This is a follow-up on how to achieve a holistic view of security within an organization. Surely everyone would agree that effective communication is a core requirement. When an adverse event occurs, it needs to be reported, discussed, and brought to resolution in a way that brings together all the relevant people. This includes the reporters, the witnesses, and the experts. Third parties, such as law enforcement, may be involved. It should always be clear who, within the organization, is responsible for managing the incident, although this may change as more information emerges. Different experts may be needed, and particular departments or people will need to be informed. So what are the barriers to this level of collaboration? And how does our product TeamMacro TERSM help to overcome them?
Language Differences
In organizations that must work across different countries, this is a big one. The basic information being reported may be in one language, but the forensic analysts, experts, and people who need to understand what happened may not speak that language. Information about an incident is entered in the user's language, but it can be easily compared and so translated into the organization’s main language. Because both the original and the translation are stored, users can view the information in the language they are most comfortable with. Also, TeamMacro TERSM can easily be translated to any language (28 have been done before). It is designed to take account of the different lengths of sentences on the screen: for example, German and Hungarian can be quite verbose, yet Chinese, say, being pictographic, is extremely brief.
It is also important that the customer can do translations on-line without needing any technical expertise. TeamMacro TERSM has a well-developed, customer-driven process for creating and updating translations. The customer utilizes their own in-house language expertise to translate the terms. At the same time, however, strong controls are in place to ensure only vetted and approved translations appear in the production system.
Technical Terminology
In describing the event, security people will typically use technical terminology or jargon to summarize what happened. For instance, theft takes many forms, including robbery, stealing, larceny, pilfering, shoplifting, burglary, holdup, misappropriation, embezzlement, defalcation, and so on. All have different nuances, presumably well understood by security professionals, but only loosely comprehended by reporters and witnesses. Cyber Crime, of course, has a specialized language that typically describes how an exploit was engineered: phishing, online harassment, cyberstalking, invasion of privacy, identity theft ... the list goes on and on. Data Protection, too, is full of legal concepts that derive from the regulations. These terminology barriers can be overcome by allowing, wherever possible, non-technical users to describe things in simple common terms and technical users to enhance that with the more precise and necessary technical terms.
Lack of Standardization
There are advantages in categorizing the event in standard ways, for instance, as theft and then the type of theft. Other seemingly simple descriptions, like the location of the event, may not in fact be simple. Think of a supply chain where something, due to theft, did not arrive; it may be quite hard to discover the actual location of the theft. Also, how do we measure the loss? We need to be able to compare the impact of one event against another to know its importance. If loss is measured in different ways, for example, cost versus price, one currency versus another, total loss versus loss less recoveries, then we cannot account properly, in financial terms, for what happened. Especially when aggregating results to compare different parts of the organization, it is essential to use standard results and to apply agreed-upon business rules. By using software to record incidents, a level of standardization is effectively enforced simply through the validations it can provide. TeamMacro TERSM facilitates collaboration, providing a central point for the information and, in most cases, an automatic way of sharing and alerting those who need to know. Keeping the information centralized and not, for instance, on users' desktops allows it to be protected in "fortress IT" and not unnecessarily duplicated and moved around on devices that could be lost or stolen.
Multiple Systems for Reporting
Ideally, for a holistic view of security, there should be one system that contains all the relevant information, available at any time to those who need to know. But in our experience, in large organizations this is rarely possible, often for valid reasons, and also for dubious ones. The IT department undoubtedly needs specialized software to protect IT systems from attack, especially viruses and the like. But adverse Cyber events are increasingly the result of social engineering rather than software tampering. So, something like identity theft becomes a concern of the security department as well as the IT department. Some events have many dimensions; take, for example, the theft of private data from a vehicle through violent means. This may involve many departments: Security, IT, Data Protection, and Human Resources because of health and safety. IT may elect to record the event in their Cyber system, Data Protection may be required by law to make a record, as might Human Resources. A common solution is to use the ubiquitous spreadsheet - because that is so easy to do, especially if the number of incidents is low. But that does not overcome any of the barriers mentioned above, and it creates islands of potentially tamperable and at-risk data in different parts of the organization. TeamMacro TERSM supports all these departments, except for very specialized requirements like Anti-Virus. In the case where other systems are in use, whether through necessity, during transition, or simply because a department is wedded to something else, TeamMacro TERSM allows interfaces to be created to replicate incidents in both systems.