My Lair

Trust Management in Online Banking

Posted on January 18, 2012 by Kinda Strange

A trusted system is one that meets the expectation of risk. The system performs as expected, keeping risks within the accepted boundaries. This enables the system to meet the desired level of confidentiality, integrity, and availability of the organization. In online banking, a user must trust that his or her money will be kept safe and accessible, that automatic payments may be made, and that information should be kept private.

There are three levels of trust: component, information system, and enterprise. An overall security strategy determines the controls at each level, and ensures that the controls support each other for robust security. Each individual component, or device, must conform to the security policy of the organization. Minimal standards for the security policy of a component include disabling unused services, routine updates, data encryption, and strong passwords, as well as firewalls and anti-viruses as applicable. Managing trust starts with a documented and management-approved security program. A security program consists of policies, standards, and guidelines that clearly state management’s expectations (Olzak, 2011).

An end user of the organization’s online banking system should be able to access the account information 24/7. Data must be transferred over secure channels to prevent interception. Changes to account information, such as a deposit, withdrawal, or purchase, must update to the online account page as close to instantaneously as possible. Payments, transfers, and money-orders requested through the online interface must be made promptly and securely. The system should respond only to authorized end users and demand strong passwords.

Information must move across trust boundaries from the organization’s system to the end user’s system. As it is beyond the power of the organization to control the security of the end user’s system, it is vital to put as many safety precautions in place as possible. One option is to require additional security questions be answered if access is attempted from an unfamiliar IP address. The security must also flow both ways, with a method in place to assure the end user that they have indeed reached the bank’s secure website and not that of a phishing scam forger. One method used is to divide the authentication into two steps, then have the end user upload a picture or phrase which is then displayed once the user passes the first round of authentication, and then require a second round of authentication once the user is assured they have reached the correct location.

While the organization cannot control what the end user attempts to keep on their own system, the organization should ensure all data stored on its system is thoroughly encrypted. Information should be accessible only via connected to a server, never stored on a component that could conceivably be removed from the organization’s direct control. Physical access should be controlled both via authentication processes and physical security. End users should be secure in the knowledge that transactions are monitored and that red flags will be raised at unusual activity. Alerts will be investigated and audits be performed routinely on these procedures to insure every alert is responded to properly. The system itself should work to protect the end user from being a risk by requiring strong passwords and routine changes to passwords. The system should also protect the end user by limiting password resets and locking out the account after a certain number of unsuccessful authorization attempts. Should this occur the end user should be manually notified via phone or letter and verify identity and authorization before the hold on the account is released.

End users must be able to trust in the organization’s members, which requires proper separation of roles and inclusion in the security policy of processes for handling complaints and termination. Changes to account management should be restricted to a very small number of employees, and then only during their on duty times in which they are functioning in the role of account manager. The end user should be secure in the knowledge that an average teller is unable to alter account information, and that terminated employees are unable to continue to access the system either electronically or physically.

Continue reading →

Share and Enjoy:

Posted in Homework, Technology | Tagged Networking, Security | Leave a comment

Role Management

Posted on January 18, 2012 by Kinda Strange

Role based access control provides additional layers of organizational security against both errors and fraud. This method must be used sensibly and planned properly to be most effective. A properly determined role based access control model can mitigate or eliminate entirely the risk of a variety of issues (Ferraiolo, Chandramouli, Ahn, & Gavrila, 2003).

The role based access control model establishes relationships between various elements of a business process (Olzak, 2011). A role is a clearly defined position with an assigned responsibility that allows a user to perform certain operations within the system. Only operations pertinent to the role are permitted.

The human resource information system at Riordan Manufacturing keeps track of employee information, including personal information, rate of pay, tax exemptions, hire and seniority dates, organizational information, and vacation hours. Though changes to this information are submitted by an employee’s manager, they can only be entered into the system by a payroll clerk. Training and development records are kept by the Development Specialist, while the Compensation Manager tracks the results of job analyses and compensation decisions. Worker’s compensation is handled by a third party vendor.

