31 October 2003

Lessons learned from Blackout 2003

Lessons learned from Blackout 2003: "Lessons learned from Blackout 2003

A report has been submitted to New York mayor Michael Bloomberg highlighting the business continuity and emergency planning lessons that can be learned from the blackouts that affected the city in August.

Entitled Enhancing New York City's Emergency Preparedness' the report is broken down into the following sections:

* Emergency response: mobilization and coordination of agency resources.
* Business continuity: maintenance of critical functions within the public and private sectors, including backup power, telecommunications, and essential workforce.
* The city as employer: ability of agencies to evacuate and communicate with their employees, especially employees required to ensure essential city services.
* Communications: efficacy of communications within agencies, between agencies, to the city's businesses and to and from the public, including the infrastructure that supported these communications and the availability of information to key decision-makers.
* Transportation: ability of people to move within, out of and into the city when various forms of transportation are impaired.
* Public health, safety and preparedness: availability of safe food, water, shelter and other services required to ensure public safety.


COG Forming Citizens Emergency Unit To Augment Homeland Security Efforts

COG Forming Citizens Emergency Unit To Augment Homeland Security Efforts:

Day Staff Writer
Published on 10/31/2003

Local government officials may soon be asking what you can do for your country as a member of the Citizens Corps.

The Southeastern Connecticut Council of Governments announced Thursday it is taking the first steps in forming a Citizens Corps/Community Emergency Response Team, part of the federal Department of Homeland Security strategy to better prepare for terrorist attacks or natural disasters."

30 October 2003

Va.'s anti-terror efforts must strike balance, Warner says

TimesDispatch.com | Va.'s anti-terror efforts must strike balance, Warner says: "Va.'s anti-terror efforts must strike balance, Warner says


Oct 29, 2003

LEXINGTON - Gov. Mark R. Warner paused yesterday to honor a Virginia serviceman slain in Iraq before declaring the state's new doctrine for homeland security.

More than 250 people joined the governor in a moment of silence at Virginia Military Institute for Capt. J.R. Teal, a Hanover County soldier and VMI graduate who was killed Thursday in Iraq.

Warner dedicated the three-day conference he is sponsoring here on homeland security to Teal and other Americans who have died in the war against terrorism since the Sept. 11 attacks.

Then the governor laid out his standards for waging that war in Virginia in ways that maintain the state's economic security, protect people's civil liberties and bolster public confidence in the public institutions that are supposed to serve them.

'Striking the appropriate balance is critical not only to our homeland security but our country's long-term vitality,' he told an audience of military officers, politicians and public officials, academic experts and captains of industry assembled in VMI's Jackson Memorial Hall.

The state of Virginia's economy is the centerpiece of the conference, co-sponsored by a dozen major corporations, including Philip Morris USA, Ethyl Corp., Dominion Resources and some of the nation's leading defense contractors and high-technology companies.

The governor urged the conference to ponder the economic consequences of terrorism."

As an Industry partner of the Virginia Institute for Defense and Homeland Security See IDHS we have just returned from the two day Governor's Homeland Security Conference See VMI.

We walked away with new knowledge, a renewed commitment to preventing terrorism and a new sense of purpose. Surrounded by a collegial mix of academic, military and business leadership for two days focused on the topics of the utmost priority for our nation was more than inspiring for us.

This experience has generated a patriotic "fire" in us to pursue our dreams of serving vital industry sectors of our global economy. Now more than ever we feel that our solutions and our R & D will produce the answers many of our clients are searching for. More than anything, we realize how interconnected the fabric of our society is to the goals of deterring, preventing and defeating significant loss events.

Next week we will embark on a stepped up mission to engage our communities and business neighbors in development and implementation of a localized readiness plan. This will be based upon the structure and standards being developed under the National Response Plan and the efforts of the Virginia Commonwealth Preparedness plans. See Response Plan Fact Sheet

28 October 2003

More banks hit by email fraud

Guardian Unlimited | The Guardian | More banks hit by email fraud: "More banks hit by email fraud

Rupert Jones
Tuesday October 28, 2003
The Guardian

Customers of Halifax and Nationwide are the latest to be targeted in a sophisticated email scam to trick users into disclosing their bank passwords, it
was revealed yesterday.

Halifax took the decision to close its online banking operation for almost 48 hours while it attempted to track down the culprits - thought to be Russian fraudsters - and alert its 1.5m online customers to the scam. The online facility and the bank's main website were both switched back on yesterday afternoon. There were signs yesterday that the fraudsters have increased their activity over the past few days, with previously targeted banks coming under fire.

Barclays yesterday revealed that eight or more customers had had money fraudulently taken from their accounts since the bank was first targeted, early last month. All have been refunded in full, said a spokeswoman for the bank, which has 3.9m online customers across Barclays and Woolwich.

NatWest, Lloyds TSB and Citibank have also been hit by the cyber fraud."

U.S. Issues Saudi Alert Saying Terrorists Targeting Airlines

Bloomberg.com: Top Worldwide: "U.S. Issues Saudi Alert Saying Terrorists Targeting Airlines

Oct. 28 (Bloomberg) -- Terrorists in Saudi Arabia are targeting Western aviation interests, the U.S. State Department said in an alert warning citizens to avoid travel to the Middle East kingdom and the Persian Gulf region.

``There is credible information that terrorists have targeted Western aviation interests in Saudi Arabia,'' the State Department said in an e-mailed statement. ``The U.S. government continues to receive indications of terrorist threats aimed at American and western interests, including the targeting of transportation and civil aviation.''

The alert supersedes a State Department warning issued in August after a raid by Saudi security forces against suspected terrorists revealed notes describing the layout of King Khalid International Airport in Riyadh. The U.K.'s British Airways Plc temporarily canceled flights because the notes included details of where its aircraft parked at the airport."

27 October 2003

Virginia's Institute for Defense and Homeland Security -- September - October 2003 Newsletter

Virginia's Institute for Defense and Homeland Security -- September - October 2003 Newsletter: "Message from the IDHS Executive Director

In the first IDHS Newsletter, I spoke of the rare opportunity provided to those of us at the Institute for Defense and Homeland Security -- the chance to build the institute from the ground up and to lay the foundation for its future. In creating the right vision for IDHS, we must first look at fundamental changes taking place in the national R&D infrastructure and the challenges and opportunities created by those changes.

