

Monday, August 13, 2007

Project Managers Need To "Manage The Boss"

Most people have one. Yet attending to their demands and idiosyncrasies can be nerve-wracking. Wise people engage good boss management strategies. After all, bosses are not exalted and invincible gods. They are human beings with special roles and authority as well as the requisite levels of human weaknesses, problems and pressures.

Assess Leadership Style

Recognize the leadership style of your own boss. This helps you understand your boss better. You also benefit by becoming a better manager yourself.

Leader #1: The Press Leader

These leaders pretend to be drill sergeants. Low self-esteem and a strong fear of failure drive them. They are impressed by outward displays of project management and busyness rather than by results. The leader treats people as expeditors who obey orders. They tolerate no mistakes. Trivial details snare their energies and attention. They oversupervise and manage by punishment.

How to handle The Press Leader: Quickly discover on-the-job limits. Determine whether your boss is simply tough or ruthless. The tough leader precisely delegates authority balanced with appropriate responsibility. The ruthless one disregards human factors. If you choose to resist the press leader, do it privately, not within view of colleagues. This way your leader will not lose face. Support your position with plenty of evidence. Otherwise you lose.

Leader #2: The Laissez-Faire Leader

This leader abandons staff. These leaders provide little or no support in tough times. They stipulate little of what is expected of employees. They provide virtually no project management guidance on how to accomplish tasks. While the Press Leader may hover over an employee's shoulder, this leader does nothing to train or guide. The Press Leader overmanages. The Laissez-Faire Leader overlooks.

Managing The Laissez-Faire Leader: The individual who is self-motivated and needs little praise will work well under this type of leader. This leader craves facts such as costs, statistics and research findings. Provide these facts and figures for your boss, while at the same time trying to stress some human elements. Encourage your boss to clarify exactly what is to be accomplished.

Leader #3: The Participatory Leader

The Participatory Leader is adept at communication procedures. Under this type of boss, employees are given precise feedback and recognition when deserved. The Participatory Leader strives to involve employees in the assessment process. He or she is inspirational and innovative. The Participatory Leader customizes the type and amount of feedback required for each employee.

Managing The Participatory Leader: The most effective way of dealing with the Participatory Leader is to feed back the same techniques that he or she uses with subordinates. Keep them informed of what does and does not work. Since this type of leader is interested in results, your opinions will be heeded.

Leader #4: The Develop Leader

This leader goes a step beyond the Participatory Leader. The Develop Leader fosters staff self-esteem, autonomy and competence. Techniques for success are isolated and taught to subordinates as the need arises. The Develop Leader empowers staff and nurtures a feeling of reverence, not in the boss, but in employees themselves.

There is often a high staff turnover rate for employees of develop leaders. But it is a good one because it is upward. Because this type of leader creates such a high level of competence amongst the ranks through professional development and project management, there is always someone to take over when someone moves up.

Keep Your Boss Happy

- Learn what your boss expects and values.
- Strive for high quality results.
- Solve as many problems as possible without the help of your boss.
- Keep your boss informed.
- Be your strongest critic.
- Get regular feedback from your boss.
- Differ with your boss only in private.
- Save money and earn revenue.
- Be a good leader yourself.
- Promote only valuable ideas.
- After all, your boss is not interested in the storms you encountered, but whether you brought in the ship.

About the Author

Canadian Management Centre offers a variety of professional development, project management, marketing and management training seminars.

Article Source: Content for Reprint

10 Hot Areas for Employee Theft

1. Preemployment screening. Enough cannot be said about hiring quality employees. However, as you review a resume or application, keep in mind that studies show nearly one third of all resumes and applications contain inaccurate information. This could be embellishing experience, adjusting dates of employment to appear to have been employed continuously, or leaving blank the questions regarding criminal convictions.

Read the information and then go back through and pick through each line in detail. Ask yourself (and then the applicant):

Why are there gaps in employment? Were they unemployed, hospitalized, or in jail during that time?

Why do they list only the years of employment and not, at least, the month?

Look at the SSN to determine whether the issuing state is reasonable. These numbers can be checked to determine where they were issued. If the application says they are a life-long resident of California, why would they have a Florida-issued Social Security number? (Note that since June 2011 the Social Security Administration assigns numbers randomly, so this check only works for numbers issued before then.)

Does the education seem reasonable? Did they graduate around the age of 18? Did they go straight into college? If not, there should be employment history for that time.

Are the previous employers no longer in business? This is either a run of bad luck or an attempt to prevent reference checking.

Criminal background checks are essential in today's workplace. Access to conviction records is available through so many public and private entities that failing to conduct one may be considered negligent if that employee later commits a criminal act. Hiring someone with full knowledge that they have convictions is an extremely high risk. Many companies ask only for felony convictions to be disclosed on their applications. This too is a risky practice. Misdemeanor crimes such as carrying a concealed weapon, assault, stalking and some narcotics offenses are pertinent to your company. A company is entitled to know of all convictions as an adult, within the limits of local law (some jurisdictions restrict what may be asked, so check with counsel). Lastly, treat suspended sentences and deferred adjudication as convictions: both are a form of probation that required a guilty plea. To make this clear to applicants, a statement should be included on the application that these types of sentences must also be disclosed. Keep in mind that it will be rare for someone to openly disclose a conviction, so outside verification is needed.

A final recommended method is the "paper" honesty survey. It is done either on paper or via computer, but the concept and results are the same. These are simply questionnaires that probe the applicant's attitudes towards honesty and ethics. They ask questions such as "If you saw a co-worker steal something, you would..." followed by multiple-choice answers. They also ask drug- and alcohol-related questions, such as whether the applicant has used drugs at work or come to work under the influence. There is usually also a section asking whether they have ever stolen from an employer and how much. Astounding as it may seem, many answer yes. In fact, these surveys have a history of not recommending about 30% of those who take them. While there is a cost associated with this, the value is very high because the cost of training and turnover is greatly reduced.

2. Employee parking. Consider your employee parking area a point of concern from both a security and a safety perspective. We all like to get the parking space closest to the store at the mall, but for most businesses those spaces are reserved for clientele. There should be a designated parking area for all personnel, and that area should be beyond the normal client/customer parking. The reason is easy: a thief has less exposure if their car is parked close by.

Employee parking can be a thorny topic. Concerns for their vehicle seem to subside if employees can, at least occasionally, see their car. While there are no absolutes on this topic, here are some suggestions:

Never allow employees to park close to the entrance/exit. Have a designated parking area for them (regardless of the weather).

Do not allow them to park next to loading docks or trash dumpsters.

Don't allow "I forgot my badge" to be a free pass to park anywhere. Have a procedure in place to get them where they need to be and back that up with a counseling program to ensure it won't happen in the future.

Encourage employees to leave the building together to reduce exposure to criminal acts while walking to their car.

3. Training and Awareness. The importance of training cannot be overstated, but the variety of methods and materials makes it difficult to define best practices here. When someone is first hired, the amount of paperwork required is enormous. Sometimes mixed in with the employment papers are company policies that require a signature. To ensure that the new hire understands the importance of these sign-off acknowledgements, time should be set aside that is dedicated only to those documents. At the very least, a new hire should acknowledge by signature that they have read and understand policy. On the practical side, the specific policies pertinent to the employee are best presented upon hiring. Those policies and procedures that, if violated, result in immediate termination are also good candidates for the new-hire package.

"Training", to whatever extent it is done (classroom, OJT, video, computer-based), is not truly effective unless there is some means to verify the person's level of understanding of the material. The argument cannot be made that because they were present and did not ask any questions, they comprehended the subject matter.

For many companies, initial training/orientation is the sum total of all personnel policies and procedures. Changes are distributed through company mail, email, or conference calls. It is important that all employees have some means of being informed of significant policy changes. When it comes to prevention of employee theft, awareness is the best ongoing tool.

Awareness is simply reminding employees that the company monitors for this type of activity because it is a profit drain. There are many ways to approach awareness. The use of posters is probably the most common, and many companies design generic versions. Meetings about inventory control, shrink, operating statements, etc. are good platforms to openly discuss the results of internal theft. I saw a handwritten sign over a time clock in a grocery store that said "If you get caught stealing, you're going to jail." I do not recommend this approach and certainly think it sends the wrong message by saying "if you get caught"; now it almost seems like a challenge. The message should be about losses in general, and some method of confidential communication should be in place so anyone can provide tips on suspicious behavior.

4. Access Control. This is a simple objective that increases in complexity the larger the company. This subject concerns two specific areas: access by employees, and access by non-employees that is facilitated by employees.

External Access Control

Employee Access. Start your review process from the outside in. In other words, go to the furthest point that requires authorized access. Authorized access can be a key, a card, a pass code, or some other accept/deny point. The points could be gates, parking lots, exterior doors and the like. Everyone has some level of approved access. Access can be controlled by something as simple as a door lock or as complex as some type of biometrics. Regardless, maintaining proper control is really a function of keeping things current. Vehicles and people can easily gain entry through unmanned gates/doors by simply "drafting" (more commonly called tailgating: going through behind someone else before the door closes). These are weak areas of security.

Entering a building with a key is good security because only that person can/should enter. However, how current is your key control? What happens when a key carrier leaves the company? What happens to the alarm code when someone leaves the company? The security of the security controls themselves is extremely important.

TIP: If your building has a burglar alarm that is monitored by a central station (e.g. ADT), there are generally mailed or online reports available to check open and close times. Someone should be reviewing these reports to determine whether there are any odd-hour entries by authorized personnel. If someone enters the building at 2:00 AM on a Saturday, what was their purpose? Alarm companies will generally notify someone if a door is opened at an unauthorized time. Check with your alarm company.
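As an added illustration of the review this tip calls for (example code written for this page, not something from the article or from any alarm company), the following Python script parses a constructed open/close report, flags openings on weekends or outside assumed business hours, and also flags user codes that belong to people HR lists as terminated, which is the practical answer to the question above about what happens to the alarm code when someone leaves. The report layout, site names, user codes, business hours and dates are all made up for the example.

```python
"""Added example (not from the article): review a central-station
open/close report for odd-hour openings and for user codes that should
have been cancelled. Report format, site names, user codes and the HR
termination data are all constructed for this example."""
from datetime import date, datetime, time

# Constructed report as the alarm company might mail it:
# date, time, event, user code, site
SAMPLE_REPORT = """\
2007-08-10,07:58,OPEN,user07,Warehouse
2007-08-10,18:32,CLOSE,user07,Warehouse
2007-08-11,02:04,OPEN,user12,Warehouse
2007-08-11,02:41,CLOSE,user12,Warehouse
2007-08-11,09:15,OPEN,user03,Office
2007-08-11,12:30,CLOSE,user03,Office
2007-08-13,06:05,OPEN,user07,Warehouse
"""

# Constructed HR data: user codes that belong to departed employees,
# with the termination date. A code that still opens a door after this
# date was never cancelled with the alarm company.
TERMINATED = {"user12": date(2007, 8, 3)}

# Assumed normal opening hours, Monday to Friday
BUSINESS_START = time(6, 0)
BUSINESS_END = time(20, 0)


def parse_report(text):
    """Turn the comma-separated report into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date_s, time_s, event, user, site = line.split(",")
        ts = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M")
        events.append({"ts": ts, "event": event, "user": user, "site": site})
    return events


def is_odd_hour(ts):
    """True on weekends or outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:          # Monday is 0, Saturday is 5
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(events, terminated=TERMINATED):
    """Return (finding, user, site, timestamp) tuples for a human to follow up."""
    findings = []
    for ev in events:
        if ev["event"] != "OPEN":
            continue
        stamp = ev["ts"].strftime("%a %Y-%m-%d %H:%M")
        if is_odd_hour(ev["ts"]):
            findings.append(("odd_hour_open", ev["user"], ev["site"], stamp))
        term_date = terminated.get(ev["user"])
        if term_date is not None and ev["ts"].date() > term_date:
            findings.append(("code_used_after_termination", ev["user"], ev["site"], stamp))
    return findings


if __name__ == "__main__":
    for finding in review(parse_report(SAMPLE_REPORT)):
        print(*finding)
```

On the constructed report this lists the Saturday 02:04 warehouse opening twice (odd hour, and a code that should have been cancelled on 2007-08-03) and the Saturday office opening once; the Monday 06:05 opening is inside the assumed hours and is not reported. Feeding it the real report requires only adapting parse_report to the alarm company's column layout and keeping TERMINATED in step with HR.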

Non-employee Access. Employee theft does not necessarily need to be carried out by the employee themselves. Collusion is a very real possibility. This is especially true with robberies in all business sectors. The "inside job" is more frequent than one might think. CCTV as a second layer of security will, at least, provide possible identification of the parties involved. Collusion can be used for burglaries, corporate espionage, theft of trade secrets and vandalism (among others).

Internal Access Control.

Employee Access. Once inside a building, security should be more restrictive. The most sensitive areas can be anything from a vault to employee record storage to the IT department. Value cannot be determined by simply assigning a cash value to property; there are costs associated with theft that extend far beyond the actual property: potential liability, loss of customer goodwill, interruption of business operations, etc. If an employee steals a laptop computer containing business records that are not backed up, the cost of the loss can be devastating. In short, anywhere an employee has access, theft can and will occur.

Non-employee Access. The person acting in collusion with an employee can only reach areas that either have weak security measures (locked doors propped open) or where the employee actively lets them in. Getting into a business with the assistance of an employee is virtually risk free.

Tip: Even if you just use locks with keys, segregate the level of access everyone has to specific areas. Managers and supervisors with keys have to allow people to have occasional access somewhere. This is annoying to some. Their misguided remedy may be to disable the lock or give everyone a key by hanging it on a hook somewhere. This makes the security as rigid as tissue paper and defeats the purpose. If an area needs to be secure then limit access.

5. Postage and Shipping. Stamps! What is the harm of using one postage stamp to mail in my utility payment? The company has lots of stamps and certainly won't miss this one! And so goes the mentality. Do you know how much exposure you have when it comes to unauthorized use of postage and shipping?

Parcel theft, the unauthorized use (and certainly nonpayment) of some method of shipping for personal gain. The scale of a company's mail function is certainly a factor but all companies face the same problem. Tight controls, frequent monitoring/auditing, and an absolutely defined company policy about misuse will help reduce theft. Keep in mind that this type of theft not only involves the mailing of Aunt Emma's Christmas package at the last minute but the theft and diversion of company product and property using the company's own mailing function.

Account numbers for common carriers (UPS, FedEx, DHL and others) are pure gold. Little effort is required to ship a package if access to account numbers is uncontrolled. The security of these numbers is as important as safeguarding the combination to a safe. There are some areas with a great deal of vulnerability:

Mail rooms. We'll take the obvious first because the exposure comes from two sources: employees of the mail room and employees outside the mailroom. In both cases however, the final checkpoint is in the mailroom itself.

Tip: Ensure there are frequent spot audits (scheduled and irregular) of all documentation. Review for similarities to addresses that do not seem connected to the business. In large operations, only a database would enable complex queries. Investment in specialized software that can query disparate databases containing data fields such as employee addresses, relatives' addresses, emergency contact information, names, etc. would virtually be the only method to conduct audits of this type. Infoglide's software, for example, can analyze relationships across multiple databases to determine how related all the information is to the target.

Shipping Departments. This is the same as above but usually involves larger packages and carriers such as UPS and FedEx. This area has potential for theft of company product, especially in retail and catalog environments, by shipping to themselves or accomplices. Additionally the driver for the carrier can also be in collusion and simply accept packages and then drop them somewhere along their route.

Tip: While cumbersome and time consuming, occasional audits should be conducted after the carrier has been loaded. All packages should be checked for proper labeling and screened for suspicious names and addresses.

6. Expense Monitoring. Expense accounts are often termed "abused" when in reality it is theft. Expense accounts can be used in a number of ways for personal gain, most of which can be caught early with proper oversight. A supervisor should always review submitted expenses or monthly credit card statements to ensure the propriety of money spent. A paper trail needs to exist for all expenditures, and companies should refrain from adopting policies that do not require receipts for small dollar amounts.

To combat possible fraud, companies should do as much direct billing as possible and set strict limits with those vendors as to what will be paid for. A strict policy should be maintained regarding improper use of company funds, and regular audits should be conducted for all employees. The policy should also make clear that the supervisor's approval signature means that all items have been properly reviewed and are legitimate. When there is accountability, there is less likelihood that a supervisor is passing receipts down to a lower level so that questions won't be raised on their own reports.

Abuse and fraud through the use of personal credit cards is also possible. One of the most frequent abuses I have seen is the use of a personal credit card that awards airline mileage to book travel reservations. The owner of the card will almost always be management and the reimbursement process will need to be prompt in order to pay the bill. Hundreds of thousands of miles can be amassed in a fairly short period of time.

7. Payroll. Using the company payroll to commit fraud is perhaps one of the oldest ploys around. "Ghosting" payroll means creating fictitious employees or continuing to submit payroll requests despite the employee no longer working. This also requires forgery of the endorsement of the check so the funds can be cashed or deposited in the forger's account. This type of fraud is usually committed by managers and can go undetected for long periods of time.

Even a small company can fall victim to this type of theft without occasional audits to reconcile the existence of employees. In high-turnover industries a manager could simply postpone submitting termination paperwork to the payroll department until the next person quit. This could be considered a form of identity theft, but it is more a means to steal cash.

Tip: Field managers should be conducting these audits on a very regular basis.
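The reconciliation such an audit performs, as an added example written for this page rather than taken from the article: one payroll run is compared against the HR master file, and any payee with no HR record, any payee paid after their termination date, any name that disagrees with HR, and any deposit account shared by two payees is listed for follow-up. All employee records, accounts, dates and amounts are constructed.

```python
"""Added example (not from the article): reconcile one payroll run against
the HR master file to surface ghost employees. Employee records, bank
accounts and amounts are all constructed."""
from collections import defaultdict
from datetime import date

# Constructed HR master: employee id -> (name, termination date or None)
HR_MASTER = {
    "E100": ("A. Ortiz", None),
    "E101": ("B. Chen", None),
    "E102": ("C. Dube", date(2007, 6, 30)),
}

# Constructed payroll run: (employee id, name on check, deposit account, net pay)
PERIOD_END = date(2007, 8, 10)
PAYROLL_RUN = [
    ("E100", "A. Ortiz", "ACCT-4411", 1820.00),
    ("E101", "B. Chen", "ACCT-7730", 1655.00),
    ("E102", "C. Dube", "ACCT-7730", 1490.00),   # terminated in June, still paid
    ("E250", "D. Evans", "ACCT-9902", 1700.00),  # no HR record at all
]


def reconcile(payroll, hr_master, period_end):
    """Return (finding, subject, detail) tuples; detail is the net pay,
    or the list of ids sharing one deposit account."""
    findings = []
    by_account = defaultdict(list)
    for emp_id, name, account, net in payroll:
        by_account[account].append(emp_id)
        record = hr_master.get(emp_id)
        if record is None:
            findings.append(("not_in_hr_master", emp_id, net))
            continue
        hr_name, terminated = record
        if hr_name != name:
            findings.append(("name_mismatch", emp_id, net))
        if terminated is not None and period_end > terminated:
            findings.append(("paid_after_termination", emp_id, net))
    # Two payees sharing one deposit account is the classic sign that a
    # manager is collecting a departed or fictitious employee's pay.
    for account, ids in by_account.items():
        if len(ids) > 1:
            findings.append(("shared_deposit_account", account, ids))
    return findings


def exposure(findings):
    """Net pay tied to ghost-employee findings for this run."""
    return sum(detail for kind, _, detail in findings
               if kind in ("not_in_hr_master", "paid_after_termination"))


def run_reconciliation():
    return reconcile(PAYROLL_RUN, HR_MASTER, PERIOD_END)


if __name__ == "__main__":
    findings = run_reconciliation()
    for f in findings:
        print(*f)
    print("exposure this period:", exposure(findings))
```

On the constructed data the run shows E102 paid six weeks after termination, E250 with no HR record, and E101 and E102 paying into the same account, for 3,190.00 of exposure in one pay period. The point of the audit is that payroll is reconciled against a file the manager who submits payroll cannot edit; if the same person controls both, this check proves nothing.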

8. The Bookkeeper. The bookkeeper plays a critical role in a business because of their skills, their knowledge base, and their total familiarity with the company and its practices. These same strengths can be used to devastating effect if theft is involved. Even when a company becomes large enough to require an Accounting Department, fraud can occur.

Consider the following areas:

Banking. What process is in place to ensure that revenue and deposits are the same? What process is in place to ensure that the number and amount of checks and the amount of cash equal the receipts for the day? To steal cash, one would simply have to delay depositing funds. On subsequent days the cash that was taken would be replaced by checks from the previous day's business (a scheme known as lapping).

Vendor accounts. What prevents the bookkeeper from creating fictitious vendors and then creating payments they receive themselves? What prevents intentional overpayment of a vendor in exchange for a portion of the stolen funds? What monitoring is available to ensure that vendors do not develop inappropriate personal relationships with critical employees? (Note: a review of policy regarding the receiving of gifts, trips, ball game tickets, rounds of golf, etc. from vendors should be conducted.)
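The address cross-check called for in the mailroom and shipping tips above, and the fictitious-vendor question here, need the same thing: a way to compare addresses held in different records. The following is an added example written for this page, not code from the article or from any commercial product; it is a plain exact-match version of the cross-database audit described, normalizing addresses (case, punctuation, street suffixes, unit designators) before comparing outbound shipment destinations and vendor remit-to addresses against employee home and emergency contact addresses. All names and addresses are constructed.

```python
"""Added example (not from the article or from any vendor's product):
a plain exact-match version of the cross-database audit the text
describes. Outbound shipment destinations and vendor remit-to addresses
are compared, after normalization, against employee home and emergency
contact addresses. All names and addresses are constructed."""
import re

# Common street-suffix and direction abbreviations (assumed list)
ABBREVIATIONS = {
    "STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
    "BOULEVARD": "BLVD", "LANE": "LN", "COURT": "CT", "PLACE": "PL",
    "NORTH": "N", "SOUTH": "S", "EAST": "E", "WEST": "W",
}
# Unit designators are dropped; the unit number that follows them is kept
UNIT_WORDS = {"APT", "APARTMENT", "SUITE", "STE", "UNIT", "#"}


def normalize(address):
    """Canonical form so '12 Elm Street, Apt. 4B' equals '12 ELM ST #4B'."""
    text = re.sub(r"[^\w\s#]", " ", address.upper())  # punctuation -> space
    text = text.replace("#", " # ")                    # '#4B' -> '# 4B'
    tokens = [ABBREVIATIONS.get(tok, tok) for tok in text.split() if tok not in UNIT_WORDS]
    return " ".join(tokens)


# Constructed HR data: (employee, relationship, address)
EMPLOYEE_ADDRESSES = [
    ("J. Rivera", "home", "12 Elm Street, Apt. 4B, Houston, TX 77001"),
    ("J. Rivera", "emergency contact", "880 Lakeview Drive, Houston, TX 77040"),
    ("M. Patel", "home", "5 Oak Lane, Katy, TX 77449"),
]

# Constructed outbound shipping log: (shipment id, addressee, destination)
SHIPMENTS = [
    ("SHIP-0431", "Acme Supply Co", "200 Commerce Blvd, Dallas, TX 75201"),
    ("SHIP-0432", "J Rivera", "12 ELM ST #4B, HOUSTON TX 77001"),
    ("SHIP-0433", "K. Nguyen", "880 Lakeview Dr., Houston, TX 77040"),
]

# Constructed vendor master: (vendor id, vendor name, remit-to address)
VENDORS = [
    ("V-0101", "Gulf Office Products", "1 Harbor Road, Galveston, TX 77550"),
    ("V-0207", "MP Consulting LLC", "5 Oak Ln, Katy TX 77449"),
]


def build_index(employee_addresses):
    """normalized address -> [(employee, relationship), ...]"""
    index = {}
    for employee, relationship, address in employee_addresses:
        index.setdefault(normalize(address), []).append((employee, relationship))
    return index


def cross_match(records, index):
    """records are (id, counterparty, address); returns hits for a human to review."""
    hits = []
    for rec_id, counterparty, address in records:
        for employee, relationship in index.get(normalize(address), []):
            hits.append((rec_id, counterparty, employee, relationship))
    return hits


def audit():
    index = build_index(EMPLOYEE_ADDRESSES)
    return {"shipments": cross_match(SHIPMENTS, index),
            "vendors": cross_match(VENDORS, index)}


if __name__ == "__main__":
    for source, hits in audit().items():
        for hit in hits:
            print(source, *hit)
```

On the constructed data this flags a shipment to an employee's own home, a shipment addressed to a different name at an employee's emergency contact address, and a vendor whose remit-to address is an employee's home. Exact matching after normalization catches only the careless cases; the commercial linkage tools the text refers to add fuzzy matching, phone and bank account fields, and relatives' names, which this example deliberately leaves out.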

Horror Stories. A vendor for a very large company set out to woo the affection of the accounts payable clerk who handled their account. Once the vendor succeeded, the AP clerk began charging various locations through journal entries for fictitious product. By sheer coincidence one of the location managers saw an unusual charge, which eventually unraveled the case. Time to detect: 8 months. Loss: $1.2 million. Both were prosecuted.

A busy realtor had an excellent bookkeeper. The bookkeeper was young, energetic and very territorial about her work. Even the realtor could not get into the password-protected files. The realtor thought she was a gem of an employee because she even came in on her vacation to take the daily deposit to the bank. She was also efficient and had the realtor pre-sign company checks to pay bills. The bank manager was alerted to some odd-looking checks made out to the bookkeeper. Since the realtor had been a long-time customer, the realtor was notified. The bookkeeper was creating checks to herself and depositing them at the same bank. Time to detect: 12 months. Loss: $267,000. Side note: the realtor failed to conduct a criminal background check, which would have shown the bookkeeper's prior convictions for credit card fraud.

9. Petty Cash. Sometimes called a coffee fund or office supply money, petty cash is simply an amount of money that is used for various small purchases. There is no "Best Practice" as to how much the fund should be but regardless, it must be tightly controlled and must be used only for the intended purpose. Petty cash funds tend to become the "small loan department" for lunch or other needs when someone is short on cash. The money goes out and an IOU is substituted. This is not a recommended practice as company funds are being used for personal use.

Petty cash should be counted daily and documented somewhere for reference. This documentation should be audited and the cash personally counted (with a witness) by the person who is in charge of this fund. The cash plus any receipts for disbursed money should equal the total that should be present. Variances, over or short, should not be tolerated.

10. Lockers and searches. Lockers are considered by many employees to be "theirs" meaning there is an expectation of privacy of their contents and that searching a locker is an intrusion of their personal rights. This should not be the perception or the rule and is simple enough to remedy.

Company policy should clearly state that all employees and their vehicles are subject to search. Lockers present a challenge if employees are allowed to use their own locks. Check with your legal counsel as the "ownership" issue may change if the lock itself belongs to the occupant.

Searching lockers either randomly or for cause can be a human resources disaster if not handled with care, tact, and diplomacy. Ensure your method of search is approved by legal counsel. Is a "search" confined only to what is visible in the locker, or does the search allow opening of backpacks, purses, and briefcases? Does the employee need to be present during any search? There is a reasonableness factor in this element. Check with your attorney to determine whether a supervisor can be there instead. What action is taken if someone refuses to allow the search of the locker? If your policy is clearly written, the resolution of that confrontation is spelled out.

Consider this question: what expectation of privacy should an employee have while on company property? There are many arguments to this and policy should be chosen and written carefully.

Throughout this paper the overriding theme is audit. Policy and procedure without compliance review have little or no impact on a business. Policy and procedure without consistent application is an open invitation to liability.

About the Author

Pat Murphy is the President of LPT Security Consulting. He provides security consulting and expert witness testimony on a number of topics. He has over 30 years experience in the industry.
Houston, Texas
281 370 1569

Article Source: Content for Reprint

Use ISO 17799 to Improve Security and Minimize Risks

Most organizations are dependent upon their information and business systems, leaving them exposed to critical loss in the aftermath of a security breach. Fortunately, by implementing an information security management system ("ISMS"), as outlined in the internationally accepted standard and code of practice for information security, a business can significantly reduce the risk of a security breach.

ISO/IEC 17799:2005 ("ISO 17799"), known as the Code of practice for information security management, was developed by the joint ISO/IEC subcommittee on IT security techniques (JTC 1/SC 27) and was published in June 2005; in July 2007 it was renumbered ISO/IEC 27002 with no change in content. ISO 17799 stands out among security standards because it is globally accepted and comprehensive. It has been carefully crafted to work well across industries and geographies. Also, ISO has consciously made this standard consistent with most other existing information security audit and control standards, such as those developed by NIST (the National Institute of Standards and Technology). Therefore, ISO 17799 can be the common framework that links to all other standards, regulatory requirements and corporate governance initiatives.

ISO 17799 provides practical guidelines for developing organizational security controls and effective security management practices. An ISO 17799 evaluation results in a snapshot of the company's security infrastructure, in that it provides a high-level view of how well (or how badly) a company implements information security. This standard is a great tool for companies whether establishing or improving information security within their organization.

The information security process traditionally has been based on sound best practices and guidelines, with the goals of preventing, detecting and containing security breaches, as well as restoration of the affected data to its previous state. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations. ISO 17799 offers an achievable benchmark against which to build organizational information security.

Control Selection based on Risks Identified

ISO 17799 is organized into 11 security clauses containing 39 control objectives and 133 controls, which can be used as a basis for a security risk assessment. The controls encompass all forms and types of information, whether they are electronic files, paper documents or various forms of communication such as email, fax and spoken conversations. The standard sets out a variety of hardware and software considerations, policies, procedures and organizational structures that protect a company's information assets from a broad range of modern security threats and vulnerabilities. How organizations shape their information security programs will depend on the unique requirements and risks they face. An organization should only deploy controls that relate to, and are in proportion to, the actual risks it faces.

Controls can also more simply be described as the countermeasures for risks. Apart from knowingly accepting risks considered acceptable, or transferring those risks (through insurance) to others, there are essentially four types of control:

1. Deterrent controls reduce the likelihood of a deliberate attack.
2. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
3. Corrective controls reduce the effect of an attack.
4. Detective controls discover attacks and trigger preventative or corrective controls.

It is essential that any controls that are implemented are cost-effective. The cost of implementing and maintaining a control should be no greater than the identified and quantified cost of the impact of the identified threat (or threats), weighted by how likely that threat is to materialize. It is not possible to provide total security against every single risk; the trade-off involves providing effective security against most risks. No board should sign off on any ISMS proposal that seeks to remove all risk from the business. The business does, after all, exist within a risk framework and, since it is impossible to exist risk-free, there is little point in proposing to eliminate every risk.

No organization should invest in information security technology (hardware or software) or implement information security management processes and procedures without having carried out an appropriate risk and control assessment that assures them that:

- The proposed investment (the total cost of the control) is the same as, or less than, the cost of the identified impact;
- The risk classification, which takes into account its probability, is appropriate for the proposed investment; and
- Mitigating the risk is a priority - i.e. all the risks with higher prioritization have already been adequately controlled and, therefore, it is appropriate now to be investing in controlling this one.
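Applying the three checks above to a small register, as an added example that is not part of the original article. Risk names and figures are constructed; using the expected loss (annual likelihood times impact) both to rank open risks and to bound what a control may cost is this example's reading of the "risk classification, which takes into account its probability".

```python
"""Added example (not from the article): the three assurance checks applied
to a small risk register. Risk names and figures are constructed, and the
expected loss (annual likelihood x impact) used to rank risks and to bound
control spending is this example's reading of the text."""
import copy

# Constructed register. status: "open" (not yet controlled), "controlled",
# "accepted" or "transferred" (e.g. insured)
RISKS = {
    "R1": {"desc": "ransomware on file server", "likelihood": 0.30, "impact": 400_000, "status": "open"},
    "R2": {"desc": "lost unencrypted laptop",   "likelihood": 0.50, "impact": 80_000,  "status": "open"},
    "R3": {"desc": "office flood",              "likelihood": 0.05, "impact": 250_000, "status": "transferred"},
    "R4": {"desc": "website defacement",        "likelihood": 0.20, "impact": 10_000,  "status": "open"},
}


def expected_loss(risk):
    """Annual likelihood times impact: what the risk costs per year if left open."""
    return risk["likelihood"] * risk["impact"]


def ranked(risks):
    """Ids of still-open risks, highest expected loss first."""
    open_ids = [rid for rid, r in risks.items() if r["status"] == "open"]
    return sorted(open_ids, key=lambda rid: expected_loss(risks[rid]), reverse=True)


def evaluate(risk_id, control_cost, risks):
    """Check that the control costs no more than the expected loss and that
    nothing riskier is still uncontrolled. Returns (approve, reasons)."""
    reasons = []
    if control_cost > expected_loss(risks[risk_id]):
        reasons.append("control costs more than the expected loss")
    order = ranked(risks)
    if risk_id in order:
        higher = order[:order.index(risk_id)]
        if higher:
            reasons.append("higher-priority risks still open: " + ", ".join(higher))
    else:
        reasons.append("risk is not open (already controlled, accepted or transferred)")
    return (not reasons, reasons)


def decide(proposals, risks):
    """Process (risk id, annual control cost) proposals in the order submitted,
    marking approved ones as controlled on a copy of the register."""
    register = copy.deepcopy(risks)
    decisions = []
    for risk_id, cost in proposals:
        ok, reasons = evaluate(risk_id, cost, register)
        if ok:
            register[risk_id]["status"] = "controlled"
        decisions.append((risk_id, ok, reasons))
    return decisions


# Constructed proposals: laptop encryption, then ransomware backups,
# then laptop encryption resubmitted, then a web application firewall.
PROPOSALS = [("R2", 25_000), ("R1", 90_000), ("R2", 25_000), ("R4", 5_000)]


if __name__ == "__main__":
    for risk_id, ok, reasons in decide(PROPOSALS, RISKS):
        print(risk_id, "approve" if ok else "defer", "; ".join(reasons))
```

With these figures the laptop encryption proposal is deferred the first time only because the ransomware risk (expected loss 120,000 a year) is still open, is approved once that is controlled, and the 5,000 a year web firewall is deferred because the risk it addresses is worth about 2,000 a year. The ordering rule is what stops a cheap, popular control jumping ahead of an expensive, necessary one.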

Once information security needs and requirements are identified, a suitable set of controls from ISO 17799 can be established, implemented, monitored, reviewed and improved upon in order to ensure that the specific security objectives of the organization are met.

ISO 17799 is a comprehensive information security code of practice that provides enterprises an internationally recognized and structured methodology for information security. In addition to ISO 17799, the International Organization for Standardization also published ISO 27001, which specifies a number of requirements for establishing, implementing, maintaining and improving an ISMS using the controls outlined in ISO 17799.

ISO 27001 is the formal standard against which an organization may seek independent certification of their ISMS. While certification is entirely optional, as of January 2007, over 3000 organizations world-wide were ISO 27001 certified, demonstrating their commitment to information security. Organizations may be certified compliant with ISO 27001 by a number of accredited certification bodies worldwide. ISO 27001 certification generally involves a two stage audit process, with a "table top" review of key documentation at the first stage and a more in-depth audit of the ISMS at the second stage. The certified organization would need to be re-assessed periodically by the certification body.

In summary, organizations face threats to their information assets on a daily basis. At the same time, they are becoming increasingly dependent on these assets. Technical solutions are only one portion of a holistic approach to information security. Establishing broad information security requirements in the framework of the organization's own unique risk environment is essential.

About the Author

Fazila Nurani is the President and Founder of PrivaTech Consulting, based in Toronto, Canada. Nurani advises organizations on compliance with global privacy laws and managing information security risks. She may be reached at +1.905.886.0751.