Article: Group Problem Solving Improved by Distance

Added by Tom 8 months ago

From the BBC, we learn of the latest psychological literature suggesting that less communication might actually be better than constant inputs. Collaboration in an "always on" mode may in fact reduce ‘collective intelligence’ (a team’s joint problem-solving ability). Instead of always staying in touch with colleagues with continual chats on Slack, for example, the study suggests a better model would be to concentrate group communication into short, intermittent bursts – a single daily video call, for example – to boost team problem solving and creativity.

Besides helping us to make better use of our time during the current crisis, these findings could help to shape the ways that we go about team decision making in the future. Even if we are in the office, we might all benefit from having a bit more me time and a bit less team time.

Now is the time to switch to electronic signatures

Added by Tom 10 months ago

Businesses are striving to continue to operate normally during the worldwide COVID-19 pandemic. With restrictions on physical meetings, many businesses are now operating remotely as much as possible. This may raise the question: how to execute documents in these circumstances? Do you wonder whether it is possible to validly execute documents by electronic signature? The short answer is that electronic signatures can be validly used in many circumstances.

An electronic signature allows a person to electronically add a signature to an online contract. Electronic signatures (or eSignatures) are a digital version of the paper-based method of signing: the person with the intent to sign simply signs the document electronically. This removes the need for handwritten signatures. A digital signature is a different method of validating an online document. Encryption software is required. This involves electronic data, an encrypted message and encryption protections. Whilst a digital signature can be grouped within the category of electronic signatures, it uses algorithms to create a digital fingerprint or private key (or secret key) unique to your document.

In the EU, Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a ‘Community Framework for electronic signatures’ establishes the legal framework at a European level for electronic signatures and certification services. The aim was to make electronic signatures easier to use and help them become legally recognized within the Member States.

In the US, digital signatures are valid and enforceable. As long as certain requirements are met, they have the same legal effect as their written equivalents. There are circumstances where e-signatures may not be practical, for example, when it comes to documents that need an extra layer of identification, notarization, or one or more witnesses.

This article from Lexology goes into even greater detail.

Deploying Email Services In-House

Added by Tom 10 months ago

Setting up a secure private email server isn’t as difficult as one imagines. While securing the bulk of an organization's email from snooping beyond the per-message level is a challenge, it is doable. One way of simplifying the email server setup process is with a tool like Helm, which acts as an all-in-one private email server solution. One should also consider encrypting the actual contents of an email message with free tools.

Most mail servers are made up of a Mail Delivery Agent (MDA) and Mail Transfer Agents (MTA). MDA software is used to route e-mail to its destination. MTA software is used to transfer e-mail between servers or computers. Apart from the MTA and MDA, one needs antispam, antivirus, webmail and other software utilities. The server's IP address must be properly resolvable via DNS, and a TLS/SSL certificate must be configured. It often makes sense to install a database to store user names, email IDs, passwords and other information -- OpenLDAP comes to mind. Setting up and maintaining a full-fledged email server need not be too complicated a task; it is in the wheelhouse of a good sysadmin. The attached article lists software that enables a Unix-powered VM to run as a mail server out of the box.

This article details how to set up an email server in AWS. Of course, one can run an email server on any Linux system or alternate cloud provider, such as Rackspace.

Europe's Strategy for Data

Added by Tom 11 months ago

The European Commission presented its long-awaited EU data strategy in Brussels on February 29, 2020. In response to evolving economic and social concerns brought about through digital transformation, European lawmakers debuted a discussion paper addressing a vision for Europe as a leader in the global data economy. The paper was presented together with the Commission’s Communication, Shaping Europe’s digital future and other White Papers, such as on Artificial Intelligence.

Role of Your GDPR Representative

Added by Tom about 1 year ago

Recently adopted Guidelines on the Territorial Scope of the GDPR enabled the EDPB to confirm key elements of the role of a GDPR Representative. These guidelines were adopted on November 12, 2019.

Small Businesses and GSA Professional Services Schedule

Added by Tom over 1 year ago

The Professional Services Schedule is the second largest GSA Schedule after IT70. It is the combination of 30 unique professional services, many of which have few similarities to each other. Therefore, the reality is that the Professional Services Schedule, or 00CORP, is in many ways the combination of many niche services to form one large interworking grouping.

The purpose of combining all these services into one schedule was to reduce the administrative burden for firms that need access to more than one of these unique niches. We learned that most small businesses utilize on average 3.78 niches or SINs and most large businesses utilize 4.88 SINs. Consolidation makes sense for ease of access and simplicity of award.

Professional services tend to have high sales volumes even though many of the firms in this grouping are niche players and often smaller than the average federal contractor. The average small business that holds the Professional Services Schedule conducts over $1MM per year in federal sales.

On PSS, all GSA contracts under $10,000 will be direct no bid awards. (Small Business only)
All contracts under $250,000 will be GSA Small Business Elite Direct Awards. (Small Business only). GSA will break out over $900 million in GSA Prime Vendor Contracts for re-distribution to GSA Small Business Schedule Holders in 2020.

In FY2017, GSA saved taxpayers over 10% of the dollar amount spent through the GSA. This increased efficiency and reduction of administrative burden resulted in $6.8B in savings. GSA enables 15,000 small businesses to earn $1MM plus per year in direct federal contract awards. This means 37% of every dollar spent through the GSA schedule system is with small business, the highest utilization of small business throughout the federal government.


The GSA PSS Contract only covers the categories detailed below. Certain IT, HR, and energy related services can be offered through PSS, but only to complement the core service offerings.
  • Mission Oriented Business Integrated Services (MOBIS) (formerly Schedule 874)
  • Professional Engineering Services (PES) (formerly Schedule 871)
  • Financial and Business Solutions (FABS) (formerly Schedule 520)
  • Advertising and Integrated Marketing (AIMS) (formerly Schedule 541)
  • Logistics Worldwide (LOGWORLD) (formerly Schedule 874 V)
  • Environmental Services (formerly Schedule 899)
  • Language Services (formerly Schedule 738 II)

Services including IT, HR, energy, travel, security, and healthcare staffing can be offered under different GSA Schedules.

Online Privacy Rules can be Gamed - So Require Credentials

Added by Tom over 1 year ago

With the introduction of Europe's General Data Protection Regulation, firms in Europe and around the globe should be aware that social engineering tactics can be used to acquire an individual’s sensitive data.

“…For social engineering purposes, GDPR has a number of real benefits, Pavur said. Firstly, companies only have a month to reply to requests and face fines of up to 4 percent of revenues if they don't comply, so [the] fear of failure and time are strong motivating factors.

In addition, the type of people who handle GDPR requests [is] usually admin or legal staff, not security people used to social engineering tactics. This makes information gathering much easier….” See this article

Direct email marketing, for example, is already regulated under the EU's e-Privacy Directive. Such rules require consent before someone can be sent direct marketing. A so-called "soft opt-in" makes this slightly easier: if a firm has an existing relationship with a recipient, for instance, if a customer has bought a product from them before, they may still contact that recipient. The European Union is updating the rules on electronic communications just as the UK is hustling to put its own Data Protection Act in place, considering how Brexit will affect tech firms. The continued flow of data between the UK and the rest of Europe (and the world) depends on governments’ ability to interact.

Security Means More than a Certificate

Added by Tom over 1 year ago

Bluedog takes security seriously, and the coding of Workbench supports our assertion that the best protection for data is to encrypt it when it is at rest. We know that access to encrypted data ultimately comes down to access to the key, and we use a combination of public, private, and symmetric keys to encrypt and decrypt data using RSA, DSA, or DH encryption algorithms in the database that is behind Workbench.

Transport Layer Security (TLS -- and its now-deprecated predecessor SSL, Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser, and, when properly implemented, it assures the end user that data passed between the web server and the user's browser remains private and intact. It is useful in preventing so-called "man-in-the-middle" snooping on data in transit. But having a certificate doesn't mean data is secure. TLS/SSL certificates have a usability problem because web browsers mark all HTTPS websites as secure, and users have been trained to look for the padlock or the word “Secure” to determine the site’s legitimacy. Yet all that padlock or the word “Secure” means is that communications are encrypted. It doesn’t say the owner has been validated; a site can be encrypted and still be unsafe because the owner has been spoofed by a phisher or other malevolent force.
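The gap between "the connection is encrypted to this host name" and "the owner has been validated" can be read straight off a certificate. The sketch below is an added example, not Bluedog or Workbench code; the function names and both certificates are constructed for illustration, using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example. Both certificates are constructed sample data in the dict
# shape returned by Python's ssl.SSLSocket.getpeercert().

DV_CERT = {  # constructed: domain-validated, no organization in the subject
    "subject": ((("commonName", "login.shop.example"),),),
    "subjectAltName": (("DNS", "login.shop.example"),),
}
OV_CERT = {  # constructed: the CA also vetted and named an organization
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Shop Inc."),),
        (("commonName", "shop.example"),),
    ),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}


def host_matches(pattern, host):
    """Match one SAN DNS name; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == host


def padlock_report(cert, host):
    """Separate what the padlock proves from what it leaves unproven."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        # True is all a browser needs to show the padlock for this host.
        "name_matches": any(host_matches(p, host) for p in sans),
        # None means the CA checked control of the domain and nothing else.
        "owner_named": subject.get("organizationName"),
    }


if __name__ == "__main__":
    print(padlock_report(DV_CERT, "login.shop.example"))
    print(padlock_report(OV_CERT, "www.shop.example"))
```

Both certificates earn the same padlock; only the second names an organization that a certificate authority vetted, and even that says who was vetted, not that the site is trustworthy.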

At the core of our security is database access -- in Workbench this is isolated at a low-level change in our data model. Nothing outside of our data layer/models/business objects is even aware that the stored data is encrypted. Even if data isn't terribly sensitive, we ensure that the loss of records will never be embarrassing to anyone because that data is unusable without the keys to decrypt it.

Read more here about Bluedog's model for end-to-end security of data.

Using AWS for Fast ATO Approvals

Added by Tom almost 2 years ago

Team Bluedog attended an Amazon workshop on standardized architectures for NIST-based Assurance Frameworks based on Amazon cloud infrastructure. The all-day affair discussed architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) cloud.

The moderators went step by step through the process optimized for getting an Authority to Operate (ATO) quickly: choosing an AWS region that fits the impact level of your project; choosing standardized reference architecture to use as a base; making it friendly and recognizable for the people who will be reviewing the ATO proposal (which replaces many aspects of the former A&A/C&A process).

Of note were the anecdotes about the early days of AWS with improperly configured budgets/alerts, or about researchers who spin up a massive amount of computational power on a Friday afternoon and then leave it running for the whole weekend. Apparently, Amazon often forgives accidental expenditures like that if you're an important enough client.

Skepticism abounds about those who try to play the cloud computing providers like the stock market, running their stuff on whatever service happens to be cheapest at a particular time. We theorize this means you can only easily use the controls common to every service provider if you go that route.

A number of the speakers placed a large emphasis on compatibility with common standards like NIST, HIPAA, etc. A handy security controls matrix (provided as a Microsoft Excel spreadsheet) maps architecture decisions, components, and configurations to security requirements within NIST, TIC, and DoD Cloud SRG publications; indicates which AWS CloudFormation templates and stacks affect the controls implementation; and specifies the associated AWS resources within the templates and stacks.

Contact our team for more information on how we can help with an AWS / FedRAMP-compliant migration strategy.


Jumping onboard the GSA OASIS vehicle is no small task

Added by Tom about 2 years ago

Recent work suggests there are a number of obstacles in substantiating self-scoring and complying fully with all RFP requirements for the GSA OASIS On-Ramp. With all OASIS pools more than doubling in size and previous minimum scores no longer applicable during open season, many contractors believe earning a spot on the coveted GSA professional services best-in-class contracts is practical.
However, detailed, extensive backup documentation is required to substantiate self-scoring.

Read more here

