Bragging Rights: GDPR Training

I’ve successfully completed the Understanding the GDPR MOOC offered by the University of Groningen’s Security, Technology and e-Privacy (STeP) Research Group on FutureLearn.

Observations:

  • It’s a four-week course, but I had completed a good amount of on-the-job research prior to taking it and, therefore, managed to finish the entire thing in about a week.
  • The topics covered are both comprehensive and realistic. It doesn’t get bogged down in the details and does an excellent job of covering the issues companies need to know in order to begin a gap analysis and ensure compliance.
  • The General Data Protection Regulation (GDPR) is still very new, and many of the questions professionals, researchers, companies, corporations and governments have cannot yet be answered. The reason for the lack of answers is simply this: when an issue is taken to court, the courts will hold a full investigation and trial, and the results of that legal process will stand as precedent for future decisions. There is very little legal precedent currently established, so the academic and professional focus is on the ‘spirit of the requirements’ and the ‘primary objectives behind the establishment of the law.’
  • The course has a series of quizzes that must be passed at 75% or higher (total cumulative score) in order to receive a certificate. There’s only one opportunity to take each quiz – they cannot be redone. It’s possible to open up the videos, articles and lecture notes while taking the quiz and there is no time limit – so it is (in essence) open book. It is not possible, however, to search everything and auto-find the answers. So, be sure to do your readings, watch all the videos and pay attention to the notes provided during the practice quizzes!
  • Successful completion of the full (paid) version results in a certificate that can be used for continuing education credits (this is useful if you hold a professional certification in a related area!).

The MOOC is well worth the time and effort. I highly recommend it to anyone involved in GDPR compliance or information security.

GDPR: Facebook data privacy scandal

Like any organization providing services to users in European Union countries, Facebook is bound by the EU General Data Protection Regulation (GDPR). Due to the scrutiny Facebook is already facing regarding the Cambridge Analytica scandal, as well as the general nature of the social media giant’s product being personal information, its strategy for GDPR compliance is similarly receiving a great deal of focus from users and other companies looking for a model of compliance…Facebook members outside the US and Canada have heretofore been governed by the company’s terms of service in Ireland. This has reportedly been changed prior to the start of GDPR enforcement, as this would seemingly make Facebook liable for damages for users internationally, due to Ireland’s status as an EU member.

“Shadow profiles” are stores of information that Facebook has obtained about other people—who are not necessarily Facebook users. The existence of “shadow profiles” was discovered as a result of a bug in 2013. When a user downloaded their Facebook history, that user would obtain not just his or her address book, but also the email addresses and phone numbers of their friends that other people had stored in their address books…Because of the way that Facebook synthesizes data in order to attribute collected data to existing profiles, data of people who do not have Facebook accounts congeals into dossiers, which are popularly called a “shadow profile.” It is unclear what other sources of input are added to said “shadow profiles,” a term that Facebook does not use, according to Zuckerberg in his Senate testimony.

Facebook data privacy scandal: A cheat sheet, Tech Republic, By James Sanders and Dan Patterson, June 14, 2018

Information Security Resources: Federal USA

United States of America Federal Regulations and recommendations affecting Information Security, cyber security, data security and privacy.


Information Security Resources: International Organizations

Organizations providing international information security standards and recommendations:

Book Review: It’s Not About You


“Give people something good to live up to—something great—and they usually will. In fact, often they’ll even exceed those expectations.”

This book reads like a novel. It’s a lovely, heartwarming, story about a manager trying to coordinate a merger between a small family business and a larger corporation.

He’s there to convince people, to persuade them to do what his employer wants them to do. He’s there to meet his own career objectives. While he achieves his goals, he also learns crucial lessons about doing business both ethically and effectively – about negotiating a win-win situation and about leading people toward goals that may not be clear to everyone involved.

“The single biggest challenge to any organization is the constant cloud of fear and doubt that swirls around the heads of the people involved. As a leader, your job is to hold fast to the big picture, to keep seeing in your mind’s eye, with crystal clarity, where it is you’re going—that place that right at this moment exists only in your mind’s eye. And to keep seeing that, even when nobody else does. “Especially when nobody else does.” Your people count on you to do this. It’s the biggest job you have.”

This isn’t the business management version of A Christmas Carol. The main character is a far cry from the wicked Mr. Scrooge. In fact, he’s essentially a really good guy with some rather standard perspectives on management and business. This is a story about a good guy transforming into a better guy – a better manager and a better person.

“Building a business takes skill, work, and materials . . . but those are details. More than anything else, building a business—really, building anything—is an act of faith. Because you’re creating something out of nothing, you see?”

It’s a light read filled with truly useful advice, making it the perfect business book to pick up over the holidays.

It’s Not About You: A Little Story About What Matters Most in Business by Bob Burg, John David Mann

Book Review: Women and Career Decisions

There are a lot of books focused on women in the workplace. Most are written by women who are CEOs, successful entrepreneurs or otherwise well known for their professional achievements. Wander Woman: How High-Achieving Women Find Contentment and Direction by Marcia Reynolds is not that book.

Wander Woman is filled with facts:

What most surprised the managers was that the top-performing women did not stay and fight. These days, strong women take their expertise and knowledge to greener pastures.

Their workplace wish lists rarely state “being promoted” as a prime motivator. Instead, my survey respondents told me they look for (1) frequent new challenges that stretch and grow their ability to achieve; (2) the opportunity to be flexible with their schedule; (3) the chance to collaborate with other high achievers; (4) recognition from their company; and (5) the freedom to be themselves.

