National Institute of Standards and Technology (NIST) Secure Password Guidelines
The National Institute of Standards and Technology, otherwise known as NIST, is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. NIST was created to promote innovation and industrial competitiveness in certain industries such as information technology, nanoscale science and technology, and engineering. NIST has been named to lead the development of appropriate technical standards for reliable, robust, trustworthy, secure, portable, and interoperable AI systems by the American AI Initiative. In June of 2017, NIST published guidelines for ideal requirements for protecting one’s digital identity.
Characteristics of Secure and Strong Passwords
According to NIST’s secure password guidelines, there are certain password factors that are recommended for better security. Some of these guidelines are:
- Minimum eight characters with a suggested maximum of 64 characters
- Ability to use special characters (e.g. ?&!@)
- Restriction of repetitive or sequential characters (e.g. abcde or 1111)
- Restriction of context specific phrases (e.g. email or username)
- Restriction of commonly used passwords or passwords obtained from previous breach corpuses
The restriction of various password phrases is important because predictable passwords are likely to be guessed by attackers. Candidate passwords are compared against a blocklist of unacceptable values and rejected if they match any of the predefined conditions. A blocklist usually consists of simple dictionary words, previously used passwords, and specific words and phrases tied to the organization or service.
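The checks listed above, as an added example that is not NIST's reference code or code from Freed Maxick: length bounds, a blocklist standing in for a breach corpus, repetitive and sequential runs, and context-specific values such as the username or the local part of the e-mail address. The rule thresholds (a run of four characters), the blocklist contents and the organisation words are this example's own constructed assumptions.

```python
"""Password-acceptance checks modelled on the guidance summarised above.
Added example; thresholds, the sample blocklist and the helper names are
this example's own assumptions, not NIST reference code."""
import re
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breach corpus / common-password list. A real
# deployment loads a large list (millions of entries) and compares normalised values.
BREACHED_OR_COMMON = {
    "password", "password1", "123456", "qwerty", "letmein", "iloveyou",
    "welcome1", "admin123",
}

# Constructed organisation-specific words that must not appear in a password.
ORG_CONTEXT_WORDS = {"acme", "acmecorp"}


def _normalize(pw: str) -> str:
    """Unicode NFKC so visually identical strings compare the same way."""
    return unicodedata.normalize("NFKC", pw)


def has_repetitive_run(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one code point
    (e.g. abcd, 4321). Case is ignored so AbCd is caught too."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str = "", email: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is accepted.
    No composition rule (upper/lower/digit/symbol) is enforced, in line with the guidance."""
    pw = _normalize(pw)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_OR_COMMON:
        problems.append("appears in the breach/common-password list")
    if has_repetitive_run(pw):
        problems.append("contains a run of repeated characters")
    if has_sequential_run(pw):
        problems.append("contains a sequential run of characters")
    # Context-specific values: the username, the e-mail local part, org words.
    context = {username, email.split("@")[0] if email else ""} | ORG_CONTEXT_WORDS
    for word in context:
        if word and len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains context-specific value {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["house kangaroo 28 card ticket", "password1", "Summer1111!"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The passphrase from the next section passes every check even though it contains no symbols, while a short or breached value is rejected; the blocklist comparison happens on the lowercased, NFKC-normalised value so trivial case changes do not bypass it.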
Random Characters Do Not Equal Strong Passwords
NIST suggests that a strong password is something unique that the owner will remember but someone else cannot guess. Contrary to past popular belief, passwords built from a mix of upper- and lower-case letters, numbers, and special characters are no longer recommended; instead, NIST favours long, memorable phrases such as “house kangaroo 28 card ticket”, where the phrase does not make sense as a sentence but can be pictured in your mind.
In addition to strong passwords, the controls surrounding passwords are equally important. Even though the new guidelines rely less on length and complexity, lockout after repeated failed attempts should be configured to stop the large numbers of guesses that could be a sign of an attack. Another control is password history restriction, which does not let personnel reuse any of their previous passwords, because those passwords may have been compromised.
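The two controls just described, lockout after repeated failures and a password-history check, as an added example that is not NIST's or Freed Maxick's code. The thresholds (five failures, a fifteen-minute lock, ten remembered passwords), the `Account` and `ManualClock` class names and the PBKDF2 iteration count are this example's own assumptions; history entries are stored as salted hashes rather than plaintext so that the reuse check does not itself become a store of old credentials.

```python
"""Controls around password use: lockout after repeated failed logins and a
password-history check. Added example, not NIST reference code; thresholds,
class and method names and the iteration count are this example's own choices."""
import hashlib
import hmac
import os
import time
from typing import Callable, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts
HISTORY_DEPTH = 10               # previous passwords that may not be reused
# Kept low so the example runs quickly; use a much higher count in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; history holds (salt, digest) pairs, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


class ManualClock:
    """Clock that only advances when told to, so lockout expiry can be exercised offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Account:
    def __init__(self, password: str, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._history: List[Tuple[bytes, bytes]] = []   # oldest first, current last
        self._failed = 0
        self._locked_until = 0.0
        self._store(password)

    def _store(self, pw: str) -> None:
        self._history.append(hash_password(pw))
        self._history = self._history[-HISTORY_DEPTH:]   # keep only the newest entries

    def is_locked(self) -> bool:
        return self._clock() < self._locked_until

    def login(self, pw: str) -> bool:
        """False while locked, even for the right password; locks after too many failures."""
        if self.is_locked():
            return False
        salt, digest = self._history[-1]
        if verify(pw, salt, digest):
            self._failed = 0
            return True
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failed = 0
        return False

    def change_password(self, old: str, new: str) -> Optional[str]:
        """Return None on success, otherwise the reason the change was refused."""
        if self.is_locked():
            return "account is locked"
        salt, digest = self._history[-1]
        if not verify(old, salt, digest):
            return "current password incorrect"
        if any(verify(new, s, d) for s, d in self._history):
            return "matches a previous password"
        self._store(new)
        return None


if __name__ == "__main__":
    clock = ManualClock()
    acct = Account("house kangaroo 28 card ticket", clock=clock)
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.login("wrong guess")
    print("locked after repeated failures:", acct.is_locked())
    clock.advance(LOCKOUT_SECONDS + 1)
    print("reuse refused:", acct.change_password("house kangaroo 28 card ticket",
                                                 "house kangaroo 28 card ticket"))
```

A policy validator (length, blocklist, context checks) would normally run on the new password before `change_password` accepts it; the history check here only answers the reuse question. The lock is enforced on the correct password too, which is the point of the control: once the failure threshold is reached, further guessing yields nothing until the lock expires.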
For more information about secure password guidelines, check out the NIST website focused on information technology publications. To learn more about our risk consulting services, contact Katelyn.Crowley@freedmaxick.com, connect with me here, or call 716.362.6281.
If your organization is looking to reduce its costs with IT assets, you should consider implementing an IT asset management (ITAM) system. Tracking your organization's IT assets is an effective way to reduce unnecessary spending on software licenses and IT infrastructure. This can eliminate the purchase of assets your organization already owns, utilize your organization's current assets more efficiently, and be better prepared for the replacement of old devices or expiration of software licenses.
Building your organization's IT asset management goals
Before implementing an ITAM system within your organization, you should first determine your organization's goals. It is critical to identify specific objectives and desired outcomes to assist you in developing a system of measurement to align with these objectives. Take a moment to list what you would like to achieve with your ITAM system and rate these achievements to determine what is most critical to your organization.
Determining your system of IT asset measurement
Once you have established your desired IT asset management goals, it is important to choose key performance indicators (KPIs) that measure the progress toward achieving your goals. This will help your organization evaluate the adequacy of its ITAM system. For instance, if your organization would like to emphasize software license compliance, your organization could track licenses by expiration date or the ratio of used purchased licenses to unused purchased licenses.
Using an effective measurement system not only assists in tracking assets but also provides beneficial information for future decision-making. As you strategize your ITAM system, be mindful of choosing logical metrics that correlate with your goals. Consider the following ways an ITAM system could provide value to your organization and the potential metrics that could be used for:
- Defining an IT budget by tracking asset costs
- Reducing discrepancies to the IT environment by identifying assets that cause service failures
- Optimally employing existing resources by identifying users with multiple workstations.
Establishing an IT asset repository
If there is uncertainty with where to begin in implementing your ITAM system, start by establishing a full IT asset repository. No matter the size of your organization, it is best practice to track your organization's IT assets to reduce the risk of not discovering lost or stolen assets. When deciding how your organization will maintain a repository, acknowledge who will be responsible for updating the listing, as well as how the process can be integrated into your existing IT service support management and change management systems. Be sure your organization's repository incorporates all relevant IT assets, including:
- Hardware and software
- Network and communication infrastructure, servers, and applications
- Mobile devices
- Cloud assets
For each item in the repository, be sure to include the following relevant information as well as any additional critical metrics you identified previously to measure the progress toward achieving your organization's goals.
- Model and serial numbers
- Maintenance, repair, change, and upgrade information
If your organization must comply with industry regulatory requirements such as HIPAA and PCI, it may be useful to record where critical or sensitive data is stored to increase the efficiency of audits.
ITAM throughout the IT Asset Life Cycle
ITAM is more than just maintaining a listing of assets; it extends to processes in each step of an asset's life cycle. The IT asset life cycle is a series of stages that an asset goes through during an organization's ownership, from requisition to retirement/disposal. In order to establish and maintain a robust ITAM system, your organization should consider the processes and controls in place surrounding each stage in the cycle.
- IT Asset Requisition
During the asset requisition stage, controls should focus on the proper authorization of asset purchases. The authorizing person or group should reference the asset repository to check if a requested item is actually available to avoid unnecessary purchases and confirm that the requested item is compatible with company policies.
- IT Asset Procurement and Receipt
In the procurement and receipt stage, orders should be placed only to approved vendors, and vendor lists should be reviewed periodically to avoid purchases from unauthorized vendors. The IT asset manager should anticipate delivery times and verify that new assets are logged either upon delivery or before releasing to the user.
The receiving department’s manager is responsible for reconciling received assets with original requests to ensure that delivered equipment that is faulty or that does not match the purchase order is returned to the supplier and not added to the asset repository. The receiver should also assign a unique identifier for the asset as communicated by the asset manager. At this point, the asset should be recorded in the asset repository with relevant information covered in the previous section. The IT technician then schedules installation, as needed.
- IT Asset Deployment
The deployment stage puts the asset to use. The asset repository should be correct prior to the deployment of equipment to users. The IT technician is responsible for installing IT equipment for the user and making sure it is configured and ready for use. The user should receive training on how to use the asset, with additional training available, if needed. Employees should sign an acceptance form for the equipment once it is delivered. This form should be recorded or kept in the user's personal HR record so that equipment can be retrieved if the individual leaves the organization. If an asset was previously deployed to a different user, a process should be in place to wipe information from that asset before cascading to the new user.
- IT Asset Maintenance
Asset management is a continual process. As such, ensure that your organization consistently follows its ITAM policy as your assets go through maintenance, repairs, and changes. A clear policy should be documented to cover what changes are acceptable, who is responsible for authorizing changes, and what action will be taken if the organization's procedures are not followed. Significant maintenance, repairs, or changes surrounding IT assets should be recorded in the asset repository prior to releasing equipment.
Your organization should have regular audits of its databases and workstations, as well as regular reviews of systems and procedures with recommendations for improvements, where necessary. Consider the legal and regulatory requirements in terms of software licenses and contractual issues, such as maintenance contracts, insurance contracts, and lease contracts.
- IT Asset Retirement/Disposal
Eventually, it will be time to dispose of or retire your assets. Ideally, the replacement of assets is planned rather than a consequence of an item suddenly ceasing to function. Each addition to your asset repository should be matched by the removal of the old equipment it replaces. A process should be in place to wipe company information from an asset prior to disposal, using a professional third party.
When equipment is re-issued to a user, old equipment should be removed at the time of issuing new equipment. A return form should be completed, with a copy sent to HR for the employee's record. The employee's manager is typically responsible for the return of equipment.
ITAM can seem like a daunting process. It is important to initiate the process with a plan based on the needs of your organization. Avoid getting bogged down by too many details by only tracking information that will be most useful to decision-making in your organization.
Connect with a Freed Maxick IT Asset Management Consultant
If you are interested in establishing an ITAM system for your organization, or improving your organization’s controls surrounding the IT asset life cycle, our Risk Advisory Services team can work with you. Our internal control consultants will conduct an examination of your organization's ITAM system to identify weak areas. We can recommend the appropriate level of control for your organization and develop systems to monitor, assess and update those controls.
For more information regarding how Freed Maxick can help, please call 716.847.2651 or contact us here.
Do you employ a risk and control inventory?
No matter where you get your business news, it seems like a day never goes by without a story about a large reputable organization in hot water for a failure of management to recognize and manage a risk.
However, the news is also full of favorable press for executives and businesses navigating tricky waters and thriving despite risks.
In order to understand risk, let’s start with the dictionary definition. Risk is the “possibility of suffering harm or loss; danger”; i.e., loss of financial wealth, emotional well-being, social status, and/or physical health, etc. We take risks in order to gain a reward resulting from a given action or inaction, foreseen or unforeseen. The biggest problem with risk is that too many businesses fail to thoroughly understand and manage it, but in order to manage risk, you need to be able to measure and understand your organization’s tolerance for risk.
Then, how do we measure risk and how do we minimize risk? How do we weigh our options as we assess risks? What is our risk appetite?
How to Make an Educated, Real Time Decision About Risk
Executives must make decisions every day, often under tremendous pressure to deliver an answer in a split second. How do you know that you are making the right decisions?
The key to making educated risk decisions in the spur of the moment is to develop a thorough understanding of the risks that your business faces and its tolerance for risk ahead of time. Armed with this knowledge, you can proactively manage existing risks and identify and respond to new risks as they arise.
Being risk-focused means having your ducks in a row. Some items to consider:
- Understand the risks within your industry, i.e. operational, environmental, regulatory, and technical, etc.
- Have an idea what your competitors are doing regarding risks and their reactions to them.
- Do you have a risk and control inventory?
- What is your organizational risk culture and what risk programs do you presently have in place?
10 Steps for Creating a Risk and Control Inventory
One way to understand the risks that affect your business or department is to create and maintain process flows and narratives that identify relevant risks and their controls. This is a very simple exercise, but many businesses never take the time to do it.
Follow these steps to create a risk and control inventory:
- Challenge your team to stop and think about the processes within their specific area.
- Identify processes that generate inputs to your workflow. (What must happen before we can start our work?)
- Identify where your process outputs go. (What steps happen once your work is done?)
- Inventory each process within your area that modifies the input you receive in order to create the output you deliver. Document these processes in writing.
- Plot each process from beginning to end. (Sometimes you might have to think about the actual processes by breaking them down to several pieces. You can go as high-level or as detailed as you wish).
- Once you understand each of the process steps, identify the risks associated with each one. For every step, list each of the possible things that could go wrong.
- Then identify the corresponding controls designed to address those risks.
- Number your risks and controls for easy reference. Make sure that each risk has at least one corresponding control. If one doesn’t exist now, the creation of a new control could be one of the first to-dos coming out of the process. (An added dividend of this process is you may identify repetitive or non-value-added steps that can be eliminated to streamline the flow.)
- Create a process flow narrative. It shouldn’t merely repeat the process steps. The narrative should add value to the process by identifying associated risks and controls at each step.
- Refer to these risks and controls going forward by their assigned reference numbers. Documentation should be clear and precise, including just enough detail that the reader understands the risks in play.
The flow charting process may take several tries. Confer with process owners to determine how detailed you need to make the chart in order to help everyone understand their roles in identifying and controlling risks. Don’t get discouraged if you cannot get the processes down the first time. Once completed, it will help you to see where exactly the risks and controls lie. Once identified, then the next step is how to use this information in order to mitigate these risks.
Connect with a Freed Maxick Risk Management Expert
If you would like to learn more about how to document risks within your organization, contact one of our Freed Maxick risk professionals here, or call us at 716.847.2651 to discuss the risk services that we offer. Our risk professionals currently work with clients from multiple industry sectors.
We will work with you and your organization to complete an assessment that will identify risks, make recommendations for improving your current processes and controls, and advise you on risk management best practices. We look forward to working with you.
Three Borrower Traits Asset Based Lenders Need to Recognize in their Loan Portfolio
Author: Ashley Trexler, Supervising Field Examiner
If a borrower possesses significant fixed assets, owns its real estate, or operates several lines of business, you may be exposing your bank to unnecessary risk. To avoid that situation, be sure you review your loan portfolio for clients with certain traits.
Commercial property ownership can be quite risky, especially for retailers. Why? Because the store’s owner can be held liable for crimes or accidents that occur on the site if a victim proves there’s inadequate security.
Liability insurance can help mitigate losses. But many policies may be based on outdated business appraisals, and damages might exceed the borrower’s coverage.
For an added layer of protection, borrowers may want to create a separate legal entity for their real estate ventures. That way they can lease the property to the operating business at a fair market value. The same will hold true for businesses with significant fixed assets.
Doing so will protect the operating business entity from property liability claims. The real estate venture can still be pledged as collateral for loans to the operating entity.
Suppose a dry cleaning establishment diversifies and explores the health food market. If the experiment doesn’t work, it will drag down the dry cleaning business (or vice versa). If the borrower sets up a separate legal entity for each business segment, however, the borrower will not only limit its “spillover liability,” but it will also allow for more flexibility in the ownership structure. Keeping things separate from the get-go — with separate bank accounts and balance sheets — can be quite helpful if the owners subsequently decide to sell or seek additional financing.
If a family business wants to transfer wealth to subsequent generations, the company will likely benefit from establishing separate legal entities. For example, suppose an operating business carves out its real estate into an LLC or a trust. Those who are active in the operating business are “gifted” interests in the company. Passive heirs are then given pieces of the real estate venture.
This setup serves several goals beyond limiting liability. First, the parents can use the annual gift tax exclusion ($14,000 in 2013) and the lifetime unified credit ($5.25 million in 2013) to gradually lower their taxable estate. Gifts are typically discounted for marketability and lack of control.
Second, those who are active in the business will get a stake in something they can directly impact — the value of the operating business. Passive investors will have access to a steady income stream. Plus, the family will be able to minimize its overall tax liability if the children are in a lower tax bracket.