Role	Alter employee information	Track training and development records	Track applicant information	Manage worker compensation claims	Keep individual employee records	Track complaints	Handle individual compensation decisions
Employee Manager					X
Training and Development Specialist		X
Worker’s Compensation Provider				X
Payroll Clerk	X
Compensation Manager							X
Employee Relation Specialist						X
Recruiter			X

The separation of roles serves to prevent errors, including fraud and malicious action, from coming into play. Certain tasks, such as altering an employee’s rate of pay, are split into three separate activities. The Compensation Manager determines the rate of pay, the Employee Manager submits the rate of pay, and the Payroll Clerk enters the rate of pay into the system. The tasks are mutually exclusive to prevent acts of fraud and to provide a trail for errors. For instance, if an employee receives a low paycheck after a raise, it can easily be tracked to determine what the raise was supposed to be, locate the form, and determine that the Payroll Clerk accidentally entered $40 an hour as $4 an hour. This also serves to prevent instances of favoritism where an Employee Manager may give a pet employee a significant and undeserved raise over a more suited employee. The Compensation Manager and Employee Manager are also unable to modify an employee’s record by adding additional training or manufacturing complaints to otherwise artificially justify changes to an employee’s status or rate of pay.

For determining pay information, the Recruiter, Employee Relation Specialist, and Training and Development Specialist provide pertinent information to the Compensation Manager as requested, who then gives the instruction to the Employee Manager. The Employee Manager then submits the change to the Payroll Clerk, in writing. Worker’s Compensation information can also be noted, such as a change to an employee’s availability for work.

Each role only has access to the operations vital to perform job functions. A recruiter needs to track information on applicants, but it is the Compensation Manager that approves the rate of pay, preventing a recruiter from promising an inappropriate rate of pay to a potential employee. A Compensation Manager does not get to access information on an employee’s worker’s compensation claims to prevent bias from entering any decisions. By making the tracking of employee complaints and workers compensation suits into separate roles, a need to know policy is enforced that helps prevent instances of discrimination and retaliation. This allows for all decisions to be made more objectively and based only on applicable criteria (O’Brien & Marakas, 2009).

A supervisor would inherit the permissions of his or her underlings. A payroll clerk has the ability to enter changes into the system, and the payroll supervisor has both the authority to enter changes into the system and to approve a run of payroll checks. To keep a proper separation of duties, the employee manager or operations supervisor should be the only one with the permission to print and hand out checks. This allows for three opportunities to correct errors and zero opportunities for the deliberate perpetration of fraud without multiple employees working together.

By properly utilizing the principles of need to know and least privilege in role determination, we have successfully eliminated most opportunities for discrimination, retaliation, and payroll errors in this organization. This removes a massive risk of lawsuits and fraud for the organization, resulting in an improved ability to safely do business. Continue reading →

Share and Enjoy:

Posted in Homework, Technology | Tagged Security | Leave a comment

Describe Project Selection and Organizational Goals

Posted on December 14, 2011 by Kinda Strange

It is important for an organization’s sustainability and success to identify projects suitable for Six Sigma and to determine when these projects should be deployed. If the project is ineffective, it might be more successful with Six Sigma, but not have an effect on the organization itself.

A suitable Six Sigma project will help the business in several ways, including significant business process improvements and a large return on investment (ROI).

Project Selection Process:

Identify opportunities for improvement and arrange organizational areas such as production, operations, finance, and strategy.
Analyze opportunities and group related opportunities together.
Evaluate and rank opportunities for improvement against the criteria of resources needed to implement the projects and the potential benefits in terms of ROI after completing the projects.

Some project selection methods include:

Criteria-based project selection matrix, which is awaiting matrix to rate projects are criteria decided by stakeholders and customers.
Pareto diagram, a prioritization tool known as the 80-20 rule.
Hoshin Kanri, a method used to deploy organizational strategies and identify projects that will help an organization achieve its goals.