Today an entire generation of scientists and engineers whose careers began with the race to the moon and the Viet Nam War are retiring or transitioning to new careers. Coupled with this relatively sudden loss of talent and corporate memory is the continuation of the trend toward downsizing of federal R&D activities that began in the early 1990s. Because national defense and homeland security interests demand that we maintain a robust technology base in the face of dwindling federal resources, this century's challenge is to establish appropriate and complementary relationships among the public and private sector components of the national R&D enterprise.

Governor Warner recently challenged IDHS to support his Virginia higher education goals by 'encouraging cooperative ventures "

Healthcare merger: What it means to you

Healthcare merger: What it means to you - Oct. 27, 2003: "Healthcare M&A: What it means to you
A wave of mergers in the healthcare industries will have pros and cons for consumers.

October 27, 2003: 4:19 PM EST

By Jeanne Sahadi, CNN/Money senior staff writer

NEW YORK (CNN/Money) - They'll be bigger, but will they be better for you?

That's the question for millions of consumers whose managed healthcare providers announced on Monday they will merge with other companies.

Anthem said it was buying WellPoint. Both are major providers of Blue Cross and Blue Shield plans and combined they will create one of the country's largest health insurers.

Meanwhile, UnitedHealth, currently the top U.S. health insurer, said it was buying Mid Atlantic Medical Services.

What does that mean for you? Consider the potential benefits and downsides to each deal."

silicon.com - The Bloor Perspective: Recovery HR, offshoring and Basel II

silicon.com - The Bloor Perspective: Recovery HR, offshoring and Basel II: "

*That Accord*

The Basel Committee on Banking Supervision is to stick to its end-2006 deadline for the introduction of new bank capital rules, despite committing to a lastminute overhaul designed to simplify implementation of the regulatory framework. We think that is commendable - good to see the regulators are not being held to ransom by the market.

Improvements to the current framework include: changing the overall treatment of expected versus unexpected credit losses; simplifying the treatment of asset securitisation, including eliminating the 'Supervisory Formula' and replacing it by a less complex approach; revisiting the treatment of credit card commitments and related issues; and revisiting the treatment of certain credit risk mitigation techniques.

It must be understood that the recommended changes are at the more granular level but the fundamental framework and requirements are not any different - the key drivers remain. So what are these key drivers?

The most significant issue facing banks in relation to Basel II is aligning and upgrading data and existing IT systems infrastructure for completeness, consistency and integrity across the organisation. The systems to comply with Basel II requirements under the advanced approach for both credit and operational risk must be compatible with the existing IT architecture and provide suitable reporting facilities and analytics.

The second driver is governance and buy-in. Executive-level buy-in and awareness, followed by executive-level Basel II champions, must seize the initiative and remove all hurdles to a successful Basel II compliance. The role and responsibilities of each individual and department must be clearly defined to avoid confusion, especially with regard to operational risk.

Another important driver is the enterprise wide scope of the Accord. This means there is a need to bring in a risk culture across the whole organisation.

Shame on the banks that are using the delay in the publication of the Accord as an excuse not to introduce a Basel II program!

It is important to realise that Accord should offer considerable benefits over the existing system. It has brought about a greater awareness of among the businesses of their own processes, risks and infrastructure. It provides an opportunity to reinvigorate stagnant businesses."

24 October 2003

IT's biggest worry--employee blunders

News: IT's biggest worry--employee blunders: "IT's biggest worry--employee blunders
By Andy McCue

Employee blunders and hardware and software failures are more of a worry for IT directors than the much-hyped threat of terrorism when it comes to disaster recovery planning, according to a new survey.

Half of the 877 IT directors interviewed for the research cited human related issues--accidental errors and malicious behavior--as the main threat to the security of their business. Almost two-thirds also cited hardware failure, while 59 per cent said software failure and viruses are a significant threat.

But only a quarter said terrorism is a major concern, and natural disasters such as floods were hardly mentioned by respondents.

Lindsey Armstrong, senior VP for Europe at Veritas, said in a statement: 'What is surprising about this research is the fact that despite the recent obsessive concern with the threat of international terrorism, technology related threats and potential human errors are still far more in the forefront of people's minds.'

Of major concern almost a quarter admitted to not physically testing their disaster recovery plans at all and of those that do 37 per cent test only once a year. Yet 80 per cent said they had experienced unplanned downtime in the past year, with over a quarter suffering downtime on a quarterly basis or more. And 14 per cent had a system outage of between 24 and 48 hours, with 16 per cent of those suffering major data loss as a result.

Time, lack of budget and disruption to employees were the top three reasons given for not testing recovery plans."

Comment: Culture change is key to business continuity management

Comment: Culture change is key to business continuity management:

By David Honour

A shift seems to be taking place from disaster recovery-based attitudes to business continuity to a more holistic business continuity management approach. The former focuses planning activities and budgetary spending upon business resumption and disaster recovery, while the latter has the main objective of preventing business interruption in the first place.

Business continuity management aims to proactively manage all business processes, assets, facilities, supply chains and human resources to ensure that, as far as is feasible, the business will always function at its highest capacity. This is distinct from disaster recovery-based business continuity which concentrates on ensuring that contingency plans and procedures are in place to return to business as usual as soon as possible after a crisis. Business continuity management does not neglect disaster recovery, but it sees it as a last resort.

However, as business continuity management develops it is coming up against a major obstruction in many organisations; that of corporate culture.

To be truly effective, business continuity management must be more than a programme, it must be deeply embedded into the corporate psyche of every employee. The organisation must become risk aware, and each employee must see the management and reporting of the risks under their control as their personal responsibility."

David's comments are dead on. BCM is about a management mindset and about organizational awareness of managing risk. It is also about a deep understanding of change itself.

EU gives cyberdetectives advice

Reuters | Latest Financial News / Full News Coverage: "EU gives cyberdetectives advice
Fri 24 October, 2003 14:06 BST

BRUSSELS (Reuters) - Making evidence of cybercrime stand up in court should be easier after the European Commission released guidelines on how to investigate computer viruses, website hacking and online credit card fraud.

