Sunday, September 24, 2017

Episode 554: Web Reception, But No Card Information


Operation: Acceptance of credit card registration

I want to promote credit card charging...

If I could automatically charge customers' "credit cards" based on their service usage records, settlement would be very smooth. If I could digitize "bill issuance", I would drastically reduce the cost of payment collection.

I would like to set up a "card payment system" like those of an electric company, a gas company, or a mobile phone company.

Challenge: Risk of credit card information data breach

However, as security requirements become more stringent, "holding a credit card number" seems to be a big risk.

Our company is neither a power company nor a big company such as Google or Facebook. In other words, it seems unlikely that we could comply with the requirements that "PCI DSS" sets out. "What is important," the credit card companies (acquirers) say, "is not to possess cardholder information."

Alright, I'm going to leave cardholder information such as PAN, PIN and CVC to "payment agencies", as advocated in a Japanese government document stating that "we aim for non-retention by March 2018". (But how?)
  • PAN: Primary Account Number (card number)
  • PIN: Personal Identification Number
  • CVC: Card Verification Code/Value (3-digit number. Formally CVC2, aka CID)
* Reference: PCI DSS (Payment Card Industry Data Security Standard) Ver.3.2 2016-04
* Reference: Payment services (PSD 2) - Directive (EU) 2015/2366

[Credit Card Info Reception]

Monday, September 18, 2017

Episode 553: Organizational Response to Vulnerability Alerts


Operation: Vulnerability Response Process

They say, "There is no software without a weak point."

In other words, computers and communication devices with countless pieces of software built in are "full of dangerous weak points". The same goes for the business systems that manage sales and salaries...

"Vulnerability response" by the IT department is, in simple words, "repair work on software".

Specifically, the IT department collects vulnerability information from "IT information sites" or "Google Alert emails" on a daily basis. If the information relates to software used on the company's computers, they carry out "patch application", "version upgrades", and so on. Although much software now performs "automatic patching" and "automatic updates" by itself, there are still quite a few "incidents that must be handled manually".

Incidentally, once or twice a year, a security test (a "vulnerability assessment") by a specialized contractor should be carried out to check whether the repair work has been done properly.

Challenge: Response depends on individuals

However, a tremendous number of "attack methods" are discovered every day.

"Methods of attack" on old software are also reported almost every day. Even though "weak points" should have been overcome by daily repair work, it seems that attackers are also improving their ideas and capabilities day by day. It seems to go on forever. "Vulnerabilities" announced as CVEs, for example, number more than 10,000 annually.
(CVE: Common Vulnerabilities and Exposures)

It is no longer an amount that the IT department can check through. The reality is that experienced employees are responding using their "individual information networks" and their "sense of smell"?

Hmm, wouldn't there be some way to deal with it more systematically?

To go further, I would like to precisely record and share who made what kind of judgment on an urgent vulnerability. For example, I would like to look back on when and how the response was made to sensational vulnerabilities such as "ShellShock" or "Heartbleed". (GNU bash and OpenSSL, respectively)

[Vulnerability Response Process]

Sunday, September 10, 2017

Episode 552: "Idea Soliciting" is Important for Work Style Reform


Operation: Soliciting Improvements from Within the Company

It seems that the Japanese government seriously wants to make "work style reform".

Certainly, there is "creating documents that no one sees" or "inefficient exchanges" inside our company too. I would like to think more actively about a method to absorb concrete "improvement ideas", such as "introduce a cloud service for a certain task" or "utilize IoT". For example, "mid-career employees" and "temporary workers" grumble about these things while they are drinking... It is really wasteful if it all just ends up in vain.

However, even if the president cries out "Improve the business process and increase productivity!" at the morning meeting, specific "improvement proposals" will not come up.

Oh, yeah. First of all, let's ask the "Internal Audit Office" to accept "idea submissions", in the image of the so-called "suggestion box".

And let them operate a Workflow that advances good ideas to an 'on-site hearing step' and a 'president reporting step'. (Business Improvement Idea Reception Process)

Challenge: A form that anyone in the company can post to

However, not all workers have a "login ID" for the Workflow platform.

If a "login ID" were required for posting ideas, temporary workers and part-timers would not be able to post. (I suppose the inefficiency of the work floor is surely being pushed onto the part-timers and temporary staff...)

Thinking carefully, some degree of "anonymity" needs to be secured as well.

I would like to encourage bold ideas such as, for example, an "improvement idea to lower managers' fraud risk".

Hmm, it seems that soliciting responses through "a completely open web form on the Internet" is one way, but somehow it makes me nervous. (The URL might be exposed, or people who have nothing to do with the company might make suggestions...)

[Business Improvement Idea Reception Process]

Sunday, September 3, 2017

Episode 551: Comments on the Weekly Report Spreadsheet


The Task: Feedback on the weekly sales report

"Sales of one week" are now written to Google Sheets. (See Episode 550)

Since every store manager edits one file (e.g. "Sales report 2017-08-27 to 2017-09-02") concurrently, the following improvements have been achieved.
  • Each store manager has become aware of the other stores
  • Store managers have started pointing out incorrect input to each other
  • Summing work at the headquarters has become unnecessary (as it is left to the Spreadsheet)
  • The executives have also started browsing the file and actively checking the trend of each store
In other words, "sales data" including comments from each store manager is now actively used inside the company. ("Sales data" was dead before...)

Challenge: No comment by management

However, there should be "feedback" from the managers at headquarters to all the store managers.

Even though all the store managers work hard on their reporting, it is sad that there are no comments at all from the managers at headquarters. It doesn't matter how simple the words are. Just express your gratitude to the store managers who are eager for your smile...

By doing so, the executives will also be able to understand "what the managers at headquarters are thinking about the actual data / what advice they are giving".

[Weekly Sales Report-Feedback]