And with highly quotable and inspirational statements:

If you want to change how you relate to others and run your life, you have to first transform your concept of self. If you try to change your behavior without first transforming who you think you are, the changes will last a few days until you quit thinking about them.

But the real strength of this book comes from her personal experience. She describes being an overachieving teen who gets into trouble that very nearly destroys (or ends) her life:

I learned one of my greatest life lessons—if you don’t know who you are, you will never be content with what you can do—in one of the darkest places on earth, a jail cell. A year after high school graduation, I ended up spending six months in jail for possession of narcotics, an experience I swore would never happen to me. In truth, the sentence saved my life.

And delves into her struggles as the daughter of a man who was so tied up in his self-imposed identity as a man-who-works that he was unable to handle retirement:

The day the doctors told my father he could no longer work was the day he accepted his death sentence…In my anger for his leaving me, I somehow missed the lesson in my father’s passing. My father could not be a retiree. He could not free himself from the identity of being a successful businessman. When he could no longer hold on to that identity, he quit…When he had to give up his formula for prestige, he gave up his will to survive. I desperately tried to help him see what else he could accomplish if he redefined his goals. I didn’t see that his addiction to achievement was killing him.

There are pages upon pages of down-to-earth realistic advice pulled from the life of a highly-relatable professional woman. Reading it feels like sitting down for coffee or tea with a friend and hashing out the day-to-day frustrations every one of us has to face. I came away with advice that I regularly use:

I choose my work based on what I have defined as my purpose and say “no” to everything else. When I am buried under a to-do list, I prioritize and let some things go with no guilt. My exercise and fun time can’t be compromised. These are the good days.

This isn’t grandiose advice handed down to the masses by a woman who has achieved dizzying heights. It’s perspectives, thoughts and ideas that actually apply to the challenges of daily life, provided by someone who has been through it herself.

Elements of Workplace Mobbing

Quote

Mobbing happens when conflicts in a workplace (1) escalate out of control, (2) begin to involve increasing numbers of people, (3) are left without effective intervention by management, (4) result in the targeting of a victim for blame (otherwise known as scapegoating) who is then held responsible for both starting and stopping the conflict and who, ultimately, is eliminated from the organization.

Overcoming Mobbing: A Recovery Guide for Workplace Aggression and Bullying by Maureen Duffy Ph.D., Len Sperry Ph.D.

October is national bullying prevention month!

Bad Management, Company Culture and Workplace Mobbing

Quote

Unhealthy and toxic organizational culture and leadership combine to create mobbing-prone organizations. Singling out an individual “bully” to blame and purge from the organization is generally a poor and wrong-headed solution to what is an organizational and not an individual problem.

In addition to multiple acts of proactive unethical communication, the ganging up and mobbing process also includes a form of unethical communication characterized by failure to act or silence in the face of worker mistreatment. These kinds of aggressive acts against a victim include acts of omission that involve failure to take action when action is called for. Such aggressive acts of omission are frequently committed by management and administration in their efforts to appear uninvolved in an escalating conflict that results in the mobbing of a victim.

Overcoming Mobbing: A Recovery Guide for Workplace Aggression and Bullying by Maureen Duffy Ph.D., Len Sperry Ph.D.

October is national bullying prevention month!

Insider Threat Program – Basic Structure

Quote

Governance of an Insider Threat Program

A mature governance structure is essential to effectively develop, deploy, and manage an insider threat program. The CERT Insider Threat Center recommends that the organization implement a governance structure that enables the insider threat program to

  • Maintain an updated knowledge base related to insider threats including staying current with the latest research and capturing lessons learned.
  • Provide support to the insider threat program stakeholders to ensure the groups are meeting their objectives, providing the appropriate inputs to the insider threat program manager and appropriately communicating results and decisions to other insider threat program stakeholders.
  • Monitor governance practices to ensure that governing bodies are meeting insider threat program needs, to make recommendations for improvement, and to refine the measures as needed.
  • Capture and communicate insider threat program success stories to internal and external stakeholders to increase program support.
  • Execute a comprehensive program-risk-management approach and required procedures for insider threat program stakeholders.
  • Perform processes including budgetary review, the development of future technical requirements, continuous operation procedures, and risk management.
  • When applicable, facilitate both formal and informal Continuous Diagnostic Monitoring (CDM) governance training for the CDM program staff, departments and/or agencies (D/As), partners, and stakeholders.
  • Maintain and execute the program schedule for updating charter guidance, procedures, and policies based on ongoing lessons learned (both internally and externally), best practices, and stakeholder input.

Common Sense Guide to Mitigating Insider Threats, Fifth Edition, The CERT Insider Threat Center, Software Engineering Institute at Carnegie Mellon University (http://www.sei.cmu.edu), December 2016
TECHNICAL NOTE: CMU/SEI-2015-TR-010

Devastating Group Dynamics

Quote

For mobbing victims, the huge disappointment is that the choice a bystander is most likely to make is the choice to not get involved and do nothing. From the perspective of the mobbing victim that choice represents betrayal. The mobbing victim is likely to think that coworkers will come to his or her aid and defense. That they usually do not is devastating to the victim, who valued his or her relationships with coworkers and who no longer feels able to trust them. From the perspective of the bystanders, trying to keep their distance is about fear and self-preservation. Bystanders do not want to have happen to them what happened to their mobbed coworker. The fear and avoidance of the social exclusion at the heart of workplace mobbing is deeply ingrained if not primal.

Overcoming Mobbing: A Recovery Guide for Workplace Aggression and Bullying by Maureen Duffy Ph.D., Len Sperry Ph.D.