Operation: Vulnerability Response Process

They say, "There is no software without a weak point."

In other words, computers and communication devices, with countless pieces of software built in, are "full of dangerous weak points". There are also business systems that manage sales and salaries...

"Vulnerability Response" by the IT department is, in simple words, "software repair work".

Specifically, the IT department collects vulnerability information from "IT information sites" or "Google Alert emails" on a daily basis. If the information relates to software used on the company's computers, they carry out "patch application" or a "version upgrade", etc. Although much software now performs "automatic patching" and "automatic updates" by itself, there are still quite a few "incidents that must be handled manually".

Incidentally, once or twice a year, a security test ("vulnerability assessment") by a specialized contractor should be carried out to check whether the repair work is done properly.

Challenge: Response depends on individual

However, a tremendous number of "attack methods" are found every day.

"Methods of attack" on old software are also reported almost every day. Even though "weak points" should have been overcome by daily repair, attackers also seem to be improving their ideas and capabilities day by day. It seems this will continue forever. The "vulnerabilities" announced through CVE, for example, number more than 10,000 annually.
(CVE: Common Vulnerabilities and Exposures)

It is no longer an amount that the IT department can check through. The reality is that experienced employees respond by relying on their "individual information network" and "smell".

Hmm, isn't there a way to deal with it more systematically?

Beyond that, I would like to record and share precisely who made what kind of judgment on each urgent vulnerability. For example, I would like to be able to look back on when and how we responded to sensational vulnerabilities such as "ShellShock" or "Heartbleed". (GNU bash and OpenSSL, respectively)
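One way to make that judgment systematic and recorded, as an added example that is not part of the original article: advisories are matched against the software inventory by numeric version comparison, and every match produces a record of what was decided, by whom and when. The product names, hosts, advisory ids and version ranges are constructed, and the record fields are assumptions.

```python
from datetime import datetime, timezone

def parse_version(text):
    """'1.0.10' -> (1, 0, 10): compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed sample data; product names, hosts and ids are hypothetical.
INVENTORY = [
    {"host": "web01", "product": "example-tls-lib", "version": "1.0.9"},
    {"host": "web02", "product": "example-tls-lib", "version": "1.0.10"},
    {"host": "batch01", "product": "example-shell", "version": "4.3"},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "example-tls-lib",
     "introduced": "1.0.1", "fixed_in": "1.0.10"},
    {"id": "ADV-EXAMPLE-2", "product": "example-shell",
     "introduced": "1.0", "fixed_in": "4.3.1"},
    {"id": "ADV-EXAMPLE-3", "product": "example-db",
     "introduced": "2.0", "fixed_in": "2.5"},
]

def triage(advisories, inventory, decided_by, now=None):
    """Return one decision record per (advisory, installed copy) pair."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    log = []
    for adv in advisories:
        low = parse_version(adv["introduced"])
        high = parse_version(adv["fixed_in"])
        for item in inventory:
            if item["product"] != adv["product"]:
                continue  # software the company does not run: nothing to record
            # Affected when introduced <= installed < fixed_in.
            affected = low <= parse_version(item["version"]) < high
            log.append({
                "advisory": adv["id"], "host": item["host"],
                "installed": item["version"], "fixed_in": adv["fixed_in"],
                "action": "patch" if affected else "no action",
                "decided_by": decided_by, "decided_at": stamp,
            })
    return log

if __name__ == "__main__":
    for record in triage(ADVISORIES, INVENTORY, decided_by="it-staff-a"):
        print(record)
```

A plain string comparison would rank "1.0.9" above "1.0.10" and skip web01, which is why the versions are parsed into tuples first.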

[Vulnerability Response Process]


Operation: Soliciting Improvements from In-house

It seems that the Japanese government seriously wants to carry out "work style reform".

Certainly, inside our company too there is "creating documents that no one sees" and "inefficient exchange". I would like to think about a more active method of absorbing concrete "improvement ideas", such as "introduce a cloud service for certain work" or "utilize IoT". For example, "mid-career employees" and "temporary workers" grumble while they are out drinking... It is really wasteful if that just ends up in vain.

However, even if the president cries out "Improve the business process and increase productivity!" at the morning meeting, specific "improvement proposals" will not come up.

Oh, yeah. First of all, let's ask the "Internal Audit Office" to accept "idea submissions", in the style of a so-called "suggestion box".

And let them operate a Workflow that advances good ideas to an 'on-site hearing step' and a 'president reporting step'. (Business Improvement Idea Reception Process)

Challenge: Form that anyone in the company can post to

However, not all workers have a "login ID" for the Workflow platform.

If a "login ID" were required for posting ideas, temporary workers and part-timers would not be able to post. (I suspect the inefficiency of the work floor is surely being pushed onto part-timers and temporary staff...)

Thinking carefully, it also needs to secure some degree of "anonymity".

I would like to encourage bold ideas such as, for example, an "improvement idea to lower the risk of fraud by managers".

Hmm, soliciting responses through "a completely open web form on the Internet" seems to be one way, but it makes me somewhat nervous. (The URL might be exposed, or people who have nothing to do with the company might make suggestions...)

[Business Improvement Idea Reception Process]

The Task: Feedback to Weekly sales report

"Sales of one week" are now written to Google Sheets. (See Episode 550)

Since every store manager edits one file (e.g. "Sales report 2017-08-27to2017-09-02") concurrently, the following improvements have been achieved.
  • Each store manager has become aware of the other stores
  • Store managers have started to point out incorrect input to each other
  • Summing work at the headquarters has become unnecessary (as it is left to the Spreadsheet)
  • The executives have also started to browse the file and actively check the trend of each store
In other words, "sales data" including comments from each store manager has been used actively inside the company. ("Sales data" was dead before...)

Challenge: No comment by management

However, there should have been "feedback" from the managers in the headquarters to all the store managers.

Even though all the store managers work hard at reporting, it is sad that there are no comments from the managers in the headquarters. It doesn't matter how simple the words are. Just express your gratitude to the store managers, who are eager to see your smile...

Doing so, the executives will be able to understand "what the managers in headquarters are thinking about actual data / what advice they are giving".

[Weekly Sales Report-Feedback]

The Task: Weekly sales report

I have each store manager report sales of the week.

It sure is good to operate a simple "Sales report Process", in which
  1. Each and every "Store manager" submits a report
  2. The "Director" at the headquarters confirms it
However, those store managers seem to be working only "watching their boss".

I suppose it could be better, for example, to create "more chances to access the data of other stores".


If you are using G Suite, a "Google Spreadsheet" lets all store managers edit the same document (* up to 50 people). It will also reduce the labor of "summing up" for the "Headquarters director". As for "input mistakes", a store manager who made a mistake could become aware of it by him or herself by comparing with the data of other stores. Or maybe managers would point out "input mistakes" to each other! (It may stimulate communication between stores, and that leads to improved productivity...)

Challenge: Preparation of the new Spreadsheet is troublesome

However, someone is then needed to prepare the "Spreadsheets for reporting" every week.

It would be too much to ask the "directors" in the headquarters to do it. They are hard on others and easy on themselves. They have never even tried to meet the deadline for claiming out-of-pocket expenses. Hmm, the biggest challenge seems to be the first Step, which is "to prepare a new Spreadsheet and announce it to every store manager precisely every week".

[Weekly Sales Report]

How to announce personnel information

The task of "announcing information on personnel changes (change of assignment or position) in-house" is tricky.

There are various types, such as promotion / demotion / recruitment / retirement / leave of absence / department transfer / secondment ... and individual circumstances also differ from each other.

From the point of view of an HR staff member, he or she may want to let everybody know a few months in advance in a case such as "the happy retirement of an employee who has been trustworthy". Whereas, in a case of "being headhunted by a competitor", HR may want to keep it secret. Also, in the case of "taking a leave for family care", there are people who positively want to let their colleagues or related people know in advance (in consideration of breach of confidentiality obligations), while other people may want to remain silent.

Basically, we should solemnly switch the "information that is secret within the HR department" to "information publicly known inside the company", according to the "prescribed disclosing rules". (Personnel notice)

Challenges on practical operation

In Japan, many companies adopt "in-house posting" as a publication method.

However, when the notice is printed on paper and stuck to a "bulletin board" or "wall", employees who often go out, who are on long leave or who telework have only a few chances of looking at it. For HR staff, on the other hand, the tasks of "posting the notice at a fixed time" and "taking the notice down at the scheduled time" are an unexpectedly big burden.

Other companies, meanwhile, adopt the way of "announcing verbally at the morning briefing". However, it must be said that here too it is difficult for people on long leave and teleworkers to obtain the same amount of information as those attending the morning briefing. Moreover, there is also a risk that the 'date of change' or the 'department changed to', etc. are not accurately conveyed, because the announcement is verbal.

[Personnel Change Information Publication]

Analytics tells 'a particular building company is in trouble'?

In the last article and the one before it, I introduced (nearly unmanned) Workflows that inform the company of the "trends of web access of the last week".

Once this business process is in operation, employees will be able to check the latest information obtained through the "Google Analytics Reporting API" every Monday morning by e-mail. As a result, daily work for "Customer support" or "Sales" will be more efficient.

However, it might be better if "information that is not in Analytics" were written as well. That is, it may be possible to gain deeper understanding and insight into trend information such as "links that bring a lot of inflow" and "pages referred to by specific customers" if the email also included information that is not in Analytics, such as:
  • 'delivered a press release last Tuesday'
  • 'held a user seminar last Thursday (in which the particular building company participated!)'.

API acquisition of calendar information as well

The following Business Process Definition is a mechanism in which information on last week's events, as written in the in-house calendar for the "Public relations schedule and exhibition schedule" (Google Calendar), is added to the email notification.

When operating this Workflow, employees who would receive notification emails will be able to see "related information that may have affected Web access" at the same time.

[Website Operation Report 3]

Ranking on popular pages

In the last article, I introduced a way of automatically generating "weekly reports" through automated communication with the "Google Analytics Reporting API".

The point was the automated Step (Service Task Addon), which automatically retrieves data aggregated by the following rule.
  • Dimension: ga:hostname, ga:pagePath, ga:pageTitle
  • Metrics: ga:pageviews, ga:sessions

In this Step, the "list of web pages that got a lot of access" is gathered into a multi-line text. If you set the "filter" to something like "ga:pagePath=~/blog/", you can also automatically get the ranking of "web pages under the blog folder".

A notification email with these texts embedded would be very useful information for the Marketing team.
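The aggregation rule above, written out as a Reporting API v4 `reports:batchGet` request body together with the conversion of the response into the multi-line ranking text. This is an added example, not the Service Task Addon from the article; the view ID is a placeholder, the sample response is constructed, and the function names are assumptions.

```python
DIMENSIONS = ("ga:hostname", "ga:pagePath", "ga:pageTitle")
METRICS = ("ga:pageviews", "ga:sessions")

def build_request(view_id, start_date, end_date, path_regex=None, limit=10):
    """Body to POST to https://analyticsreporting.googleapis.com/v4/reports:batchGet."""
    request = {
        "viewId": view_id,
        "dateRanges": [{"startDate": start_date, "endDate": end_date}],
        "dimensions": [{"name": name} for name in DIMENSIONS],
        "metrics": [{"expression": expr} for expr in METRICS],
        "orderBys": [{"fieldName": "ga:pageviews", "sortOrder": "DESCENDING"}],
        "pageSize": limit,
    }
    if path_regex:
        # "=~" is the regular-expression match operator of the filter syntax.
        request["filtersExpression"] = "ga:pagePath=~" + path_regex
    return {"reportRequests": [request]}

def format_ranking(response):
    """Turn the first report into one text line per page, ranked as returned."""
    # A report with no matching traffic has no "rows" key at all.
    rows = response["reports"][0].get("data", {}).get("rows", [])
    lines = []
    for rank, row in enumerate(rows, start=1):
        host, path, title = row["dimensions"]
        pageviews, sessions = row["metrics"][0]["values"]  # values arrive as strings
        lines.append(f"{rank}. {title} ({host}{path}) "
                     f"{pageviews} pageviews / {sessions} sessions")
    return "\n".join(lines)

# Constructed sample response in the v4 shape; hosts, titles and counts are made up.
SAMPLE_RESPONSE = {"reports": [{"data": {"rows": [
    {"dimensions": ["www.example.com", "/blog/a.html", "Post A"],
     "metrics": [{"values": ["120", "95"]}]},
    {"dimensions": ["www.example.com", "/blog/b.html", "Post B"],
     "metrics": [{"values": ["80", "61"]}]},
]}}]}

if __name__ == "__main__":
    print(build_request("VIEW_ID_PLACEHOLDER", "7daysAgo", "yesterday", "/blog/"))
    print(format_ranking(SAMPLE_RESPONSE))
```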

Tens of thousands of other patterns of aggregation method

But now, I would like to aggregate Google Analytics data from more varied perspectives.

While in the previous example the ranking was retrieved with the above "three dimensions" and "two metrics", Google Analytics has about 260 dimensions and about 230 metrics. In other words, a wide variety of data aggregation is available by changing the combination.

For example, when you aggregate not only on the aspect of site contents ("Behavior (BEHAVIOR)") but also on "AUDIENCE" or "ACQUISITION", you should be able to extract information such as "What kind of people are accessing?" or "What kind of site did they come from?".

Reference: Dimensions & Metrics Explorer

[Website Operation Report 2]