While six Sigma projects are focused primarily on customers other areas of six Sigma projects can focus on are:

Performance improvement in critical to quality (CTQ) characteristics.
Reducing customer complaints.
Reducing defects, in-process or internal.
Reducing warranty claims.
Improving surveying customer research scores.
Effectively capturing feedback from staff members.
Increasing profits and revenue.
Audit score improvement.
Process performance and dashboard metrics improvement.
Increased growth over the competitors.

The two basic Six Sigma models are DMAIC (Define, Measure, Analyze, Improve, and Control) and DFSS (Design for Six Sigma), also called DMADV (Define, Measure, Analyze, Design, and Verify). The methodologies use measurement based strategies to achieve the objectives of process improvement and variation reduction. DMAIC is used to add incremental improvements to an existing process, while DFSS is used to develop new processes, services, and products when more is required to existing processes than just incremental improvements.

The JDI (Just Do It) method of problem solving is deployed when the rigorous methodologies of DMAIC are not needed for the continuous improvement process. JDI is a shortcut approach, but is useful when management has sufficient information to bypass or shorten the Measure or Analyze phase. JDI is also used when the process improvement team wants to demonstrate results. This can reduce data collection and analysis effort and allow time and effort to be saved by moving on to the execution stage.

The PDCA (Plan-Do-Check-Act) cycle is a basic four step process to carry out continuous improvement processes. The Plan step involves recognizing the opportunity for process improvement and to identify the plan for improvement. The Do step is the implementation of the plan. Employees are trained and activities such as scheduling and following up happen. If the desired process improvement is not achieved, the plan can be abandoned and the cycle start over from the Plan step. The Check step involves comparing the yielded results with the planned results. Deviations are recorded and a new improvement plan is proposed to achieve results. The Act step involves acting on the results of the check step and then either restarting the cycle or standardizing the results.

Total Quality Management (TQM) is structured to focus on satisfying customers via involving all members of an organization in the quality improvement processes. The main objective is sustained customer satisfaction, which is accomplished through systematic methods of problem solving, breakthrough achievement, and standardization. There are no hardline procedures for implementing TQM, and the PDCA is a popular TQM problem-solving tool.

Share and Enjoy:

Posted in Class Notes | Tagged Business, ElementK, Six Sigma | Leave a comment

Java – Create Arrays

Posted on December 6, 2011 by Kinda Strange

Data structures are a key feature in any programming language, enabling pieces of data to be stored and processed together as a single object. Java provides several categories of data structures, such as arrays and collections.

An array is a non-resizable data structure that stores multiple objects or primitive types together as a single object. It is a sectioned container where each section can hold a single array element. All of the array elements are the same type and are numbered with a unique number starting at zero, called the array index.

An array must be declared and initialized before it can be used to store data. Arrays are declared by placing a set of square brackets [] immediately after a datatype, followed by the name that will reference the array.

Datatype[] arrayName;

The square braces can also be placed after the name of the variable:

Datatype arrayName[];

To create an array of integers called numbers, it would be:

int[] numbers;

An array can also be an array of objects, such as an array of strings.

string[] words;

Declaring the array doesn’t make it usable. It must also be initialized. Creating the actual array in memory doesn’t occur until it is initialized. After declaration, the keyword new will initialize the array. This is where it is necessary to specify how large the array should be.

int[] numbers;
numbers= new int[10];

This declares the variable numbers to be an array filled with integers. It then creates the new integer array, of size 10, and assigns it to the variable numbers. It can be done similarly with an array of objects.

String[] words = new String[5];

A newly initialized array is empty, meaning that all its elements are null. The size of the array cannot be increased or decreased after being initialized. Arrays cannot have a negative size, attempting to do so will throw an exception.

After the array is initialized, it can be used to store data. Values are assigned to individual array elements, which are accessed using the array name and the index number of the array element. To store a value in the first element of the numbers array:

numbers[0]=2;

Since arrays are zero based, an integer array with a size of ten has array elements 0-9. Storing a value in element 10 or higher would cause an exception to be thrown for this array. The highest element in an array index is always one less than the total size of the array.

An array of primitive types contains values, while an array of objects contains references to the objects in memory.

