Tuesday, September 25, 2007

Information Security : Design, Implementation, Measurement, and Compliance

Author : Timothy P. Layton
Product Details
Hardcover : 222 pages
Publisher : AUERBACH; 1 edition (July 20, 2006)
Language : English
ISBN-10 : 0849370876
ISBN-13 : 978-0849370878

Table of Contents
EVALUATING AND MEASURING AN INFORMATION SECURITY PROGRAM
INFORMATION SECURITY RISK ASSESSMENT MODEL (ISRAM™)
. Background
. Linkage
. Risk Assessment Types
. Relationship to Other Models and Standards
. Terminology
. Risk Assessment Relationship
. Information Security Risk Assessment Model (ISRAM)
. References
GLOBAL INFORMATION SECURITY ASSESSMENT METHODOLOGY (GISAM™)
. GISAM and ISRAM Relationship
. GISAM Design Criteria
. General Assessment Types
. GISAM Components
. References
DEVELOPING AN INFORMATION SECURITY EVALUATION (ISE™) PROCESS
. The Culmination of ISRAM and GISAM
. Business Process
A SECURITY BASELINE
. KRI Security Baseline Controls
. Security Baseline
. Information Security Policy Document
. Management Commitment to Information Security
. Allocation of Information Security Responsibilities
. Independent Review of Information Security
. Identification of Risks Related to External Parties
. Inventory of Assets
. Classification Guidelines
. Screening
. Information Security Awareness, Education, and Training
. Removal of Access Rights
. Physical Security Perimeter
. Protecting Against External and Environmental Threats
. Secure Disposal or Reuse of Equipment
. Documented Operating Procedures
. Change Management
. Segregation of Duties
. System Acceptance
. Controls against Malicious Code
. Management of Removable Media
. Information Handling Procedures
. Physical Media in Transit
. Electronic Commerce
. Access Control Policy
. User Registration
. Segregation in Networks
. Teleworking
. Security Requirements Analysis and Specification
. Policy on the Use of Cryptographic Controls
. Protection of System Test Data
. Control of Technical Vulnerabilities
. Reporting Information Security Events
. Including Information Security in the Business Continuity Process
. Identification of Applicable Legislation
. Data Protection and Privacy of Personal Information
. Technical Compliance Checking
. References
BACKGROUND OF THE ISO/IEC 17799 STANDARD
. History of the Standard
. Internals of the Standard
. Guidance for Use
. High-Level Objectives
. ISO/IEC Defined
. References
ISO/IEC 17799:2005 GAP ANALYSIS
. Overview
. Guidance for Use
. General Changes
. Security Policy
. Organization of Information Security
. Asset Management
. Human Resources Security
. Physical and Environmental Security
. Communications and Operations Management
. Access Control
. Information Systems Acquisition, Development, and Maintenance
. Information Security Incident Management
. Business Continuity Management
. Compliance
. References

ANALYSIS OF ISO/IEC 17799:2005 (27002) CONTROLS
SECURITY POLICY
. Information Security Policy
. Summary
. References
ORGANIZATION OF INFORMATION SECURITY
. Internal Organization
. External Parties
. Summary
. References
ASSET MANAGEMENT
. Responsibility for Assets
. Information Classification
. Summary
. References
HUMAN RESOURCES SECURITY
. Prior to Employment
. During Employment
. Termination or Change of Employment
. Summary
. References
PHYSICAL AND ENVIRONMENTAL SECURITY
. Secure Areas
. Equipment Security
. Summary
. References
COMMUNICATIONS AND OPERATIONS MANAGEMENT
. Operational Procedures and Responsibilities
. Third-Party Service Delivery Management
. System Planning and Acceptance
. Protection against Malicious and Mobile Code
. Backup
. Network Security Management
. Media Handling
. Exchange of Information
. Electronic Commerce Services
. Monitoring
. Summary
. References
ACCESS CONTROL
. Business Requirements for Access Control
. User Access Management
. User Responsibilities
. Network Access Control
. Operating System Access Control
. Application and Information Access Control
. Mobile Computing and Teleworking
. Summary
. References
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
. Security Requirements of Information Systems
. Correct Processing in Applications
. Cryptographic Controls
. Security of System Files
. Security in Development and Support Processes
. Technical Vulnerability Management
. Summary
. References
INFORMATION SECURITY INCIDENT MANAGEMENT
. Reporting Information Security Events and Weaknesses
. Management of Information Security Incidents and Improvements
. Summary
. References
BUSINESS CONTINUITY MANAGEMENT
. Information Security Aspects of Business Continuity Management
. Summary
. References
COMPLIANCE
. Compliance with Legal Requirements
. Compliance with Security Policies and Standards, and Technical Compliance
. Information Systems Audit Considerations
. Summary
. References
APPENDIX A: ISO STANDARDS CITED IN ISO/IEC 17799:2005
APPENDIX B: GENERAL REFERENCES
INDEX

-------------------------------------------------------------

Editorial Reviews

I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … Risk assessment is the cornerstone of an effective information security program. … striving to achieve compliance in the absence of a risk-based security strategy can only lead to failure. … Implement an effective risk assessment program and take control of the compliance monster. … This book will help you do just that. I know you will benefit from Tim's guidance on how to get the most from your risk assessment efforts. For today's information security leaders, there is not a topic more important.
-From the Foreword by Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation

-------------------------------------------------------------

Book Description
Organizations rely on digital information today more than ever before. Unfortunately, that information is equally sought after by criminals. New security standards and regulations are being implemented to deal with these threats, but they are very broad and organizations require focused guidance to adapt the guidelines to their specific needs. Fortunately, Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives. Tim Layton's Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization's unique context.

-------------------------------------------------------------

Sunday, September 23, 2007

Information Security Principles (ISO/IEC 17799)

Security policy
- An Information Security Policy document will be available to all staff and students
- Senior management shall set a clear direction and demonstrate support for, and commitment to, information security across the University
- Information systems owners will be responsible for ensuring the design, operation and use of IT systems comply with Information Security Policies

Security organization
- Responsibility for governing and managing security of information rests with the executive management of the University
- A management framework will be established to initiate and control the implementation of information security within the University
- Information security governance must fit into and support the IT governance framework
- Responsibilities for the protection of individual assets, and for carrying out specific information security processes, rest with information systems owners
- Third parties will be provided access under formally managed conditions only
- Security requirements must be addressed as part of outsourcing contracts

Asset classification and control
- All information systems should be accounted for and have a nominated information system owner
- Classification labels must be used to indicate the need and priorities for security protection

Personnel security
- Security should be addressed at recruitment, included in relevant job descriptions and contracts, and monitored
- Users of information should be trained in security procedures and the correct use of IT facilities
- Users should be formally authorised in writing of their scope to access information systems
- Incidents affecting security should be reported through approved channels as quickly as possible
- All staff, contractors and students should comply with all prevailing legal and community standards relating to data confidentiality and privacy

Physical and environmental security
- IT facilities supporting critical or sensitive business activities must be physically protected from :
+ unauthorized access, damage and interference
+ the effects of environmental events such as fire, electrical supply failure, natural disasters and terrorism

Computer and network management
- The integrity, accuracy and availability of data is to be maintained in a manner appropriate to the business requirement
- Procedures must be established for the operation and management of all computers and networks
- Controls are to be developed to reduce the risk of negligent or deliberate system misuse

Access control
- Access to computer services and data should be controlled on the basis of business requirements
- IT will provide appropriate access and security control systems
- Users should only be allowed access to the data that is necessary for them to do their job

Systems development and maintenance
- Security requirements must be identified and agreed prior to the development or procurement of IT systems
- Appropriate controls, including audit trails, should be designed into applications
- Access to project, support and development environments and associated test data should be closely controlled

Business continuity planning
- Plans must be available to protect critical business processes from the effects of major failures and disasters

Audit and compliance
- All relevant statutory and contractual requirements of information systems should be explicitly defined and documented
- The security of IT systems should be regularly and independently reviewed
- Adherence to all relevant privacy laws is compulsory
- Data will be protected against loss and unauthorised access commensurate with its value and the requirements of the regulators and legislators
- IT will monitor and report on access and security breaches, including unsuccessful attempts

Source : http://www.auckland.ac.nz/security/InformationSecurityPrinciples.htm

Sunday, September 2, 2007

The Risks to Data Security

There are many, diverse threats to data which a manager of the typical mid-size business must overcome. For his information systems, five key threats should be top of mind:

1. User error – A simple mistake on behalf of an employee could lead to the loss of megabytes of critical company data. From the deletion of a critical file to the accidental deletion of database records, your customers could face large expenses and significant down time recovering the disaster created by a simple mistake.

2. Employee theft – Employees need access to sensitive data in order to perform their jobs. Your customers have to limit the information to which employees have access, ensure that terminated employees no longer have access to sensitive data, and be able to track who's touching what, when and how.

3. Privacy violation – How do your customers protect the personal information with which their customers entrust them? Security breaches can mean that personal data can fall into the hands of the wrong people. In order to maintain your customers' trust, you must ensure that their data is safe and sound. In addition, many governments are now legislating privacy, which can mean fines or imprisonment if sensitive customer data is not secured.

4. Disaster – What natural disasters or unfortunate accidents might affect business? Magazines daily contain news of organizations that have faced unbelievable catastrophes. In the event that your or your customers' organizations are hit with a fire, flood or other disaster, how will the data be protected?

5. External attack – While less common for small business than the Fortune 1000, preparedness against external attacks is crucial. These attacks may take many different forms, from viruses to intrusion by hackers. Proper security measures must be taken to prevent disruption from these adversaries.

These five key vulnerabilities can lead to critical data loss and may ultimately lead to business failure. Additional information can be found at the following links.

EMPLOYEES, NOT HACKERS, GREATEST COMPUTER THREAT

The greatest security threat to companies' computer systems comes from disgruntled employees stealing confidential information and trade secrets, according to a new study on cybersecurity. The survey, conducted by Michael G. Kessler & Associates Ltd., a New York security firm, found that 35 percent of the theft of proprietary information is perpetrated by discontented employees. Outside hackers steal secrets 28 percent of the time; other U.S. companies 18 percent; foreign corporations 11 percent and foreign governments, 8 percent. The remaining 10 percent, according to the study, are listed as miscellaneous crimes. The financial losses caused by these cyber break-ins totaled $42 million last year, which is up more than 100 percent from the 1997 figure of $20 million.

'No such thing as a hacker's holiday'

"Computer crime is much more complex than bugs and viruses," said President and CEO Michael G. Kessler. "Y2K enlightened business owners to pitfalls in their systems, but there must also be heightened awareness of the growing number and variety of computer security breaches that can weaken a company's balance sheet."

The survey was done over the past six months, and written questions were given to 300 of Kessler's clients and other companies. He said that disgruntled employees could be capable of taking business records, trade secrets and payroll information. "It doesn't take a new millennium for corporate computer piracy to occur," said Kessler. "There's no such thing as a hacker's holiday. Internet invasions increase with growing computer and Internet popularity. Codes can be cracked; systems will be sabotaged. Hacking is a reality, and CEOs who have turned a deaf ear to its existence will be shocked when it happens to their allegedly fail-safe network." Kessler cautioned that now that Y2K is over, corporations shouldn't be lulled into a false sense of security.

Hacker attacks not often reported

"Problems could just as easily occur on Jan. 30 as Jan. 1. Businesses should brace for outbreaks of sophisticated viruses and hackings from outside and in. Once a breach in computer security has occurred, our research historically reveals much more -- a 'subplot' that can alert corporations to the real root of some serious trouble," said Kessler. He said companies fail to report computer break-ins for fear of bad publicity, and that for every break-in reported, 400 do not. The Kessler study mirrors previous reports showing that computer security is one of the biggest challenges facing corporate America. Computer-crime rates and information-security breaches continue to increase, according to a joint study conducted last year by the Computer Science Institute and the FBI.

Losses greater than $100 million

The 1999 Computer Crime and Security Survey, based in San Francisco, polled 521 security professionals at U.S. corporations, government agencies and universities. The findings revealed that financial losses among 163 respondents totaled $124 million, which was the third straight year the survey had recorded losses greater than $100 million. "It is clear that computer crime and other information security breaches pose a growing threat to U.S. economic competitiveness and the rule of law in cyberspace," said Richard Power, editorial director of the institute. "It is also clear that the financial cost is tangible and alarming." System break-ins by outsiders were reported by 30 percent of respondents, and unauthorized access by insiders was reported by 55 percent.

Technology not enough

Even though security measures such as digital identification, encryption and intrusion-detection systems are being used more frequently, technology itself is not enough to stymie hackers. The study also found that although 98 percent of respondents said they use anti-virus software, 90 percent reported incidents of virus contamination. Also, system penetration from outside grew for the third straight year despite 91 percent of respondents saying they used firewalls. "The lesson to be learned is simple: security technology does not equal a security program," said Power, suggesting that well-trained, motivated staff and smart procedures are just as important for security as technology.

Justice Department stepping in

The problem of proprietary information being breached on computer systems has prompted the Justice Department to devote an entire section to computer crimes, called the Computer Crime and Intellectual Property section. In addition, the Economic Espionage Act of 1996 is expected to be used to prosecute foreign sources of computer crime. Michael A. Vatis, director of the FBI's National Infrastructure Protection Center, agrees that a "disgruntled insider" is the principal source of computer crimes. "Insiders do not need a great deal of knowledge about computer intrusions, because their knowledge of victim systems often allows them to gain unrestricted access to cause damage to the system or to steal system data. The 1999 Computer Security Institute/FBI report notes that 55 percent of respondents reported malicious activity by insiders," Vatis told a congressional committee last year.

Coast Guard lost data

Recent cases of white-collar computer crimes: Shakuntla Devi Singla used her insider knowledge and another employee's password and log-on identification to delete data from a U.S. Coast Guard personnel database system. It took 115 agency employees over 1,800 hours to recover and re-enter the lost data. Singla was convicted and sentenced to five months in prison and five months' home detention and ordered to pay $35,000 in restitution. Software engineer William Gaed, working for a subcontractor to Intel Corp., was convicted of illegally downloading secret data on the computer giant's plans for a Pentium processor worth between $10 million and $20 million. Authorities said Gaed also videotaped information on his computer screen and planned to sell the tapes to a competitor. Gaed was sentenced to 33 months in prison. And, according to a General Accounting Office [GAO] report issued in October, the federal government has been lax in protecting computer networks used by government and businesses. "At the federal level, these risks are not being adequately addressed," the report said.

U.S. unprepared for information threat

The report showcased concerns of some experts about threats to private-sector systems that control energy, telecommunications, financial services, transportation and other critical services. "Few reports are publicly available about the effectiveness of controls over privately controlled systems," GAO said.

Currently, there is no strategy to improve government information security, the GAO report found. If the United States is faced with a threat, the response could be "unfocused, inefficient and ineffective," wrote Jeffrey Steinhoff, the acting assistant comptroller general.

Author : David Noack
Article Source : www.investigation.com

Monday, August 13, 2007

10 Hot Areas for Employee Theft

Preemployment screening. Enough cannot be said about hiring quality employees. However, as you are reviewing their resume or application, keep in mind that studies show that nearly one third of all resumes and applications contain inaccurate information. This could be embellishing their experience, adjusting their dates of employment to appear to have been employed regularly, or leaving blank questions regarding criminal convictions.

Read the information and then go back through and pick through each line in detail. Ask yourself (and then the applicant):

Why are there gaps in employment? Were they unemployed, hospitalized, or in jail during that time?

Why do they only list the years of employment and not, at least, the month?

Look at the SSN to determine if the issuing state is reasonable. These numbers can be checked to determine where they were issued. If the application says they are a life-long resident of California, why would they have a Florida issued Social Security number?

Does the education seem reasonable? Did they graduate around the age of 18? Did they go straight into college? If not, there should be employment history for that time.

Are the previous employers no longer in business? This is either a run of bad luck or an attempt to prevent reference checking.

Criminal background checks are essential in today's workplace. Access to convictions is available through so many public and private entities that failing to conduct one may be considered negligent if a conviction went undiscovered and that same employee later committed a criminal act. Hiring someone with the full knowledge that they do have convictions is an extremely high risk. Many companies ask only for felony convictions to be disclosed on their applications. This, too, is a risky practice. Misdemeanor crimes such as carrying a concealed weapon, assault, stalking and some narcotic offenses are pertinent to your company. A company is entitled to know of all convictions as an adult. Lastly, suspended sentences and deferred adjudication ARE convictions. They are a form of probation that required a guilty plea. To make this clear to applicants, a statement should be included on the application that these types of sentences must also be disclosed. Keep in mind it will be rare for someone to openly disclose a conviction; therefore an outside verification is needed.

A final recommended method is "paper" honesty surveys. They are actually done either on paper or via computer, but the concept and results are the same. These are simply questionnaires that probe the applicant's attitudes towards honesty and ethics. They ask questions such as "If you saw a co-worker steal something, you would..." followed by multiple-choice answers. They also ask drug- and alcohol-related questions, such as whether the applicant has used drugs at work or come to work under the influence. There is also usually a section asking whether they have ever stolen from an employer and how much. Astounding as it may seem, many answer yes. In fact, the results of the survey have a history of not recommending 30% of those taking them. While there is a cost associated with this, the value is very high, as the cost of training and turnover is greatly reduced.


Employee parking. Consider your employee parking area as a point of concern from both a security and safety perspective. We all like to get the parking space closest to the store at the mall, but for most businesses those parking spaces are reserved for clientele. There should be a designated parking area for all personnel, and that area should be beyond the normal client/customer parking. The reason for this is easy: a thief has reduced exposure if their car is parked close by.

Employee parking can be a thorny topic. Concerns for their vehicle seem to subside if they can, at least occasionally, see their car. While there are no absolutes on this topic, here are some suggestions:

Never allow employees to park close to the entrance/exit. Have a designated parking area for them (regardless of the weather).

Do not allow them to park next to loading docks or trash dumpsters.

Don't allow "I forgot my badge" to be a free pass to park anywhere. Have a procedure in place to get them where they need to be and back that up with a counseling program to ensure it won't happen in the future.

Encourage employees to leave the building together to reduce exposure to criminal acts while walking to their car.


Training and Awareness. The importance of training cannot be overstated, but the variance in methods and materials makes it difficult to define best practices here. When someone is first hired, the amount of paperwork required is enormous. Sometimes mixed in with the employment papers are company policies that require signature. To ensure that the new hire understands the importance of these sign-off acknowledgements, time should be set aside that is dedicated to only those documents. At the very least, a new hire should acknowledge through signature that they have read and understand policy. On the practical side, it would be best that specific policies pertinent to the employee be presented upon hiring. Those policies and procedures that, if violated, result in immediate termination are also good candidates for the new hire package.

"Training", to whatever extent it is done (classroom, OJT, video, computer-based), is not truly effective unless there is some means to verify the person's level of understanding of the material. The argument cannot be made that because they were there and did not ask any questions, they comprehended the subject matter.

For many companies, initial training/orientation is the sum total of all personnel policies and procedures. Changes are distributed through company mail, email, or conference calls. It is important that all employees have some means of being informed of significant policy changes. When it comes to prevention of employee theft, awareness is the best ongoing tool.

Awareness is simply reminding employees that the company monitors for this type of activity because it is a profit drain. There are many ways to approach awareness. The use of posters is probably most common and there are many companies that design generic versions. Meetings about inventory control, shrink, operating statements etc, are good platforms to openly discuss the results of internal theft. I saw a handwritten sign over a time clock in a grocery store that said "If you get caught stealing, you're going to jail." I do not recommend this approach and certainly think it sends the wrong message by saying "if you get caught". Now it almost seems like a challenge. The message should be about losses in general and some method of confidential communication should be in place so anyone can provide tips on suspicious behavior.


Access Control. This is a simple objective that increases in complexity the larger the company. This subject concerns two specific areas: access by employees, and access by non-employees that is facilitated by employees.

External Access Control

Employee Access. Start your review process from the outside in. In other words, go to the furthest point that requires authorized access. Authorized access can be a key, a card, a pass code, or some other accept/deny point. The points could be gates, parking lots, exterior doors and the like. Everyone has some level of approved access. Access can be controlled by something as simple as a door lock or as complex as some type of biometrics. Regardless, maintaining proper control is really a function of keeping things current. Vehicles and people can easily gain entry through unmanned gates/doors by simply "drafting" (going through after someone else before the door closes). These are weak areas of security.

Entering a building with a key is good security because only that person can/should enter. However, how current is your key control? What happens when a key carrier leaves the company? What happens to the alarm code when someone leaves the company? The security of the security is extremely important.

TIP: If your building has a burglar alarm that is monitored by a central station (e.g. ADT), there are generally mailed or online reports available to check open and close times. Someone should be reviewing these reports to determine if there are any odd-hour entries by authorized personnel. If someone enters the building at 2:00AM on a Saturday, what was their purpose? Alarm companies will generally notify someone if a door is opened at an unauthorized time. Check with your alarm company.
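The open/close report review described in the tip above can be automated rather than read by eye. The following is an added example, not code from the original post or from any alarm vendor: it parses a constructed sample of open/close report lines (the line format and the user codes are assumptions, since central-station report formats vary), flags every event that falls outside an assumed 07:00 to 20:00 Monday-to-Friday window, and tallies the off-hours events per user so a reviewer can follow up on each person rather than each line.

```python
from datetime import datetime, time
from collections import Counter

# Constructed sample of central-station open/close report lines (not real data).
# Assumed line format: "<date> <time> <OPEN|CLOSE> <user code> <user name>".
SAMPLE_REPORT = """\
2007-09-21 07:58 OPEN 04 R.GARCIA
2007-09-21 18:12 CLOSE 04 R.GARCIA
2007-09-22 02:03 OPEN 11 T.NGUYEN
2007-09-22 02:41 CLOSE 11 T.NGUYEN
2007-09-24 08:05 OPEN 04 R.GARCIA
2007-09-24 22:30 CLOSE 07 M.OKAFOR
"""

# Assumed business hours; adjust to the site's actual schedule.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(20, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday as datetime.weekday() values


def parse_report(text):
    """Turn report lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date_s, time_s, action, code, name = line.split(maxsplit=4)
        when = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M")
        events.append({"when": when, "action": action, "code": code, "user": name})
    return events


def is_off_hours(when):
    """True for weekends and for any time outside the business window."""
    if when.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= when.time() <= BUSINESS_END)


def flag_off_hours(events):
    """Return only the events a reviewer should ask questions about."""
    return [e for e in events if is_off_hours(e["when"])]


def off_hours_by_user(events):
    """Count flagged events per user so follow-up is per person, not per line."""
    return Counter(e["user"] for e in flag_off_hours(events))


def review(text):
    """Produce human-readable lines for the flagged events."""
    flagged = flag_off_hours(parse_report(text))
    return [
        f"{e['when']:%Y-%m-%d %H:%M} {e['action']} by {e['user']} (user code {e['code']})"
        for e in flagged
    ]


if __name__ == "__main__":
    for line in review(SAMPLE_REPORT):
        print(line)
    print(dict(off_hours_by_user(parse_report(SAMPLE_REPORT))))
```

On the sample above the Saturday open/close pair and the Monday 22:30 close are flagged; the Friday and Monday daytime events are not. The user code matters as much as the name: a code still active after its holder has left the company is exactly the stale-credential problem the paragraph above warns about.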

Non employee Access. Employee theft does not necessarily need to be by the employee themselves. Collusion is a very high possibility. This is especially true with robberies in all business sectors. The "inside job" is more frequent than one might consider. CCTV as a second layer of security will, at least, provide possible identification of the parties involved. Collusion can be used for burglaries, corporate espionage, theft of trade secrets and vandalism (among others).

Internal Access Control

Employee Access. Once inside a building, the security should be more restrictive. The most sensitive areas can be anything from a vault to employee record storage to the IT Department. Value cannot be determined by simply assigning a cash value to it; there are costs associated with theft that extend far beyond the actual property. There are potential costs of liability, customer goodwill, interruption of the business operation, etc. If an employee steals a laptop computer containing business records that are not backed up, the cost of the loss can be devastating. In short, anywhere an employee has access, theft can and will occur.

Non employee Access. The person acting in collusion with an employee can only have access to areas that either have weak security measures (locked doors propped open) or are actively working with the employee. Getting into a business with the assistance of an employee is virtually risk free.

Tip: Even if you just use locks with keys, segregate the level of access everyone has to specific areas. Managers and supervisors with keys have to allow people to have occasional access somewhere. This is annoying to some. Their misguided remedy may be to disable the lock or give everyone a key by hanging it on a hook somewhere. This makes the security as rigid as tissue paper and defeats the purpose. If an area needs to be secure then limit access.

Postage and Shipping. Stamps! What is the harm of using one postage stamp to mail in my utility payment? The company has lots of stamps and certainly won't miss this one! And so goes the mentality. Do you know how much exposure you have when it comes to unauthorized use of postage and shipping?

Parcel theft is the unauthorized use (and certainly nonpayment) of some method of shipping for personal gain. The scale of a company's mail function is certainly a factor, but all companies face the same problem. Tight controls, frequent monitoring/auditing, and an absolutely defined company policy about misuse will help reduce theft. Keep in mind that this type of theft not only involves the mailing of Aunt Emma's Christmas package at the last minute but also the theft and diversion of company product and property using the company's own mailing function.

Account numbers for common carriers (UPS, FedEx, DHL and others) are pure gold. Little effort is required to ship a package if access to account numbers is uncontrolled. The security of these numbers is as important as safeguarding the combination to a safe. There are some areas where there is a great deal of vulnerability:

Mailrooms. We'll take the obvious first, because the exposure comes from two sources: employees of the mailroom and employees outside the mailroom. In both cases, however, the final checkpoint is in the mailroom itself.

Tip: Ensure there are frequent spot audits (scheduled and irregular) of all documentation. Review for similarities of addresses that do not seem connected to the business. In large operations, only a database would enable complex queries. Investment in specialized software that can query disparate databases containing data fields such as employee addresses, relatives' addresses, emergency contact information, names, etc. (www.infoglide.com/index.htm) would virtually be the only method to conduct audits of this type. Infoglide's software can analyze relationships of information across multiple databases to determine how related all information is to the target.

Shipping Departments. This is the same as above but usually involves larger packages and carriers such as UPS and FedEx. This area has potential for theft of company product, especially in retail and catalog environments, by employees shipping product to themselves or to accomplices. Additionally, the driver for the carrier can also be in collusion and simply accept packages and then drop them somewhere along the route.

Tip: While cumbersome and time consuming, occasional audits should be conducted after the carrier has been loaded. All packages should be checked for proper labeling and screened for suspicious names and addresses.
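The cross-reference the mailroom and shipping tips describe, as an added example that is not from the article or from Infoglide's product: outbound parcels are matched against employee home and emergency-contact addresses after normalizing the way addresses are written. All records are constructed.

```python
"""Spot-audit of outbound shipments against HR address data (added example)."""
import re
from dataclasses import dataclass

# Common street-suffix and unit abbreviations, so "123 Oak St Apt 4"
# and "123 Oak Street, Apartment 4" compare equal after normalization.
_ABBREV = {"st": "street", "ave": "avenue", "rd": "road", "dr": "drive",
           "blvd": "boulevard", "ln": "lane", "apt": "apartment", "ste": "suite"}

def normalize_address(addr: str) -> str:
    """Lowercase, strip punctuation, expand abbreviations, collapse spaces."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    home_address: str
    emergency_contact_address: str

def build_address_index(employees):
    """Map each normalized employee-related address to [(emp_id, relation), ...]."""
    index = {}
    for e in employees:
        index.setdefault(normalize_address(e.home_address), []).append((e.emp_id, "home"))
        index.setdefault(normalize_address(e.emergency_contact_address), []).append(
            (e.emp_id, "emergency contact"))
    return index

def audit_shipments(shipments, employees):
    """Return (tracking_id, emp_id, relation) for each parcel whose destination
    is tied to an employee; the recipient name is deliberately ignored, since it
    is the easiest field for a thief to change."""
    index = build_address_index(employees)
    hits = []
    for tracking_id, _recipient, dest in shipments:
        for emp_id, relation in index.get(normalize_address(dest), []):
            hits.append((tracking_id, emp_id, relation))
    return hits

# Constructed sample data: two employees and one day's outbound log.
EMPLOYEES = [
    Employee("E100", "J. Doe", "123 Oak St., Apt 4, Houston TX 77001", "9 Pine Rd, Houston TX 77002"),
    Employee("E101", "R. Roe", "55 Elm Ave, Houston TX 77003", "800 Main Blvd, Houston TX 77004"),
]
SHIPMENTS = [  # (tracking id, recipient name on label, destination)
    ("1Z001", "Acme Supply", "400 Industrial Dr, Dallas TX 75201"),
    ("1Z002", "Tom Smith", "123 oak street apartment 4 houston tx 77001"),
    ("1Z003", "Aunt Emma", "9 PINE ROAD, HOUSTON, TX 77002"),
]
```

Run against the sample log, it flags 1Z002 (an employee's own address under a different recipient name) and 1Z003 (an emergency-contact address) and passes the legitimate vendor shipment.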



6. Expense Monitoring. Expense accounts are often termed "abused" when in reality the behavior is theft. Expense accounts can be used in a number of ways for personal gain, most of which can be caught early with proper oversight. A supervisor should always review submitted expenses or monthly credit card statements to ensure the propriety of money spent. A paper trail needs to exist for all expenditures, and companies should refrain from adopting policies that do not require receipts for small dollar amounts.

To combat possible fraud, companies should do as much direct billing as possible and set strict limits with those vendors as to what will be paid for. A strict policy should be maintained regarding improper use of company funds, and regular audits should be conducted for all employees. The policy should also make clear that the supervisor's approval signature means that all items have been properly reviewed and are legitimate. When there is accountability, there is less likelihood that a supervisor is passing receipts down to a lower level so that questions won't be raised on their own reports.

Abuse and fraud through the use of personal credit cards is also possible. One of the most frequent abuses I have seen is the use of a personal credit card that awards airline mileage to book travel reservations. The owner of the card will almost always be management and the reimbursement process will need to be prompt in order to pay the bill. Hundreds of thousands of miles can be amassed in a fairly short period of time.

7. Payroll. Using the company payroll to commit fraud is perhaps one of the oldest ploys around. "Ghosting" payroll means creating fictitious employees or continuing to submit payroll requests after the employee has stopped working. This also requires forgery of the endorsement on the check so the funds can be cashed or deposited in the forger's account. This type of fraud is usually committed by managers and can go undetected for long periods of time.

Even a small company can fall victim to this type of theft without occasional audits to reconcile the existence of employees. In high-turnover industries, a manager could simply postpone submitting termination paperwork to the payroll department until the next person quit. This could be considered a form of identity theft, but it is more a means to steal cash.

Tip: Field managers should be conducting these audits on a very regular basis.
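The reconciliation those audits perform, as an added example that is not part of the article: a pay run is compared with the HR roster and flagged for the patterns the payroll section names, payees with no HR record, payees still paid after their termination date, and several payee IDs depositing to one account. All records are constructed.

```python
"""Payroll-to-HR reconciliation for "ghost" employees (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    name: str
    hire_date: date
    termination_date: Optional[date]  # None while still employed

@dataclass(frozen=True)
class PayrollLine:
    emp_id: str
    name: str
    deposit_account: str
    pay_period_end: date
    amount: float

def reconcile_payroll(pay_run, roster):
    """Return (emp_id, finding) pairs for every payroll line that should be
    questioned before the run is released."""
    by_id = {r.emp_id: r for r in roster}
    findings = []
    for line in pay_run:
        rec = by_id.get(line.emp_id)
        if rec is None:
            findings.append((line.emp_id, "no HR record (possible fictitious employee)"))
        elif rec.termination_date and line.pay_period_end > rec.termination_date:
            days = (line.pay_period_end - rec.termination_date).days
            findings.append((line.emp_id, f"paid {days} days after termination"))
    # A single deposit account collecting pay for several employee IDs is the
    # signature of a forger routing ghost checks to their own account.
    accounts = {}
    for line in pay_run:
        accounts.setdefault(line.deposit_account, set()).add(line.emp_id)
    for acct, ids in sorted(accounts.items()):
        if len(ids) > 1:
            for emp_id in sorted(ids):
                findings.append((emp_id, f"deposit account {acct} shared with {len(ids) - 1} other payee(s)"))
    return findings

# Constructed sample data: one active employee, one terminated in June, and a
# pay run for the period ending 31 July that still carries the leaver plus an
# ID unknown to HR, both paid into the same account.
ROSTER = [
    HrRecord("E1", "A. Able", date(2005, 3, 1), None),
    HrRecord("E2", "B. Baker", date(2006, 9, 18), date(2007, 6, 15)),
]
PAY_RUN = [
    PayrollLine("E1", "A. Able", "ACCT-101", date(2007, 7, 31), 2400.00),
    PayrollLine("E2", "B. Baker", "ACCT-777", date(2007, 7, 31), 1950.00),
    PayrollLine("E9", "C. Charlie", "ACCT-777", date(2007, 7, 31), 1950.00),
]
```

The same three checks run unchanged against a real export of the payroll register and the HR system, which is the audit the tip asks field managers to perform.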

8. The Bookkeeper. The bookkeeper plays a critical role in a business because of their skills, their knowledge base, and their total familiarity with the company and its practices. These same strengths can be used to devastating effect if theft is involved. Even when a company becomes large enough to require an Accounting Department, fraud can occur.

Consider the following areas:

Banking. What process is in place to ensure that revenue and deposits are the same? What process is in place to ensure that the number and amount of checks plus the amount of cash equal the receipts for the day? To steal cash, one would simply have to delay depositing funds. On subsequent days, the cash that was taken would have to be replaced with checks from the previous day's business.

Vendor accounts. What prevents the bookkeeper from creating fictitious vendors and then creating payments they receive themselves? What prevents intentional overpayment of a vendor in order to receive a portion of the stolen funds? What monitoring is available to ensure that vendors do not develop personal relationships with critical employees? (Note: a review of policy regarding the receiving of gifts, trips, ball game tickets, rounds of golf, etc., from vendors should be conducted.)

Horror Stories. A vendor for a very large company set out to woo the affection of the accounts payable clerk who handled their account. Once the vendor succeeded, the AP clerk began charging various locations through journal entries for fictitious product. By sheer coincidence one of the locations' managers saw an unusual charge, which eventually unraveled the case. Time to detect: 8 months. Loss: $1.2 million. Both were prosecuted.

A busy realtor had an excellent bookkeeper. The bookkeeper was young, energetic and very territorial about her work. Even the realtor could not get into the password-protected files. The realtor thought she was a gem of an employee because she even came in on her vacation to take the daily deposit to the bank. She was also efficient and had the realtor pre-sign company checks to pay bills. The bank manager was alerted to some odd-looking checks made out to the bookkeeper. Since the realtor had been a long-time customer, the realtor was notified. The bookkeeper was creating checks to herself and depositing them at the same bank. Time to detect: 12 months. Loss: $267,000. Side note: the realtor failed to conduct a criminal background check, which would have shown the bookkeeper's prior convictions for credit card fraud.

9. Petty Cash. Sometimes called a coffee fund or office supply money, petty cash is simply an amount of money that is used for various small purchases. There is no "Best Practice" as to how much the fund should be, but regardless, it must be tightly controlled and must be used only for the intended purpose. Petty cash funds tend to become the "small loan department" for lunch or other needs when someone is short on cash. The money goes out and an IOU is substituted. This is not a recommended practice, as company funds are being used for personal purposes.

Petty cash should be counted daily and documented somewhere for reference. This documentation should be audited and the cash personally counted (with a witness) by the person who is in charge of this fund. The cash plus any receipts for disbursed money should equal the total that should be present. Variances, over or short, should not be tolerated.

10. Lockers and searches. Lockers are considered by many employees to be "theirs," meaning there is an expectation of privacy for their contents and that searching a locker is an intrusion on their personal rights. This should not be the perception or the rule, and it is simple enough to remedy.

Company policy should clearly state that all employees and their vehicles are subject to search. Lockers present a challenge if employees are allowed to use their own locks. Check with your legal counsel as the "ownership" issue may change if the lock itself belongs to the occupant.

Searching lockers either randomly or for cause can be a human resource disaster if not handled with care, tact, and diplomacy. Ensure your method of search is approved by legal counsel. Is a "search" confined only to what is visible in the locker or does the search allow opening of backpacks, purses, and briefcases? Does the employee need to be present during any search? There is a reasonableness factor in this element. Check with your attorney to determine if a supervisor can be there instead. What is the action taken if someone refuses to allow the search of the locker? If your policy is clearly written, the resolution of that confrontation is spelled out.

Consider this question: what expectation of privacy should an employee have while on company property? There are many arguments to this and policy should be chosen and written carefully.

Throughout this paper the overriding theme is audit. Policy and procedure without compliance review have little or no impact on a business. Policy and procedure without consistent application is an open invitation to liability.


About the Author


Pat Murphy is the President of LPT Security Consulting. He provides security consulting and expert witness testimony on a number of topics. He has over 30 years experience in the industry.

www.lptsecurityconsulting.com
Houston, Texas
281 370 1569

Article Source: Content for Reprint

Monday, August 6, 2007

EMPLOYEE CONFIDENTIALITY UNDERTAKINGS

It is increasingly important that employees are required to sign confidentiality undertakings to their employers. The following guidance is given for consideration, although organizations are recommended to seek further expert opinion on the suitability of such statements to their own contracts of employment:

'Confidential Information' normally means any information which is not generally known in the relevant trade or industry, and belongs to the Organization, or is learned, discovered, developed, conceived, originated or prepared during, as a result of, or in connection with, the Employee's work, or relates to the Organization's customers or clients, including but not limited to:

  • Information which is unique to the Organization;
  • Any information which the Organization or their clients or customers may wish to protect by patent or copyright, or by keeping it secret or confidential;
  • Information relating to the existing or contemplated products, services, technology, designs, processes, formulae, computer systems, computer software, algorithms, research or development of the Organization;
  • Information relating to proprietary products or services;
  • Any proprietary information not generally known to the public;
  • Information relating to the business plans, sales or marketing methods, methods of doing business, customer lists, customer requirements or supplier information of the Organization; and
  • Information which may affect the value of the shares in the Organization and (where relevant) any price-sensitive information.

The Employees should be asked to acknowledge that the Organization:

  • Is (inter alia) in the business of providing;
  • Operates in a highly competitive commercial arena;
  • Has invested and will invest significantly in terms of money and time in developing its business and products; and
  • Has developed and expects to develop confidential proprietary information relating to its business.

The Employees should acknowledge that during their employment they may have access to, gain knowledge of, be entrusted with and be involved in the creation of Confidential Information, improper disclosure of which could:

  • Result in the Organization losing its competitive edge;
  • Cause the Organization to suffer financial loss; and
  • Be otherwise detrimental to the Organization.

The Employees should undertake that both during employment and thereafter, they will:

  • Not disclose, divulge or communicate to any person any Confidential Information, save to those officials of the Organization whose proper province it is to know such information, or with the written consent of the Board;
  • Not use any Confidential Information for their own benefit or for the benefit of any third party, or in a manner which could be detrimental to the Organization; and
  • Do everything reasonably within their power to protect the confidentiality of all Confidential Information.

The Employees should also undertake that on leaving the company they will:

  • Deliver up to the Organization all copies and originals of documents, computer disks, tapes, accounts, data, records, papers, designs, specifications, price lists, lists of customers and all other information, whether written or electronically stored, which belongs to the Organization or relates in any way to its business or affairs or the business or affairs of any of its suppliers, agents, distributors or customers, or contains any Confidential Information, and is in the Employee's possession or under their control; and
  • Upon request supply the Organization with a signed statement confirming that the Employee has complied with this undertaking.

Again, further guidance on this and similar topics is included in the RUSecure Security On-line Support system (http://www.yourwindow.to/security-policies/).

From : 17799-news.the-hamster.com