Just like physical evidence, any electronic evidence of online crime contained in website logs, emails or data files can easily be damaged during an investigation.

While police procedures on physical evidence have existed for a long time, the Commission said its guidelines were the first to give comprehensive advice on tackling computer crime.

'The tools developed by the project represent the first complete end-to-end methodology to guide investigators through the difficult task of computer forensics,' it said on Friday.

EU researchers developed the guidelines with advice from police and lawyers as well as French telecommunications firm Alcatel and British government defence agency QinetiQ.

The project's website -- See ctose.org-- gives firms advice of how to deal with typical problems they might face, from a civil dispute over an e-commerce transaction to hackers placing illegal material on a company website.

'The methodology ensures all electronic evidence is legally and properly gathered and preserved, acting as uncontaminated and compelling proof that a crime or fraud has been committed,' the EU's executive said in a statement."

Economic Espionage: hunting for the information

Overseas Security Advisory Council: "Economic Espionage: hunting for the information
from Computer Crime Research Center on Friday, October 24, 2003

Nowadays the most of information is concentrated on not paper carriers: hard disks, diskettes, punched tapes and punched cards, microfilms and films, audio and videocassettes, CDs.

The growth in number of computers and the development of information networks have generated a new kind of crimes. There appeared a branch of economic espionage related to extraction of the information from data processing systems. 'Freaking' - the non-authorized getting of the information (including espionage) by means of electronic devices, and by the non-authorized connection to telecommunication networks. According to experts, 85% of the non-authorized penetration to the data processing systems remain unsolved. The leakage of confidential information causes millions losses. Besides, the offenders can ruin private businesses, or cause an irreparable loss to any branch of industry, or even to the whole country.

The way of virtual information storage is very attractive for economic spies. Any lucrative information stored not on a paper can be potential target. Such information may include all data making a trade secret, starting with new projects and 'know-how' and finishing with paysheets allowing to 'calculate' the business turnover and etc. The most important information is banking's and stock exchange's data.

Copyright © 2001-2003 Computer Crime Research Center. All rights reserved."

23 October 2003

Selling Security to the CFO

Selling Security to the CFO - Computerworld:

"Investment in information security can provide an ROI by reducing your annual loss expectancy (ALE) from a security breach. ALE is a calculation of the actual cost of a security breach multiplied by the probability that such a breach might occur in the coming year. It's much like the actuarial calculations insurance companies use to compute your premiums.

For example, let's assume you have a Web site that does $2 million of business per day. The security assessment shows the site is vulnerable to a denial-of-service attack, which would result in a three-day outage, and there's a 60% likelihood of a successful attack occurring. The ALE is $2 million per day X three days X 60% = $3.6 million.

The security improvement costs $500,000 and will reduce the likelihood to 15% and the outage to one day. The improved ALE is $2 million per day X one day X 15% = $300,000. This yields a first-year return of $3.3 million ($3.6 million minus $300,000) from a $500,000 investment.

Now you've got all the raw ingredients for a successful business case. The next step is to let your IT finance person produce your company's standard ROI financial tables and then wrap the assessment summary, the security plan with its five-year TCO, the risk/solution matrix and the ROI calculations into the standard company format. Remember, you want the business case for security to look exactly like the business case for any other company investment."

All the ROI calculations in the world will not reallocate funds from the marketing department to the IT department. What it will do is help justify needed projects. While this approach is a prudent one, the focus should be on how a comprehensive Enterprise Architecture See Adaptive can align the needs of the business with the necessary projects that need funding in IT. Security becomes a component of every project, not just one to plug a severe threat uncovered in the latest risk assessment.

22 October 2003

SARS Experts Want Tighter Testing Process

ABCNEWS.com : SARS Experts Want Tighter Testing Process: "SARS Experts Want Tighter Testing Process

The Associated Press

LONDON Oct. 22 — Experts planning how the world should respond if SARS returns proposed Wednesday that diagnostic testing procedures be tightened to ensure more accurate results and reduce the number of false alarms.

Scientists meeting this week at the World Health Organization headquarters in Geneva said they agreed that in most places, when patients go to their doctors with an apparently inexplicable bout of pneumonia, SARS testing should be done as a last resort.

"With influenza season coming, the last thing we want to do is have a number of false positives, so we hope that not everyone would be tested for SARS," said the meeting's leader, Dr. John MacKenzie of WHO. SARS testing is still under development and false positive readings do occur.

What controls and process do you have in your organization for monitoring employee sick days and illness? This is a threat to the organization that is now more of a "Code Red" than good old strep throat or a bad cold. A comprehensive system for managing global absences, travel threats See iJet and WHO alerts need to be correlated in real-time.

Operational Risk Management: A Leadership Message

by Peter L. Higgins
Managing Director
1SecureAudit LLC

The leader "self-talk" in all of us says that we can't do it all. We realize that the only way to make it all happen everyday is through your people, everyday that self-talk is reinforced. Until someone or some thing fails you.

The anticipation that change is going to bring us continued chaos is the key to really understanding what operational risk management is all about. The leaders who have taught their teams to understand that "chaos" is just around the next corner are the leaders whose mission will succeed.

The Operational Risk Management profession has long preached about the proactive mantra of being prepared. They realize that training, testing and planning is not a once a month or quarterly exercise. It is a daily if not hourly task that warrants the best decision making, the correct strategy and the acknowledgement that "Risk" is never totally defeated.

The anticipation that change is going to bring us continued technological advancement is the next key to really understanding what operational risk is all about. The leaders who realize that the threat of "technology" itself warrants an intensified strategy to protect and defend precious corporate assets are the ones who will survive.

A framework for operational risk is emerging, consisting of a set of integrated processes, tools and mitigation strategies. Yet leaders need to consistently support the efforts of the most effective weapon for managing operational risks. Planning and training with their employees, partners, suppliers and community.

Prepare for a new scenario that has not yet been identified. You can't predict when or what event in the next day will be a substantial threat to your well being. You can only prepare so that you have the edge no matter what the circumstances are. Get your people ready by training them and educating them on the most unlikely events. It is only then that you have started the awareness that is needed for your first layer or perimeter of defense.

