Transcript Document

TEC 401
Session Three
Human Factors In Technology
Joseph Lewis Aguirre
Objectives - WS3
Organizational and Social Impact of Technology
• Examine the “new social contract.”
• Identify ethical information policies within the organization.
• Describe the application of technology to HR functions.
Technology and HR Functions
Technology is increasingly being used for knowledge management in order to provide just-in-time information and skills in the workforce.
• Electronic publishing (e.g., company newsletters).
• Television and video (e.g., corporate advertisements to families and friends).
• Audio teleconferencing.
• Interactive multimedia (e.g., computer-based training for employee skills upgrades).
• Simulation and virtual reality.
• Authoring aids (e.g., policy and procedure templates, online surveys, keyword searches for resume generation).
• Electronic performance support systems (e.g., employee evaluation input, sales quota productivity).
New Social Contract (NSC)
NSC: ethical organization information policies
A social contract for the Information Age deals with key social tensions peculiar to the use of information:
• Ownership of intellectual output.
• Privacy of personal information and internal organizational communications.
• Accuracy and quality of information.
• Access to information.
• Flow and content of information.
• Obligations of organizations created by the use of information.
Automobile monitoring
Progressive Corp. is offering 25% discounts to drivers who allow it to install a monitoring device in their cars and keep a digital driving diary of their moves.
Tracing Nanoparticles
Nanotechnology: manipulation, precision placement, measurement and modeling or manufacture of sub-100 nanometer scale matter.
Common Truth
Everything we say and do represents a choice, & how we decide determines the shape of our lives.
- Josephson Institute of Ethics
Choices (diagram): Good vs. Bad on one axis, Self vs. Others on the other; quadrants labelled Prudence, Vice, Benevolence, Crime.
Choices (diagram): Ethical on one axis, Legal vs. Illegal on the other; quadrants labelled A, B, C, D.
Security Vs Privacy
Biggest problem isn’t about privacy… it is sloppy security.
- Lee Gomes, Wall Street Journal
Risk Exposure by Industry (chart): degree of exposure to risk.
REGULATORY
Regulatory Overview
• The Regulatory Landscape
• The Security Landscape
• Information Security
• Resources
Regulatory Landscape
“Traditional” Higher Education regulations for Information Security:
Privacy of Student Records = FERPA
Privacy of Medical Records = HIPAA
Registration of Foreign Students = SEVIS
Regulatory Landscape (Cont)
“Non-Traditional” Higher Education regulations for Information Security:
Student / Faculty Lending = GLB / FTC
Homeland Security = Patriot Act
Accounting Scandals = Sarbanes-Oxley
Internet/Service Provider = COPPA, DMCA
State/Local Privacy Initiatives = Local regulations
Private privacy rules = Visa, ACH
HIPAA Compliance
HIPAA - Health Insurance Portability and Accountability Act of 1996
Under HIPAA, covered entities from large integrated delivery networks to individual physician offices must put in place physical and technical data security measures to protect against illegal access to communications networks, databases and applications.
The criminal and civil penalties for non-compliance are severe, and present healthcare firms and their executives with significant liability issues.
FERPA
Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.
Applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
GLB and FTC Enforcement
• Higher education institutions as “lenders”
– Student loans
– Faculty / real estate loans
– Short term cash loans (?)
• Protection of non-public “customer information”
– Paper or electronic form
– Prevent unauthorized use or access
– Includes you, affiliates, and third party vendors
GLB and FTC Enforcement
• Privacy requirements of GLB/FTC met by complying with FERPA
• Comprehensive written information security program requirement must still be met
– Risk assessment
– Design and implement information safeguards
– Prevent unauthorized use or access
GLB and FTC Enforcement
• Internal control of “customer information”
– Good internal controls
• Third party control:
– Due diligence before selection
– Data protection, information security audit clauses in contracts
– Periodic outside verification of third party systems, protections
PATRIOT ACT
• Enhanced “Know Your Customer” regulations placed on financial institutions
• Account opening / entity identification procedures for new accounts
• No common practices yet developed
– Some banks are very intrusive, wanting personal identification of corporate officers
– Some banks are very liberal
• Where are your corporate documents?
USA Patriot Act
TITLE I--ENHANCING DOMESTIC SECURITY AGAINST TERRORISM
TITLE II--ENHANCED SURVEILLANCE PROCEDURES
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.
Sec. 208. Designation of judges.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
USA Patriot Act (Cont)
TITLE VI--PROVIDING FOR VICTIMS OF TERRORISM, PUBLIC SAFETY OFFICERS, AND THEIR FAMILIES
Subtitle A--Aid to Families of Public Safety Officers
Subtitle B--Amendments to the Victims of Crime Act of 1984
TITLE VII--INCREASED INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION
TITLE VIII--STRENGTHENING THE CRIMINAL LAWS AGAINST TERRORISM
TITLE IX--IMPROVED INTELLIGENCE
TITLE X--MISCELLANEOUS
SEC. 2. CONSTRUCTION; SEVERABILITY.
ACLU
Keep America Safe and Free
Certain ACLU allegations re. Patriot Act:
• The FBI can investigate United States persons based in part on their exercise of First Amendment rights, and it can investigate non-United States persons based solely on their exercise of First Amendment rights.
• Section 215 might also be used to obtain material that implicates privacy interests other than those protected by the First Amendment. For example, the FBI could use Section 215 to obtain medical records.
Sarbanes-Oxley Act (SOX)
Requires organizations governed by the SEC to establish and maintain an audit committee responsible for the appointment, compensation and oversight of any employed registered public accounting firm.
Corporate Certification of Financial Statements:
• Correct
• Complete
• Effective underlying controls
Does not apply directly to information security or non-publicly held entities (but...).
Sets minimum standards for accountability and integrity of accounting systems/records.
ISO 17799
ISO/IEC 17799 Part 1: a guide containing advice and recommendations to ensure the security of a company’s information according to ten fields of application.
BS 7799 Part 2: Information security management - specifications with guidance for use. Provides recommendations for establishing an effective Information Security Management System (ISMS). At audit time, this document serves as the assessment guide for certification.
ISO 17799
The goal is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”
COPPA (Children's Online Privacy Protection Act)
• Online collection of personal information from children under 13
• Requires privacy policy, consent from parent, and protection of data
Digital Millennium Copyright Act (DMCA)
• Protection of intellectual property and property rights
– Identification of covered information
– Steps to prevent abuse of covered information
• Posting of appropriate notices on institutional/department web sites
California Privacy Legislation (SB 1386)
• If electronic information includes social security number and/or banking information
• AND electronic systems suffer a security breach
• Consumer customers who are residents of California must be notified of the security breach
California Privacy Legislation (SB 1386)
• How are we “doing business with residents of California”?
• Does it apply to businesses outside California?
– Will not know for a decade or more
– Behave as if it does
• Model for Federal legislation applicable to all states
Prohibition of use of SSN
• Colorado legislature passed a law prohibiting use of SSN or credit card numbers as identification for check payments
– Revision of cashiering procedures
– More difficulty researching returned checks / payments
• Indicative of trend across all states
Credit Card Association
• Visa, Mastercard, Discover, American Express, Diners, JCB
• Visa has most specific information security rules
– Other card associations follow Visa’s lead
• Probable penalties assessed for noncompliance
– Eventually Visa will get to a given sector for compliance monitoring
– Most likely to occur after you receive serious publicity for a breach
Automated Clearing House (ACH) Rules
• Specific security requirements for Internet-, telephone-initiated transactions
– WEB, TEL Standard Entry Class codes
• Web site security requirements
– 128-bit Secure Sockets Layer
– Specific transaction authorization
– “Commercially reasonable” security standards
Assessing Security of Sensitive Systems - More Info
• Treasury Institute for Higher Education
– http://www.treasuryinstitute.org/default.asp
• Association for Financial Professionals
– http://www.afponline.org/
Assessing Security of Sensitive Systems - Resources
• Protecting your own system
– http://www.afponline.org/Information_Center/Publications/AFP_Exchange/tinuccisup/tinuccisup.html
• Gramm-Leach-Bliley / FTC
– http://www.ftc.gov/os/2002/05/67fr36585.pdf (Final Rule)
– http://www.nacubo.org/business_operations/safeguarding_compliance/index.html
– http://www.ftc.gov/privacy/glbact/index.html
Assessing Security of Sensitive Systems - Resources
• USA PATRIOT Act Analysis
– http://www.afponline.org/ohc/082003/219_article_13/219_article_13.html
• Sarbanes-Oxley
– http://www.afponline.org/FRACpublic/sox/sox.html
– http://www.treasurystrategies.com/resources/articles/HowILearnedSarbanes.pdf
Assessing Security of Sensitive Systems - Resources
• COPPA
– http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm
– http://www.ftc.gov/bcp/conline/edcams/coppa/index.html
• DMCA
– http://www.educause.edu/ir/library/html/cem9913.html
– http://www.educause.edu/issues/issue.asp?issue=dmca
– http://www.copyright.gov/legislation/dmca.pdf
Assessing Security of Sensitive Systems - Resources
• California Privacy Bill SB 1386
– http://info.sen.ca.gov/pub/01-02/bill/sen/sb_13511400/sb_1386_bill_20020926_chaptered.html
• Colorado Prohibition on SSN for identification
– http://www.state.co.us/gov_dir/leg_dir/olls/sl2003a/sl_180.htm
Assessing Security of Sensitive Systems - Resources
• Visa Cardholder Information Security Program (CISP)
– http://www.usa.visa.com/business/merchants/cisp_index.html
• MasterCard Electronic Commerce Best Practices
– http://www.mastercardmerchant.com/preventing_fraud/website_security.html
– http://www.mastercardmerchant.com/docs/best_practices.pdf
Assessing Security of Sensitive Systems - Resources
• ACH WEB transaction requirements
– ACH Rules, Operating Guidelines, Section IV, Chapter VI (Special Topics, Internet-Initiated Entries)
• SANS SCORE Project homepage
– http://www.sans.org/score/
– Assessing the security of third party vendors (ASP checklist): http://www.sans.org/score/asp_checklist.php
– BS 7799 / ISO 17799 checklist: http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
ETHICS
ETHICS – NOT!
• Religion
• Political stance
• Fad
• Laws
• Absolutes
• Something that can only be understood by extremely intelligent people.
ETHICS IS:
• What we believe, why we believe it, and how we act out those beliefs;
• Personal & public display of personal attitudes and beliefs;
• Fluid through different situations;
• An aid in decision making; and
• According to Aristotle:
a) A standard of behavior; &
b) An area of study exploring the nature of morality.
Standard of Conduct
Act with integrity:
– Protect the privacy and confidentiality of information
– Do not misrepresent or withhold information
– Do not misuse resources
– Do not exploit weakness of systems
– Set high standards
– Advance the health and welfare of the general public
Ethics Decision Tree for CPAs
CPA’s Taxes and Code of Ethics
ETHICS - OBSTACLES
• If It Is Necessary, It Is Ethical - ends-justify-the-means reasoning.
• The False Necessity Trap - As Nietzsche put it, "Necessity is an interpretation, not a fact."
• If It’s Legal and Permissible, It’s Proper - Ethical people often choose to do less than the maximally allowable, and more than the minimally acceptable.
• It’s Just Part of the Job - Fundamentally decent people feel justified doing things at work that they know to be wrong in other contexts.
• It’s All for a Good Cause - A seductive rationale that loosens interpretations of deception, concealment, conflicts of interest, favoritism and violations of established rules and procedures.
• I Was Just Doing It for You - "Little white lies" or withholding important information in personal or professional relationships, such as performance reviews.
• I’m Just Fighting Fire With Fire - This is the false assumption that promise-breaking, lying and other kinds of misconduct are justified if they are routinely engaged in by those with whom you are dealing.
• It Doesn’t Hurt Anyone - Used to excuse misconduct,
ETHICS - OBSTACLES
• Everyone’s Doing It - This is a false, "safety in numbers" rationale fed by the tendency to uncritically treat cultural, organizational or occupational behaviors as if they were ethical norms, just because they are norms.
• It’s OK If I Don’t Gain Personally - This justifies improper conduct done for others or for institutional purposes on the false assumption that personal gain is the only test of impropriety.
• I’ve Got It Coming - People who feel they are overworked or underpaid rationalize that minor "perks"
• I Can Still Be Objective - By definition, if you’ve lost your objectivity, you can’t see that you’ve lost your objectivity!
Ethical Considerations - Principles
– Proportionality: good must outweigh harm
– Informed Consent: understand and accept risk
– Justice: fair distribution
– Minimized Risk: avoid unnecessary risk
Ethical Considerations - 6 Pillars of Character
1. Trustworthiness.
2. Respect.
3. Responsibility.
4. Fairness.
5. Caring.
6. Citizenship.
Ethics Decisions - Requirements
Making ethical decisions requires the ability to make distinctions between competing choices.
It requires training, in the home and beyond.
Ethics Decisions - Conclusion
No one can simply read about ethics and become ethical. People have to make many decisions under economic, professional and social pressure. Rationalization and laziness are constant temptations. But making ethical decisions is worth it, if you want a better life and a better world.
Keep in mind that whether for good or ill, change is always just a decision away.
Ethical Challenges (diagram, centered on Security, Ethics and Society):
• Employment - Computer monitoring
• Working Conditions - Upgrade
• Individuality - Loss of individuality
• Health - Ergonomics
Security
Security and Risks
The BCS Code of Practice says:
“A system is at risk from the moment that the project which develops it is first conceived. This risk remains until at least after the system is finally discontinued, perhaps indefinitely. Threats to security range from incompetence, accident and carelessness to deliberate theft, fraud, espionage or malicious attack.”
Security vs. Convenience (diagram): the scope of the trade-off between security and convenience.
The $10,000 Fence for the $1.00 Horse
Leaks
02-25-05 - BoF: 1.2 million federal government charge cards affected. Computer backup tapes were lost.
03-09-05 - LexisNexis: 310 consumers affected. Unauthorized use of customer logins and passwords.
05-23-05 - MCI: 16,500 current and former employees affected. Laptop stolen from MCI financial analyst.
06-17-05 - CardSystems Solutions: 40 million credit card holders affected. Person broke into the computer network of CardSystems.
06-20-05 - USC: 270,000 consumers affected. Hackers broke into applications database.
CyberMines
Targeted Attacks - mass mailings of worms and viruses, using keyloggers and security flaws in web browsers. Solution: get unplugged.
Botnets - robot networks made up of home and business PCs taken over by hackers. ISPs monkey
Net crash - arcane protocol: exploit Border Gateway Protocol to advertise their routes so they can carry their network.
Critical infrastructure attacks - cyberattacks that penetrate supervisory control and data acquisition (SCADA) systems. Solution: compliance with rigorous cybersecurity standards.
CyberMines (Cont)
Phraud - Internet-related fraud accounted for 53% of all consumer fraud complaints to the FTC in 2004. Phishing: guard personal information. Evil twins: do not use unsecured access points. Pharming: how to find Nemo.
Hijacking - covert control of computer resources. Use firewalls and secure browsers.
Wireless Attacks - smartphones, PDAs, etc.
Cyber Enemy
Bot Network Operators - hackers
Organized Crime Groups
Corporate Spies
Foreign Intelligence Services
Hackers
Insiders
Phishers - trading on sensitive data
Spyware/Malware authors
Terrorists
Who is the enemy
In-house security breaches account for some 70-90% of all security breaches. (Hurwitz Group)
57%: the worst breaches occurred when their own users accessed unauthorized information.
The next problem happened when user accounts remained active after users left the company. (Digital Research)
Only 21% are concerned with external security threats.
Cost of Computer Crime (chart, millions of US dollars, 1997-2001; series: IP Theft, Fraud; scale $0 to $5 million). Source: Computer Security Institute.
Insurance Council of Australia estimates $3 trillion/year.
Action Taken After Breach (chart, 0-100% of respondents; categories: Reported to legal counsel, Reported to law enforcement, Did not report, Patches). Source: Computer Security Institute.
Worm Evolution
1988 - Robert Morris: first worm.
2001 - Code Red exploited IIS to infect 359,000 hosts and launch a denial of service attack on the White House site; its random propagation caused it to clog networks and contained it.
2001 - Code Red authors learned from it and launched Nimda.
2003 - Sapphire exploited a vulnerability in MS SQL Server.
2004 - Welchia.C compiled a list of addresses; SoBig.F variant.
2005 - BotNets: worm writers partner with spammers for profit.
Security Vs Privacy
Mail: 25-30 %
Web Traffic: 50-60%
Security Landscape
• Hackers, crackers, and thieves, oh my! Viruses, worms, and trojans, oh my!
• Identity theft running rampant (electronic AND in person)
– Internal/external fraud on the rise
– Third party vendors selling private information
• Wireless networks broadcasting data
• The insecure nature of academic networks
Sensitive Data
• Definition of “sensitive data”
• Analysis of where sensitive data is used
• Assessment of the security of systems with sensitive data
• Securing systems with sensitive data
• Developing an information security culture
Sensitive Data
• “Personal information”
– Name, address, contact information, gender, age
– Social Security Number
– Banking information, including financial institution, account number, credit/debit card number
– Health / medical data
Sensitive Data
• Corporate information
– Operational procedures
– Contingency procedures
– Bank account and investment information
• Other information that might be used to conduct fraud or impersonation
– Often depends on context
– Look at as a whole, not specific pieces individually
Sensitive Data Found in:
• Student systems
• Cashiering / Bursar / POS systems
• Application, registration, recruitment systems
• Accounts Receivable / Payable
• Human Resources / Payroll
• Medical / clinical systems
• Departmental databases
– Treasury workstation
– Conference registrations (if credit card numbers are kept)
• Research databases
Assessing Security of Sensitive Systems
• Nontechnical assessments:
– Physical security assessment
– Location of sensitive records
– Logical access to data (Who has access? Do they really need access?)
– Disaster backup procedures
– Contingency procedures
– Privacy statement / policies
Assessing Security of Sensitive Systems - Contractual Services Agreement
• Third party vendor assessment
• Boilerplate language for
– Protection of data
– System security
– Secure file exchange
– Financial penalties for noncompliance
• Use of subcontractors ONLY with your permission
Assessing Security of Sensitive Systems - Operational Security
• Do our procedures require sensitive data?
– SSN on deposited checks
– Credit card number on conference registration server
– SSN as student ID
• Can we replace the data with nonsensitive data?
• Can we change the procedure entirely?
– ACH payments instead of checks
Assessing Security of Sensitive Systems - Privacy Policies
• Does the organization have a master privacy policy?
• Does each departmental web site either have its own privacy policy or link to the master?
• Does the policy comply with local law? (California, other states)
• Is data access limited to “need to know”?
– Access control lists for everything
Assessing Security of Sensitive Systems - Technical Assessment
• Visa Cardholder Information Security Program Compliance Questionnaire
– 77 point technical security checklist
• SANS SCORE Project checklists
• Form alliance with internal auditors (EDP auditors)
• Hire outside expertise for assessment
Assessing Security of Sensitive Systems - Securing
• Implement technical security measures
– Firewalls, intrusion detection and response, appropriate architecture
– Visa CISP checklist measures (SSL, data encryption, etc.)
– Access control policies (least possible access to data) implemented and enforced
– Enforce good passwords
• Hire professional security programming expertise (require department to do so)
– Particularly if cards accepted over web sites
Assessing Security of Sensitive Systems - Centralized Security
• Centralized student systems behind mega-firewall
• Firewalls within firewalls
• Data inquiries run on server, only results passed to client
– Remote access to student data severely limited
• Web servers never retain credit card information
• Look at processes and procedures (sanitize reports, etc.)
Assessing Security of Sensitive Systems - Culture Development
• Buy-in from the highest levels
– Lots of scary stories
– Regulatory requirements
– Financial liability
– Adverse publicity
• Basic security education for all users AND students
• Partnership with internal auditors
• Partnership with campus computer departments
Financial
Typical Vulnerability: Breach
Unvalidated Parameters: Hijack accounts; steal data; commit fraud
Command Injection Flaws: Database dumps all account information
Buffer Overflows: Crash the servers; damage app, other mayhem
Cross Site Scripting: Steal account and customer information
Broken Accounts/Session Mgmt: Hijack accounts; steal data; commit fraud
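The "Command Injection Flaws: database dumps all account information" row is the one most easily shown in code. The following is an added example, not from the slides: an account lookup built by string concatenation next to the parameterized version, run against a constructed in-memory SQLite table (all names, card values and the hypothetical function names are made up).

```python
import sqlite3

# Constructed sample data (not from the slides): three customer accounts.
SAMPLE_ACCOUNTS = [
    ("alice", "4111-xxxx-xxxx-1111", 1200.00),
    ("bob", "5500-xxxx-xxxx-2222", 75.50),
    ("carol", "3400-xxxxxx-33333", 9800.25),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, card TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user: str) -> list:
    """The flaw from the slide: user input is pasted into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT user, card, balance FROM accounts WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user: str) -> list:
    """The fix: a bound parameter. The driver sends the input as data,
    so it can never become SQL syntax, whatever characters it contains."""
    sql = "SELECT user, card, balance FROM accounts WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a tautology input,
    returning the number of rows each one hands back."""
    conn = build_db()
    normal = "alice"
    crafted = "' OR '1'='1"   # closes the quote and makes the WHERE clause always true
    return {
        "vuln_normal": len(vulnerable_lookup(conn, normal)),
        "vuln_crafted": len(vulnerable_lookup(conn, crafted)),   # whole table dumped
        "safe_normal": len(safe_lookup(conn, normal)),
        "safe_crafted": len(safe_lookup(conn, crafted)),         # no such user: 0 rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable query returns every account for the crafted input, which is exactly the "dumps all account information" outcome the table lists; the parameterized query returns nothing because it looks for a user literally named `' OR '1'='1`.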
Information Security Action Plan
1. Keep it simple
2. Security requirements
3. Assessing threats
4. Establish Security framework
5. Plan for disaster
6. Develop clear security policy
7. Use the right security tools
8. Staff training
9. Monitor
Application Protection
Improved QA
Scanning/Vulnerability Assessment
Host Based
• Intrusion Detection (IDS)
• Intrusion Prevention (IPS)
Application Firewall
Application Protection - QA
ADVANTAGE:
Right the first time
No runtime performance penalty
Protects from known vulnerabilities
DIS-ADVANTAGE:
Time consuming
Built into application development cost
Lack of specialized security expertise
Scanning and Vulnerability Assess.
ADVANTAGE:
Identifies vulnerabilities
Complement lack of security expertise
DIS-ADVANTAGE:
Secure as last scan
A challenge fixing vulnerabilities discovered
VENDORS:
• SPI Dynamics
• Sanctum
• Kavedo
Host Based Scanning
ADVANTAGE:
Plugs security holes once discovered
Helps with network level
DIS-ADVANTAGE:
May not address OS, platform dependencies and other vulnerabilities
VENDORS:
• Cisco
• NETA
• Sana
Risk of Breach (diagram): minimal for static content and QA, severe for e-commerce; axes Security and E-COMMERCE.
Application Protection
ADVANTAGE:
Stops hacks before they get to the application
Continuous protection
DIS-ADVANTAGE:
Upfront investment
Increased network complexity
VENDORS:
• Teros
• Netcontinuum
• Magnifier/F5
Secure Application Gateway
Web Application Security Market
DECISION ENVIRONMENT (diagram): Environment, Climate, Structure, Goals, Culture and Marketplace, with labels Other Teams, Enthusiasm, Competition, Reward System, Accountability, Reporting Relationships, Values, Clarity, Collaboration, Mission, Philosophy, Commitment, Stress, Feedback System, Flexibility, Decision Making, Behavior Norm, Involvement, Pressures, Trust.
Fund Transfers (chart): origin and destination of transfers by region (US & Canada, Europe, Asia Pacific, South America, Africa/Middle East), shown as percentages.
HUMAN RESOURCES
HR Perception (chart, Source: Hay Group, 2005 survey): Focus on retaining high quality workers 40%; Fair performance evaluations 41%; Rate favorable job training 58%; Opportunities of advancement; What is required to move up? Do not know; Company shows genuine interest in employee well-being.
HR Perception
In a knowledge economy, finding and nurturing talent is one of the most vital corporate functions. And that is just what HR does so badly.
- Keith H. Hammonds, FAST Company’s deputy editor
You are only effective if you add value. That means you are not measured by what you do, but what you deliver.
- David Ulrich, University of Michigan
HR - Walking the Talk
“The underlying principle was invariably restricted to the improvements of bottom line performance”
Study of relationship between what companies said about their human assets and how they actually behaved.
- Strategic Human Resources Management (1999)
HR Perception
HR people aren’t the sharpest tacks in the box.
HR pursues efficiency in lieu of value.
HR is not working for you.
The corner office does not get the HR.
- Keith H. Hammonds, FAST Company’s deputy editor
HR Examples
A talented young marketing executive accepts a job offer with Time Warner out of business school. She interviews for openings in several departments - then she is told by HR that only one is interested in her.
FACT: She learns later that they all had been interested in her. She had been railroaded into the job, under the supervision of a widely reviled manager.
- Keith H. Hammonds, Why We Hate HR, August 2005 FAST CO.