Java does provide a mechanism that allows an array to be created and populated with only one line of code. To create a populated array of strings:

String[] beatleNames = {"John", "Paul", "George", "Ringo"};

This is the equivalent to:

String[] beatleNames;
beatleNames = new String[4];
beatleNames[0]="John";
beatleNames[1]="Paul";
beatleNames[2]="George";
beatleNames[3]="Ringo";

Share and Enjoy:

Posted in Class Notes | Tagged Arrays, Java | Leave a comment

Introduction to ASP

Posted on December 2, 2011 by Kinda Strange

ASP stands for Active Server Pages. It is not a software application or a programming language, but rather a server-side scripting environment. Common web sites are made up of static web pages, such as HTML (with some client side JavaScript) sent from the server to the client when requested. Solutions such as CGI/Pearl, ColdFusion, JSP, PHP, and others have allowed webpages to become dynamic and capable of on the fly customization and data retrieval based on user input. ASP was developed by Microsoft and made available in January of 1997.

In a static HTML page, the client (or user, someone surfing the web via browser) requests the HTML file from the server, and the server sends the file out to be viewed in the browser. In ASP, the server can process the file first, adding additional content or customization that will be sent to the browser. This is done by sending the file to ASP.dll, which parses the special ASP commands into HTML, client-side scripting, CSS, etc…

The resulting page includes only HTML, preventing browser compatibility issues beyond that of standard HTML (or CSS or other client-side scripting). The ASP also cannot be learned by viewing the source code of other sites, as they are executed on the server and the browser displays only the results.

ASP pages are text pages with HTML/CSS, optional client-side scripting, and server scripting that interacts with ASP objects and components. ASP code can be mixed with HTML as it does not need to be separately compiled or deployed. ASP can be edited with Notepad or any other simple ASCII text editor.

ASP is free, though it may require additional downloads to the Windows operating system to turn it into a development platform. It runs natively on Windows server, and can also be installed on UNIX or other servers with the use of additional software.

ASP Scripting Languages, Objects, and Components

ASP pages are composed of traditional HTML and client-side scripting with the addition of server scripting, ASP built-in objects, and ASP components. ASP is less complex than a full programming language such as C++ or Java.

One benefit is that ASP can be used with any scripting language that supports the ActiveX scripting engine, including VBScript and Jscript as well as PerlScript and Python. ASP only uses server-side scripting to produce the HTML viewed by the browser. Since the server does all the interpreting, the end result is available for viewing with all browsers.

Though ASP is flexible, it is best to avoid confusion and use only one language in most situations. Examples here will use VBScript.

Declaring the language on each ASP page is a good habit to practice. This can be done using the <%@ language directive before the <html> tag: <%@ LANGUAGE = ScriptingLanguage %>
Alternatively, the <script> tag can be used to declare scripting procedures on a web page.

<script language=VBScript runat=Server>
 ...Some code here...
 </script>

Commenting is also a good habit, though while HTML uses <!—and –> for comments, VBscript uses an apostrophe:

' this is a comment line

Comments will be removed when the script is processed by the server, so they will not be seen by the client or in the HTML source code.

The ampersand symbol (&) is used to concatenate strings together, such as ‘London Bridge is”&” falling down”. In conjunction with the underscore character (_), groups of strings that span more than one line of code can be concatenated together.

Variables should be declared, which VBScript does via the Dim statement:

Dim var1
 var1 = HarryDresden

It is best to explicitly declare variables to avoid confusion and eliminate the possibility of ambiguity. To force the declaration of all variables, place <% Option Explicit %> at the top of the page, just after the language directive. It demands all variables used on the page be declared first via Dim.

ASP is a modular environment, encouraging the re-use of code. The ASP Object Model comes with several built-in objects, each with its own properties, methods, events, and collections. Additional objects are available through the scripting language, and there are hundreds of third-party components available for purchase and installation.

Share and Enjoy:

Posted in Class Notes | Tagged ASP, ElementK, Microsoft | Leave a comment

Identify Organizational Drivers and Metrics

Posted on December 2, 2011 by Kinda Strange

Organizational processes are a set of core processes that make an organization effective, efficient, and adaptable; or processes are focused on delivering the right quality of products or services to customers, per customer requirements. Core processes differ from one organization to another and may be dependent on the organizational structure.

