are actually increasing our risk. So when setting password policies in Questionmark OnDemand, it is always good practice to review your settings regularly to ensure you are getting it right.

As with any good keynote speech, this one was a catalyst for many subsequent conversations, both at and after the conference.

Those conversations covered the dangers of security programs that blindly check compliance requirements off a list, of news-driven security programs, and of the proverbial inability to see the security forest for the trees. The takeaway was that we have an obligation to “disobey.” Not that we should break the rules, but rather that we should question them — lest we face a fate such as that which befell those in “The Charge of the Light Brigade,” a poem describing the tragedy resulting from the miscommunication of orders at the Battle of Balaclava. In our case, we may not face a physical death by blindly following orders, but a virtual death is plausible.

Just as Lorrie asked “Why?” we should be asking it as well. As anyone who has spent time with a 3-year-old child knows, this one simple question is the key to building knowledge. We all should ask “Why?” and grow our technical and security knowledge to ensure we are not just compliant, but secure!


Big Themes, Big Deadlines: Napa News

Posted by Julie Delazyn

We have two big deadlines coming up for the Questionmark 2015 Users Conference in Napa!

All case study and presentation proposals are due on December 10, so submit your proposals soon if you want to lock down a chance to be a speaker at the conference. The perks for you? One 50 percent registration discount per case study and a VIP dinner for all presenters.

The early-bird deadline ends December 17. Register now to save $200. Want to save more? Bring your colleagues and take advantage of our group discounts! There is so much to learn at the conference that many of our customers take a “divide and conquer” approach, attending different concurrent sessions and comparing notes later.

This year, we’ll focus on:

Hackers, attackers and your assessments: Protecting your assessment data

We’ll explore some of the developments and emerging threats to data security and their implications.

Can you trust your assessment results?

The conference will explore what makes assessment results “trustable” and why trustable results matter.

Checking knowledge or checking a box: Assessments and Compliance

Regulatory compliance is a fact of life – one that drives training and the need for trustable, defensible assessment.


We look forward to seeing you in Napa—where you will also have a chance to:

  • Get vital info and training on the latest assessment technologies and best practices
  • Network with fellow assessment and learning professionals
  • Learn about the Questionmark product roadmap

Oh, and did I mention this will all take place in the heart of the beautiful California wine country? We look forward to learning with you there!

9 trends in compliance learning, training and assessment

Posted by John Kleeman

Where is the world of compliance training, learning and assessment going?

I’ve collaborated recently with two SAP experts, Thomas Jenewein of SAP and Simone Buchwald of EPI-USE, to write a white paper, “How to do it right – Learning, Training and Assessments in Regulatory Compliance” (free with registration). In it, we suggested 9 key trends in the area. Here is a summary of the trends we see:

1. Increasing interest in predictive or forward-looking measures

Many compliance measures (for example, results of internal audits or training completion rates) are backwards looking. They tell you what happened in the past but don’t tell you about the problems to come. Companies can see clearly what is in their rear-view mirror, but the picture ahead of them is rainy and unclear. There are a lot of ways to use learning and assessment data to predict and look forward, and this is a key way to add business value.

2. Monitoring employee compliance with policies

A recent survey of chief compliance officers suggested that their biggest operational issue is monitoring employee compliance with policies, with over half of organizations raising this as a concern. An increasing focus for many companies is going to be how they can use training and assessments to check understanding of policies and to monitor compliance.

3. Increasing use of observational assessments

We expect growing use of observational assessments to help confirm that employees are following policies and procedures and to help assess practical skills. Readers of this blog will no doubt be familiar with the concept. If not, see Observational Assessments—why and how.

4. Compliance training conducted on mobile devices

The world is moving to mobile devices and this of course includes compliance training and assessment.

5. Informal learning

You would be surprised not to see informal learning in our list of trends. Increasingly we are all understanding that formal learning is the tip of the iceberg and that most learning is informal and often on the job.

6. Learning in the extended enterprise

Organizations are becoming more interlinked, and another important trend is the expansion of learning to the extended enterprise, such as contractors or partners. Whether for data security, product knowledge, anti-bribery or a host of other regulatory compliance reasons, it’s becoming crucial to be able to deliver learning and to assess not only your employees but those of other organizations who work closely with you.

7. Cloud

There is a steady movement towards the cloud and SaaS for compliance learning, training, and assessment – with the ability to delegate all of the IT to an outside party being the most compelling factor. Especially for compliance functions, the cloud offers a very flexible way to manage learning and assessment without requiring complex integrations or alignments with a company’s training departments or related functions.

8. Changing workforce needs

The workforce is constantly changing, and many “digital natives” are now joining organizations. To meet the needs of such workers, we’re increasingly seeing “gamification” in compliance training to help motivate and connect with employees. And the entire workforce is now accustomed to seeing high-quality user interfaces in consumer Web sites and expects the same in their corporate systems.

9. Big Data

E-learning and assessments are a unique way of touching all your employees. There is huge potential in using analytics based on learning and assessment data. We have the potential to combine Big Data available from valid and reliable learning assessments with data from finance, sales, and HR sources. See, for example, the illustration below from SAP BusinessObjects, which graphs assessment data against performance data as an illustration of what can be done.

Figure: data exported using OData from Questionmark into SAP BusinessObjects

For information on these trends, see the white paper written with SAP and EPI-USE: “How to do it right – Learning, Training and Assessments in Regulatory Compliance”, available free to download with registration. Thomas, Simone and I are also doing a free-to-attend webinar on this subject on October 1st (also a German language one on September 22nd). You can see details and links to the webinars here.

If you have other suggestions for trends, feel free to contribute them below.

Tips for delivering effective compliance assessments

Posted by Julie Delazyn

Our white paper, The Role of Assessments in Mitigating Risk for Financial Services Organizations, describes five stages of deploying legally defensible assessments:

Figure: the five stages of deploying compliance assessments

I’ve shared pointers about Planning, Deployment and Authoring in previous posts. For today, here are some tips about Delivery.

Some of these recommendations are specific to Questionmark technologies, but most can be applied to any testing and assessment system:

Figure: delivery good-practice chart

Click here to read the paper, which you can download free after login or sign-up.

If you are interested in this topic and are eager to learn more about the effective use of online assessments, join us at the Questionmark Users Conference for a full program of case studies, discussions, presentations about best practices and instruction in the use of the latest Questionmark technologies. Sign up while there’s still time. See you in Baltimore!

Deploying compliance-related assessments: good practice recommendations

Posted by Julie Delazyn

Last week I wrote about planning compliance-related assessments, the first post in a five-part series offering good practice recommendations as described in our white paper, The Role of Assessments in Mitigating Risk for Financial Services Organizations.

This paper offers a great deal of information about these kinds of assessments and advice about best practices for implementing a legally defensible assessment program. It describes five stages of deploying assessments — from planning to analytics — and offers recommendations for good practice for chief compliance officers, authoring experts, subject matter experts, trainers and IT specialists responsible for compliance in the organization:

Figure: the five stages of deploying compliance assessments

Some of these recommendations are specific to Questionmark technologies, but most can be applied to any testing and assessment system.

Today, let’s look at good practice for the second of the five stages: deployment:

Figure: deployment good-practice chart

Click here to read the paper, which you can download free after login or sign-up.