Your investment in planning and training for your people is your duty. Invest in them and they will manage the inadequate or failed processes, other people, systems and external events that may bring you and your organization new and unexpected loss events.

21 October 2003

Romania Emerges As Nexus of Cybercrime

Overseas Security Advisory Council: "Romania Emerges As Nexus of Cybercrime
from Associated Press on Tuesday, October 21, 2003

The e-mail on a computer at the South Pole Research Center warned: 'I've hacked into the server. Pay me off or I'll sell the station's data to another country and tell the world how vulnerable you are.'

Proving it was no hoax, the message included scientific data showing the extortionist had roamed freely around the server, which controlled the 50 researchers' life-support systems. The FBI traced the e-mail to an Internet cafe in Bucharest and helped Romanian police arrest two locals -- the latest evidence that computer-savvy Romanians are fast emerging as a bold menace in the shadowy world of cybercrime.

'It's one of the leading places for this kind of activity,' said Gabrielle Burger, who runs the FBI's office in Bucharest and is working with Romanian authorities to arrest suspects 'and avoid the Sept. 11 of cybercrime.'

Law enforcement documents obtained by The Associated Press portray a loosely organized but increasingly aggressive network of young Romanians conspiring with accomplices in Europe and the United States to steal millions of dollars each year from consumers and companies.

Their specialties: defrauding consumers through bogus Internet purchases, extorting cash from companies after hacking into their systems, and designing and releasing computer-crippling worms and viruses.

Alarmed authorities say the South Pole case underscores the global impact of this new breed of cyber-outlaw.

Regulators hold to Basel II deadlines

IT-Director.com | Regulators hold to Basel II deadlines:

Monday 20th October 2003

The Basel Committee on Banking Supervision is to stick to its end-2006 deadline for the introduction of new bank capital rules, despite committing to a last-minute overhaul designed to simplify implementation of the regulatory framework. I think that is commendable - good to see the regulators are not being held to ransom by the market

Improvements to the current framework include: changing the overall treatment of expected versus unexpected credit losses; simplifying the treatment of asset securitisation, including eliminating the 'Supervisory Formula' and replacing it by a less complex approach; revisiting the treatment of credit card commitments and related issues; and revisiting the treatment of certain credit risk mitigation techniques. This means that the Final Accord will be out by mid-2004, and not end 2003 as promised, but on the whole the Basel Committee does not believe that it will impede financial institutions from implementation of the Accord by the 2006 deadline.

It must be understood that the recommended changes are at the more granular level, however the fundamental framework and requirements are not any different - the key drivers remain. So what are these key drivers?

The most significant issue facing banks in relation to Basel II is aligning and upgrading data and existing IT systems infrastructure for completeness, consistency and integrity across the organisation. The systems to comply with Basel II requirements under the advanced approach for both Credit and Operational risk must be compatible with the existing IT architecture and provide suitable reporting facilities and analytics."

20 October 2003

When Your Company Should Have a Chief Compliance Officer

When Your Company Should Have a Chief Compliance Officer: "Corporate Board Member November/December 2003

Feature Story

When Your Company Should Have a Chief Compliance Officer
by Randy Myers

The job's a luxury some companies can't afford or don't need. But the more opportunity you have to run afoul of the law, the more compelling the argument for filling the position becomes.

As a heavily regulated global insurance and reinsurance company, Bermuda-based ACE Ltd. has employees around the world who are expected to make sure it complies with insurance regulations that vary from country to country and, within the U.S., from state to state. ACE uses internal and external auditors to vet the accuracy of its financial statements; in-house attorneys at headquarters and various subsidiaries provide ongoing legal advice; and in keeping with governance reforms in the U.S., the CEO and CFO now personally certify the financial statements accuracy.

ACE clearly doesn't think this goes far enough. In March the company yanked Robert Blee out of his job as chief accounting officer, in which he was responsible for corporate accounting policy and all corporate financial reporting, and gave him the newly created title of chief compliance officer. This top-cop job means he has to ensure that ACE meets all the new governance standards with particular emphasis on the mandates handed down by the Securities and Exchange Commission under the Sarbanes-Oxley Act of 2002.

No law or regulation requires a publicly traded company to employ a chief compliance officer, and many do not. But the idea is slowly gaining currency among companies eager to distance themselves from the accounting scandals that have rocked investor confidence in the capital markets. The procession of those that have added the title in the past 12 months includes Bristol-Myers Squibb, Cinergy Corp., CMS Energy, Cooper Industries, Eli Lilly & Co., and Mellon Financial Corp. "

U.S. Prescription Drug System Under Attack

U.S. Prescription Drug System Under Attack (washingtonpost.com): "A Vast, Unregulated Shadow Market

U.S. Prescription Drug System Under Attack
Multibillion-Dollar Shadow Market Is Growing Stronger

By Gilbert M. Gaul and Mary Pat Flaherty
Washington Post Staff Writers
Sunday, October 19, 2003; Page A01

First of five articles

For half a century Americans could boast of the world's safest, most tightly regulated system for distributing prescription drugs. But now that system is undercut by a growing illegal trade in pharmaceuticals, fed by criminal profiteers, unscrupulous wholesalers, rogue Internet sites and foreign pharmacies.

In the past few years, middlemen have siphoned off growing numbers of popular and lifesaving drugs and diverted them into a multibillion-dollar shadow market. Crooks have introduced counterfeit pharmaceuticals into the mainstream drug chain. Fast-moving operators have hawked millions of doses of narcotics over the Internet.

The result too often is pharmaceutical roulette for millions of unsuspecting Americans. Cancer patients receive watered-down drugs. Teenagers overdose on narcotics ordered online. AIDS clinics get fake HIV medicines.

Normally, drugs follow a simple route. Manufacturers sell them to one of the Big Three national wholesalers -- Cardinal Health Inc., McKesson Corp. and AmerisourceBergen -- which sell to drugstores, hospitals or doctors offices. Regulators and industry officials have long considered this straightforward chain to be the gold standard.

The shadow market exploits gaps in state and federal regulations to corrupt this system, creating a wide-open drug bazaar that endangers public health."

