
IOUG Podcast 04-MAY-2012: IT Security in HCM / Assessing Candidates / COLLABORATE


For the week of May 4th, 2012:

  • IT Security begins with Human Capital Management
  • Learning to Assess the Latest Tech Candidate
  • How Does COLLABORATE Help Secure your Organization


IT Security Begins with HCM

In a marketing video entitled “X Marks the Spot”, Oracle explores the scenario of an oil company that spends months on location surveys which all turn out to be wrong because the underlying data had been tampered with by a trusted user. Two years after discovering the data integrity problem, and after pulling all the audit logs back from off-site storage, they still have no culprit, because auditing logins doesn’t tell you who did it, only which account was used. Products like IBM InfoSphere Guardium and LogLogic Database Security Manager are increasingly being introduced as watchdog appliances to keep trusted users under surveillance. But who is watching the security appliance administrators?

In cases where the federal government has investigated fraud, waste and abuse by contractors, the contractors’ systems had been certified as hardened by measures such as TEMPEST and the standards of the National Institute of Security Standards (NIST), which maintains thousands of IT-related security and vulnerability standards and requirements. Yet most of those controls are aimed at thwarting external penetration, not inside jobs.

So, why don’t we focus more on the threat from inside technical and functional personnel? Because the bottom line for security within an IT organization starts with how you let someone in the door: the hiring process. While the fictional video is aimed at adding auditing capability and monitoring to the database and applications, which is part of the growing focus on Governance, Risk and Control applications, it also notes that the intruder was a hired employee, brought in without adequate background checks and using forged credentials to obtain the position. When hiring contractors, do you adequately ensure that the contractor agency’s hiring standards are equal to or better than your own? When bringing new employees in-house for technical positions, the challenge is often assessing the technical capacity or experience of someone, especially when your organization is trying to fill a resource void and has no prior experience with the skillset required.

Learning to Assess the Latest Tech Candidate

In cases like this, external testing and screening agencies can often be of assistance. Services like ReviewNet.net and Kenexa’s Prove It technology are not designed as simple pass/fail standards; those criteria must be addressed by your own organizational policies. But as in the creative fields, where the interview process is driven less by resume and interview skill than by a portfolio of prior work, these same experience-by-demonstration hiring practices can help when assessing a candidate for a technically complex skill. Determining that a person is technically qualified for the position does not by itself address the likelihood of the candidate being a hired gun or IT mercenary. But part of the qualitative nature of the hiring process begins with a very old principle: you create a high-quality organization by hiring the right people. As the video mentions, it’s very easy for a person applying for a Database Administrator position to give all the right technical responses during a typical interview; in fact, you can web search for those kinds of details and memorize the responses with confidence. So asking, “Can you recover a crashed 11g database?” shouldn’t be accepted with a simple “Yeah, I can do that.” Remember to ask, “So how would you go about that?”

Now, if you’re facing a modern-day Kevin Mitnick, the challenge is to become aware of personality traits, because a person of that caliber is likely to respond with appropriate answers. But one of the simplest signs common to these individuals is over-confidence in themselves and their own skill sets. If you keep persisting, with questions like “What if that doesn’t work, then what?”, the true professional is not afraid to go outside of themselves and ask for help, whether through My Oracle Support service requests, TechNet Forums, or expert blogs like those of Tom Kyte, Steven Chan and Arup Nanda. Remember, “going public” is the thing an infiltrator is least likely to want to do, and such a person probably has little or no public or social media presence on the Net.

How Does COLLABORATE Help Secure your Organization?

Has your candidate presented papers or case studies of their achievements at conferences like COLLABORATE? Public-speaking skills aside, the Insider Agent personality isn’t likely to want their presence permanently recorded for every search engine to find and track. When over 7,000 people know your face and background, it’s pretty tough to simply assume a new identity and insert yourself into an organization for illicit purposes. So as part of your background research on potential candidates, don’t forget that the world-wide web can be a unique cross-check on how much an individual really knows, especially if they’re part of the global user group community alongside your own organization. Individuals who join user groups like IOUG, OAUG, and Quest aren’t likely to have ulterior motives beyond becoming well-trained and employed in their chosen real profession: IT.