A manufacturer sources raw materials from their vendors. Material and resource requirement planning includes both inward and outward logistics. And when logistics include importing materials in stores, moving from supply to production line in a timely fashion, and storing raw materials as needed. Outward logistics include dispatching finished goods and forming the organizational process called supply chain management. This process may cut across different departments, geographies, and products.

Core processes are supported by sub-processes, enabling the processes to achieve higher customer satisfaction, better product quality, and increased delivery and time to market speed.

Purchase – Increase profitability by procuring high-quality raw materials at the most cost-effective price and optimizing the inventory cost of raw materials.
Production – Process raw materials efficiently and produce high yields by reducing defects and rework. Pay attention to training and reducing machine downtime via suitable maintenance programs for production machinery.
Sales and Marketing – Employ innovative strategies as part of public relations. Increase the willingness of the customer to buy the manufactured products via advertising and sales campaigns.
Delivery – Take care to process the order quickly, freeze the scheduled time of delivery, and ensure the delivery schedule is met in the most cost effective manner. Obtain customer feedback for this sub-process.

Organizational drivers are the highest level of measure in a business process and are strongly linked to the strategic goals of an organization. If the key drivers of an organization are achieved, the organization can be considered to have achieved its overall goal set for that period. Organizational goals are usually defined for a three to five year time frame. Organizational drivers are usually business level metrics, such as financial and performance measures. They can be customer, market, product, and/or supplier related, and form the backbone of any business effort to improve customer, operational, and financial performance.

There should only be about five goals at maximum. The measurement system is established to measure the progress of the strategic goals, and thus the strategic goals are referred to as the Big Y and are considered outputs in operational processes. These organizational drivers are linked to the downstream key metrics of processes.

Metrics are process and operational level measurements of the efficiency and effectiveness of processes. Operation level metrics are measurements that relate to the efficiency or effectiveness of cost, performance, time, and much more. They provide inputs to constantly gauge the effectiveness and efficiency of process improvement efforts. Efficient processes help an organization meet the three to five year strategic goals. Gauging the organization and its processes is dependent on the selection and use of these metrics. Operational and process level metrics are considered to be the ‘X’s and inputs for organizational drivers or the Big Y. Metrics are tactical in nature, measured often, and are easily impacted. Organizations can achieve the Big Y by monitoring and controlling these Xs.

A balanced scorecard (BSC) is a strategic performance management framework for measuring the impact of strategic decisions across all organizational drivers of an organization. BSCs provide a wider perspective on strategic decisions by measuring the impact on key business drivers, such as finance, customer requirements, internal processes, innovation, and growth perspectives. The BSC is intended to overcome the limitations of traditional performance measurement tools. Managers can use it to track the activities of their direct reports and monitor the impacts of their actions. In the decision making levels, a BSC is utilized as a tool that facilitates strategic decision making and provides insight into future performances.

Share and Enjoy:

Posted in Class Notes | Tagged ElementK, Six Sigma | Leave a comment

Describe Six Sigma

Posted on December 2, 2011 by Kinda Strange

Six Sigma is a process improvement approach that seeks to enhance quality and efficiency by eliminating the causes of defects and variation in a process. Sigma represents standard deviation and is used by statisticians to measure process variation. The Six Sigma approach is customer focused and aims at achieving increased bottom-line profitability. The goal is zero defects. Six Sigma is driven by a complete grasp of customer requirements, data-driven decision making, and statistical analysis to promote the improvement of business processes.

Standard deviation is a statistical measure of variation from the mean in a distribution or set of data.

Defects per million opportunities (DPMO) is the average number of defects across a million opportunities for a defect to appear.

A defect is a product, service, or parameter that fails to meet customer requirements. A Six Sigma quality performance indicates that less than 3.4 DPMO are present.

Process variation occurs whenever a process or set of processes delivers variable output.

Sigma levels provide a measure of the performance level of a process.