This is just one example of how our distribution chains are being hijacked. The pharmaceutical companies have been aware of the problem for years and have tried several ways to mitigate this operational risk. In some drugs, they are placing "inert" ingredients in the pills themselves that can be tested in the field with a special "test kit" to determine if a pill is counterfeit. Unfortunately, the test kits are only being used by the people who are catching the bad guys, like the DEA and other law enforcement. See Biocode

Other diversion of controlled substances have made their way to the Internet to be sold on web sites. For example, the tobacco companies have acknowledged the fact that minors are buying cigarettes via web sites developed and operated from American Indian reservations. These sites sell cigarettes at discounted prices and the consumer is avoiding steep taxation on these types of controlled products. Again, the problem is not about a lack of awareness about the issue, it is about the lack of resources and funding to stop the problem.

19 October 2003

Internet Fraud Complaints Rising

WOWT | Home

Internet Fraud Complaints Rising
Auction fraud the most common complaint

Fraud on the Internet rose sharply in 2002, with the FBI reporting more than 48,000 complaints referred to prosecutors. That's triple the number of the year before.

By far, the most common complaint was auction fraud, followed by non-delivery of promised merchandise, credit card fraud and fake investments, according to the report from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center based in Richmond, Virginia.

The total dollar loss of Internet fraud reported to the center in 2002 was $54 million, compared with $17 million the year before. The 48,252 complaints referred for prosecution were far more than the 16,755 such complaints referred in 2001, but they still represent only a fraction of the crimes authorities believe are occurring.

The center also received almost 37,000 other complaints in 2002 that did not constitute fraud but involved such things as unsolicited e-mail or SPAM, illegal child pornography and computer intrusions.

18 October 2003

Official: E-Mail Warned of Plan to Hide Items on Planes

ABCNEWS.com : Official: E-Mail Warned of Items on Planes:

Official: E-Mail Warned of Plan to Hide Items on Planes, but Sender Not Considered Threat

The Associated Press

WASHINGTON Oct. 18 The man suspected of hiding box cutters on two airline flights warned the government in an e-mail of his intention to conceal similar suspicious items on six planes and provided dates and locations for the plan, but was not considered a threat, a senior Bush administration official said Saturday.

Federal authorities 'reviewed the correspondence and determined this individual did not pose an imminent threat to national security,' said the official, who spoke on condition of anonymity.

No charges have been announced, the man's identity has not been disclosed by the government and FBI statement said legal proceedings were expected Monday in federal court in Baltimore"

17 October 2003

Terror Alert on Planes

Headline news from Sky News - Witness the event: "TERROR ALERT ON PLANES

All commercial aircraft in the United States are being searched after bags filled with a clay-like material, bleach and boxcutters were found on two flights.

The items were discovered in the toilets of two Southwest Airlines planes that are now on the ground in Houston and New Orleans, officials said.

A note in both packages indicated the items were intended to challenge security procedures.

A search of all aircraft, within 24 hours, was directed by the Department of Homeland Security and its Transportation Security Administration.

The airline said the bags were found during routine maintenance on the plane in New Orleans on Thursday.

The items were 'intended to simulate a threat', Southwest said in a statement.

A similar discovery was made in Houston on Thursday during routine inspection of another aircraft.

The company examined all of its 385 aircraft and nothing else was found.

The 19 al-Qaeda operatives who hijacked planes and crashed them on September 11, 2001, used box cutters as weapons.
Last Updated: 18:58 UK, Friday October 17, 2003"

SSL Filtering Won't Increase Security

Overseas Security Advisory Council: "SSL Filtering Won't Increase Security
from eWeek on Friday, October 17, 2003

The genie of SSL filtering is out of the bottle. Even if the feature is eliminated, its capabilities can be duplicated.

If you use the Web, you use Secure Sockets Layer connections. SSL is the technology that secures your connection so you can safely submit your credit card number to online merchants such as Amazon.com. It makes it possible to securely use Web-based mail clients from kiosks or shared computers. It is also used to provide clientless VPN connections to company networks. And it has been broken.

Not by a virus or worm, or a newly discovered security hole, or a malicious hacker. SSL has been broken by well-intentioned security vendors trying to provide requested capabilities to their customers. Both the vendors and at least some of their customers see SSL as a potential hole in their firewall and security infrastructure. Because SSL is a secure and encrypted connection, it has been impossible to scan SSL connections for viruses or to apply content filters to the information that passes through an SSL connection.

So, to close this potential hole, security vendors such as Secure Computing and Webwasher recently have added a feature known as SSL filtering to their products. This feature works as a sort of virtual proxy between clients and SSL servers, decrypting and scanning SSL links before sending the information on.

This feature makes it possible to apply anti-virus scanning, firewall rules and content filtering to SSL connections. Unfortunately, it also makes it possible to scan and store all the information that employees and others within the network send to online merchants, including credit card numbers. If a visitor to the company uses the network to access a secure Web-mail client, it makes it possible to break this security and scan a user's mail.

If this sounds bad, imagine this technology being used by an ISP or, even worse, a repressive government. And if outraged employees and corporate visitors aren't good-enough reasons to think twice about deploying SSL filtering, think about this: SSL filtering may very well be illegal.

If online merchants such as Amazon. com found out that companies were using SSL filtering to break the secure connection they are providing to their customers, they probably wouldn't be very happy. And they could very well take action using the extremely broad federal DMCA (Digital Millennium Copyright Act) law. "

ID Theft being subsidized by Financial Services firms?

Global banking institutions are spending millions on marketing their brand of credit card. Retailers like Starbucks are announcing their entry into the affinity card craze.

Pioneers in the industry have realized for some time that you need to send a targeted offer to the correct individual to get them to sign up. This direct mail approach has gone off line and now is also growing on line.

Credit card marketers have grown on the Internet using affiliate marketing partners to expand their presence and reach across the digital world. The question now remains if these 3rd party marketing affiliates are subsidizing the potential for increased risk of ID theft.

What if the secure forms that you fill out on line to qualify for that new low interest credit card were being hosted by someone other than the bank itself? What if your vital personal identifiable information such as social security number, date of birth and mothers maiden name were being collected by these 3rd party marketers without your knowledge?

There are incentives and commissions being paid by large banking institutions to these 3rd party marketers to sign-up new customers. Millions of unsuspecting consumers are filling out these pre-qualified offers or searching on Google for credit cards for people with bad credit and being subjected to an "instant qualifier" ploy.

How many millions of records of unsuspecting consumers are being stolen, sold or diverted to entities that have one only one thing on their mind? To steal your identity to get more credit from another banking or lending institution in a fraudulent manner.

External fraud is an Operational Risk that could be more effectively mitigated by our financial services industry. The write offs are increasing because of the race for market share and the uncontrolled use of third party marketing affiliates.

We suspect that over the next few months the credit card industry is going to have to take a closer look at who they are paying to acquire new customers. They are going to audit their third party marketing affiliates to make sure that our personal information is protected and the controls are in place to safeguard it from theft.

16 October 2003

For Some, ASPs Are Worth the Risk

Wall Street & Technology > ASPs > For Some, ASPs Are Worth the Risk > : "

When it comes to managing risk, Anthony Patti looks for technology that not only crunches numbers but also helps keep his costs down. That's why the managing director and chief risk officer for Americas at Merrill Lynch Investment Managers in Plainsboro, N.J. has turned to application-service providers for the provision of risk-management software. 'Generally, what we have found is that we're saving tons of money by using an ASP solution.'

That's because he doesn't have to worry about hiring technologists and maintaining infrastructure. 'It's saving us time and effort,' he says of the two ASP services, one from RiskMetrics Group and the other from Barra.

Firms that manage the task themselves 'can have anywhere from 10 to 40 machines running analytics and that can cost a lot of money' in implementation and maintenance costs, he explains. 'ASPs work great. They're very, very cost efficient.' "

ASP's are worth the risk if you audit their Business Continuity Plans. When was the last time your web site hosting supplier was down? Think twice about hosting mission critical applications without substantial testing and due diligence to weigh the severity and likelihood of a significant loss event.

15 October 2003

Homeland Security issues interim rule on industry liability

Government Executive Magazine -

Homeland Security issues interim rule on industry liability

By Greta Wodele, National Journal's Technology Daily

The Homeland Security Department on Tuesday announced an interim rule designed to limit the liability risks associated with anti-terrorism technology. The announcement came during a seminar with industry officials.

'It is in the public's interest to have this interim rule effective immediately because its aim is to foster the development and deployment of anti-terrorism technologies,' said the rule signed by Homeland Security Secretary Tom Ridge late on Friday.

The regulation also seeks to clarify the process for seeking protection under the law in order to provide 'an instant incentive for prospective applicants ... and for others to begin exploring new measures that will prevent or reduce acts of terrorism."

Reputation Risk...more than PR and Marketing Communications

By Peter L. Higgins
Managing Director
1SecureAudit LLC

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:

1. What is your reputation worth?

2. Are you being Proactive or Reactive in managing and safeguarding your reputation?

The PR and marketing communications processes in your organization may have certain facets of the solution to better reputation risk management. However, these processes are designed with out the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become more clear to executives in proactive oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:

- Economic Accountability

- Information Management

- Business Integrity

Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:

1. Intellectual Property and Information Assets

2. Demonstrations, planned boycotts and social activism

3. Physical infrastructure including employees and suppliers

4. Legal threats including class actions, insider trading or whistle-blowers

Today Microsoft is due to begin closing its free Internet chat rooms in 28 countries because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, this has opened the door to another related threat of hackers hijacking Instant Messaging (IM) accounts.

Although Microsoft contends that IM is safer than the chat rooms it is already known that both AOL and MSN messenger systems are already being exploited with malicious code and worms that can potentially expose organizations to additional digital risks.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help influence the corporate mindset, philosophy and ethics to a new found level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

14 October 2003

Laggard Firms Face Liability on Do Not Call

Bank Systems & Technology > Laggard Firms Face Liability on Do Not Call > October 14, 2003: "Laggard Firms Face Liability on Do Not Call

Anthony O'Donnell

Last week's federal appeals court ruling on the Do Not Call Registry made suddenly real the possibility of penalties to financial services companies for failure to comply. The Denver court ruled the FTC could begin enforcing the list while legal challenges to it continue. And while many financial services firms with hardcore telemarketing operations were prepared, many others with less obvious exposures may face significant liability.

Firms that have not taken Do Not Call (DNC) seriously are making a mistake, according to Craig Weber, an analyst with Celent Communications (Boston) and author of a new study, 'Crunch Time for Do Not Call Compliance: Are Financial Institutions Ready?' Even with the final outcome of the national registry in doubt, DNC regulations have already been enacted in the vast majority of states, and are pending in all the others. 'Companies will need to manage DNC issues across 50 jurisdictions anyway, whatever happens with the federal DNC registry,' Weber comments. 'The other issue is simply that more than 50 million Americans have clearly said, 'Do not call me and try to sell me something.''

Across the financial services verticals there are no great differences in the compliance requirements and potential impact faced by companies. Differences do exist, however, in where banks, securities firms and insurance companies are likely to be exposed to liability."

Have you updated your CRM systems to reflect the wishes of your existing or potential customers?

It you haven't automated this process already, you are putting yourself at additional risk in compliance with DNC.

Pillow Bombs Feared on Planes

Pillow Bombs Feared on Planes (washingtonpost.com): "

U.S. Says Al Qaeda Explosives Could Also Be Stuffed Into Coats, Toys

By John Mintz and Sara Kehaulani Goo
Washington Post Staff Writers
Tuesday, October 14, 2003; Page A05

Airport screeners in this country and overseas are on the lookout for suspicious pillows, coats and even stuffed animals after U.S. intelligence concluded that al Qaeda operatives are being trained to apply special chemicals to the material inside to transform them into bombs.

American intelligence officials have picked up several indications that al Qaeda is attempting to create a chemical called nitrocellulose to fashion explosive devices that could be smuggled aboard jetliners, according to a warning the Department of Homeland Security sent in August to airlines and airport security officials around the world. "

13 October 2003

Whistle-Blower Woes

Whistle-Blower Woes - CFO Magazine - October Issue 2003 - CFO.com: "Whistle-Blower Woes

Many companies think the whistle-blower provisions of Sarbanes-Oxley will spark nuisance suits by disgruntled employees. The truth is far more complex.