Six Sigma provides a means of handling declining product prices in the market to allow an organization to compete with the top companies in business. A common performance goal for the entire company helps to target the desire for zero defects. Six Sigma helps the organization achieve increased profitability and quality improvement rates, keeping it ahead of its competitors. Companies seeking to achieve Six Sigma see reduced scrap-related costs, improved yield, and increased customer satisfaction.

Work is a process that requires inputs to produce outputs and asserts that variations in the quality of the output can be reduced by controlling the inputs. The process is one that can be defined, measured, analyzed, improved, and thus controlled. If output = Y and input =X, the process is expressed as Y=f(X).

The primary goal of Six Sigma is to implement a measurement based strategy in an organization that concentrates on process improvement and reducing variation. Other goals include:

Reducing the number of defects to improve the quality of a product or service
Achieving customer satisfaction and ensuring customer expectations are met
Reducing cycle time to enable the faster delivery of products
Improve efficiency and effectiveness of the organization to raise profitability

Six Sigma is a combination of the best elements of various quality improvement methodologies and is a rigorous statistical-driven approach to performance improvement. The term was coined by Bill Smith, an engineer at Motorola.

Uniformity System –Introduced by Eli Whitney in 1798. Created necessity for measuring dimensions and evolved into specifications
Moving Assembly Line – Introduced by Henry Ford in 1913. Highlighted importance of maintaining a regular supply of parts that fit to ensure that the production assembly line would not be forced to slow down or stop. Led to the sampling method, replacing 100% inspection.
Control Charts – Introduced by Walter Shewhart in 1924 and signaled the age of statistical quality control
Quality Movement – Pioneered by the Japanese in 1945. Uses data to quantify variation and integration of quality across all levels of an organization.
Customer Centric Products –Focuses on eliminating defects and reducing cycle-time to result in the production of high-quality, efficient, and customer-centric products.
Zero Defects Concept –Introduced by Philip Crosby in 1980. Perfection in a product, process, or service is attainable.
Quality Standards – Introduced by the International Organization for Standardization (ISO) in 1987. Global quality standard, leading to uniformity in quality practices across countries.
Six Sigma – Motorola won the first Malcom Baldridge National Quality award in 1987, confirming that its metric-based, customer-centric quality approach worked and leading to the present Six Sigma methodology.

A process is a set of structured activities or tasks that produce a specific output or product that meets customer specifications or requirements. A process may lead to a sequence of interrelated processes where the culmination of one process is the beginning of another. Process inputs can be data, services, or materials that a process converts into outputs. The recipient of a process input is the process itself. Components, dimensions, and process settings can be considered process inputs for the organization itself.

If the process is developed per Six Sigma goals, process inputs are referred to by the term ‘X’, and are the focus of attention due to their vitality in meeting customer specifications. Process inputs are referred to as Key Performance Input Variables (KPIVs) or the independent variables, causes, problems, or metrics, which can be controlled.

A process output is the material, service, or data that results from the operation of a process. The recipient of a process is usually the customer or client. In some processes, the output is then used as the input for the next stage of the process or for a different process. A process can result in more than one output. If the process is developed per the goals of Six Sigma, then the process output (referred to as ‘Y’) is a good measure of customer requirements. Customer requirements are met by the process consistently delivering on the output metric. Process outputs are also referred to as Key Performance Output Variables (KPOVs) or the dependent variables, effects, symptoms, or metrics which will be monitored.

Share and Enjoy:

Posted in Class Notes | Tagged ElementK, Six Sigma | Leave a comment

S	M	T	W	T	F	S
« Dec
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Trust Management in Online Banking

Role Management

Describe Project Selection and Organizational Goals

Java – Create Arrays

Introduction to ASP

ASP Scripting Languages, Objects, and Components

Identify Organizational Drivers and Metrics

Describe Six Sigma

Buy me a beer

Nanowrimo

ScriptFrenzy

Administration

Categories

Links

Blogging

Computers

Education

Miscellaneous

Society

Writing

People’s Activist Network

Recent Comments

Twitter

Archives