Alix Nyberg, CFO Magazine
When Matthew Whitley was laid off from his job last March as a finance manager at The Coca-Cola Co., along with about 1,000 other employees, he didn't take it lying down. Two months later, Whitley approached his former employer seeking a whopping settlement $44.4 million on the grounds that he had been fired in retaliation for raising concerns about accounting fraud. When Coke balked, Whitley turned for relief to a new ally: the Sarbanes-Oxley Act of 2002. He filed for whistle-blower protection under the act's Section 806 provisions, and initiated federal and state lawsuits that charged seven Coke executives, including CFO Gary Fayard, with crimes ranging from racketeering to mail and wire fraud."

Many companies are scrambling to establish toll-free hotlines and Web-based mechanisms that allow audit-committee members to hear directly from employees, suppliers, and customers who want to voice concerns about accounting or internal controls. According to the Sarbanes-Oxley Act of 2002 and Securities and Exchange Commission rules, such systems must allow for anonymity and be in place by a company's first annual meeting after January 15, 2004, or by October 31, 2004, whichever comes first.

But CFOs may do well to become better listeners. Most whistle-blowers say they never would have gone public with their concerns about the financial statements if senior management had been more attentive to them. And opening up the lines of communication doesn't necessarily mean opening Pandora's box.


The key to Pandora's Box is sitting in front of every CFO at any firm who has skeletons in the closet. The internal audits that are common in large public companies put these issues on the table each quarter. Individuals who uncover items that are questionable have been hired to do so. It is their job to raise "red flags" when audit practices need more questioning.

Mitigation of risk is about addressing each of these red flags early and often. This is when your investigation will uncover the truth and determine whether there are any other related matters that could be impacted. The big picture is vital here in understanding any down stream implications of making a change or fixing a problem. One thing is for certain. Fixing the problem immediately and all the connected issues will be far less costly in the long run. Waiting until later could put that Internal Auditor under Section 806 provisions of the Sarbanes-Oxley Act of 2002. This is when the key to Pandora's Box is no longer in your control anymore.

11 October 2003

SEC filings: Revenue, profit...cybersecurity?

Overseas Security Advisory Council: "SEC filings: Revenue, profit...cybersecurity?
from CNet on Friday, October 10, 2003

Publicly traded companies could be required to disclose whether they are doing anything to secure information on their computer systems, U.S. Office of Homeland Security Secretary Tom Ridge said Thursday.

Ridge said he had met with William Donaldson, chairman of the U.S. Securities and Exchange Commission, to discuss whether companies should be required to disclose cybersecurity efforts in their SEC filings. 'I think we need to talk about some kind of public disclosure: What are you doing about your security, physical and cybersecurity? Tell your shareholders, tell your employees, tell your communities within which you operate,' Ridge told the software industry trade group.

The government used a similar approach to encourage companies to fight the Year 2000 bug, or 'Y2K,' the worry that data could be lost when computers' internal clocks switched over to the year 2000.

While Y2K ultimately did little or no damage, computer systems have been ravaged in recent years by a string of hacker attacks, viruses and worms, and many security consultants say businesses are not taking online security seriously enough.

The Bush administration has largely shied away from requiring businesses to improve their cyberdefenses, opting instead to encourage better practices through voluntary measures.

The SEC was not immediately available for comment. "

10 October 2003

FBI to open five computer crime labs

Government Computer News (GCN) daily news -- federal, state and local government technology; FBI to open five computer crime labs: "FBI to open five computer crime labs

By Wilson P. Dizard III
GCN Staff

The FBI plans to open five new Regional Computer Forensics Laboratories by the end of 2004. The labs in Buffalo, N.Y.; Houston; Newark, N.J.; Portland, Ore.; and Salt Lake City will be added to four existing computer crime labs around the country.

The FBI cooperates with local law enforcement agencies to create and operate the labs. Local agencies provide computer specialists to serve as examiners, while the bureau provides training, advisory and advanced forensic services, the FBI said in an announcement yesterday. "

09 October 2003

If you can't stand the risk...

If you can't stand the risk

by Maurice H. Hartigan II,
President and CEO - Risk Management Asssociation

With greater consensus that the world is several decades into global warming, we should all be used to 'feeling the heat,' although the heat we're feeling is being brought to us by Mother Nature and our regulators. And after years of sweating through mergers and consolidations and trying to do more with less, I guess it should come as no surprise that we've shrunk liability to a four-letter word.

As risk managers, we look at various risk/reward equations and decide when to forgo the reward to avoid a major burn. Managements at many smaller accounting firms, acting in a similar manner, are dropping their public corporate clients like hot potatoes to avoid registering with the Public Company Accounting Oversight Board and preparing for intense scrutiny and possible harsh discipline for red flags they didn't see while performing audits.

Some, mostly larger, firms have chosen to stand the heat and are sinking resources into ensuring they meet the new rules. Others are waiting it out a bit to see where the dust settles. The implication for risk managers is profound if the result of this uncertainty is that their clients are unable to produce audited statements. "

How to test IT systems within the guidelines of the Data Protection Act

How to test IT systems within the guidelines of the Data Protection Act : "How to test IT systems within the guidelines of the Data Protection Act

BSI has published new guidelines for the use of personal data in system testing, providing a practical tool to help companies in the financial sector avoid potentially reputation damaging and costly security breaches when processing computer-based customer data. The publication, BIP0002: 2003 - Guidelines for the use of personal data in system testing explains how to test IT systems within the guidelines of the Data Protection Act 1998.

The publication is supported by the Financial Services Authority (FSA), who's spokesperson Mike Frost, said: 'This is a practical and very useful work of reference for the cost conscious manager, who understands the benefits both of legal compliance and systems proven to be efficient by valid and credible system testing. At worst, it removes any excuse not to give full consideration to data protection in system testing procedures. It provides a practical methodology that can save considerable time and effort.'"

What does this publication offer?
From the point of view of the customer, security of personal data is paramount.  This new guide advises on avoiding data protection breaches during system testing. Most organizations gather and use personal data and process it automatically. This requires them to undertake system testing of live data that increases the possibility of breaches.

SEC to Vote on Corporate Governance

SEC to Vote on Corporate Governance (washingtonpost.com): "SEC to Vote on Corporate Governance

AP Business Writer
Wednesday, October 8, 2003; 9:22 AM

Federal regulators are moving to make it easier for major shareholders to install directors on company boards over opposition from corporate CEOs -- an effort to make companies more accountable.

The far-reaching proposal by the Securities and Exchange Commission not only is designed to make companies more answerable for their actions, but it also is aimed at preventing boards from functioning as rubber stamps for executive action. The goal is to bolster investor confidence rattled by last year's wave of corporate scandals. "

Look for more companies to go private over the next few years.

08 October 2003

Mobs Turn Net into Money Machine

Wired News: Mobs Turn Net into Money Machine: " LONDON -- Organized crime syndicates have stepped up their presence on the Internet, operating extortion rackets, child-pornography rings and elaborate financial scams, Britain's top cybercop told Reuters.

And the most vulnerable target is the individual Web user, said Detective Chief Superintendent Len Hynds, head of the U.K.'s National Hi-Tech Crime Unit, or NHTCU.

'Organized crime is turning to the weakest element in the chain, which is the people. It's the hands on the keyboard on either end of the transaction that is the actual weak point,' Hynds said.

The crime syndicates, he said, are based in every corner of the globe. Investigations have led the NHTCU repeatedly to Eastern European countries, including Ukraine, Russia and Latvia.

The groups have honed their Internet skills as a greater flow of business is conducted online.

'Organized crime in all its guises is extremely flexible. It does spot the new and lucrative opportunity,' Hynds said.

In the NHTCU's two-year existence, the 55-person task force has made nearly 110 arrests for such age-old crimes as blackmail and extortion as well as decidedly high-tech computer hacking cases.

Law-enforcement officials throughout the world suspect crime rings are recruiting technically savvy programmers to concoct fraud schemes against banks and businesses. "

Why is ID Theft a global issue? Crime syndicates have recruited and successfully exploited the online world to collect personal information. Social security numbers, dates of birth, mother's maiden names and other key information to open fraudulent accounts both online and offline.

ID Theft has become a global issue because of our societies thirst for "instant" approval" and a credit line to make those purchases today, not tomorrow. Our financial services institutions are eating their operational losses because of failed processes and systems with credit card marketing affiliates.

If you have been a victim of ID Theft then you know how hard it is to prove your innocence. Now more than ever it is important to read the fine print in privacy policies and question the security of your personal information. One day, the laws will realize that "Opt-out" should not be the default. "Opt-in" will be become the new marketers weapon against increasing operational losses.

OSAC - Cyber Terrorism

Overseas Security Advisory Council: "Cyber Terrorism
from Directions Magazine on Wednesday, October 08, 2003

Business, government and industry have all become addicted to information. Their reliance on information creates opportunities for terrorism. Imagine a day without the Internet. What would the impact be? Just what is considered to be cyber terrorism?

Cyber terrorism is the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.

If your look at the projected eCommerce number for this year, the Internet being down for just one day could disrupt nearly $6.5 billion worth of transactions. More than just eCommerce transactions flow over the Internet. eMail, voice communications, some banking machines, credit card authorizations for physical stores and the list goes on and on. Information is the life blood of commerce, regulatory oversight and even social status. The importance of the information and the ability to access it, transfer it and act upon it has increased to the point that it is unfathomable for all but the smallest of businesses to operate without computers or networks. As the value of the computing infrastructure increases so to does the value of disruption. The financial implications are one thing, but the psychological impact of the Internet disruption could be even more damaging.

How likely is this to happen? It is not, if it will happen, but when. The likelihood of a cyber terrorism attack disrupting the Internet increases every day. The increased reliance on the Internet by business, government and society has made it a prime target for terrorist intent on disrupting our economy and way of life. "

05 October 2003

Holistic approach to governance

thestar.com.my: Business News: "Holistic approach to governance"


MANY people view corporate governance as a means by which organisations can ensure their activities do not put at risk a key feature of business, that of reputation.

Much of the literature addressing corporate governance focuses on the duties and responsibilities of company directors, members of company boards and those of the senior executives of organisations.

This literature also tends to be around the appropriate financial structures and reporting mechanisms that need to be in place to ensure good decision-making and to minimise the occurrence of damaging behaviour such as fraud and corruption.

There can be no doubt as to the need for organisations, and in particular the senior executives and directors of organisations, to take these duties and responsibilities seriously. However, solely financial or accounting based approaches to governance are a limited and incomplete approach.

Organisations need to recognise that the financial and legalistic framework of corporate governance is in fact underpinned by ethics and morality."

Reputation Risk is an intangible reality for any substantial business. Mr. Segon has suggested that the civility of the organization is a key indicator of it's exposure to future reputational risk. In fact, the aggregate of peoples day to day management and decision making is what dictates the barometer of daily risk. We agree that the roots of any successful governance strategy begins with the operational layer of managers who make the split second decisions during the course of a business day. This is where the companies reputation is won or lost on every transaction and every proposal put in front of a customer.

03 October 2003

Consumers make ready for anti-fraud credit cards

Guardian Unlimited | The Guardian | Consumers make ready for anti-fraud credit cards: "Press Association
Thursday October 2, 2003

At least half of all cardholders are likely to have a new-style 'chip and Pin' credit or debit card by spring next year, with one in five expected to have one by Christmas, it was announced today.

The new cards aim to combat card fraud through the use of a 'smart chip' which can store information more securely than a magnetic strip. Consumers will also have to verify a transaction by keying in a four-digit Pin number, rather than signing a receipt. Following a three-month trial in Northampton involving around 150,000 people, card issuers will begin sending the new cards to consumers this month. By spring 2004, the new system is expected to account for one in three transactions."

Watch your back...

Watch your back...: "

Corporate kidnapping is a very real threat that companies face. David Honour explores the subject.

Corporate kidnapping hit the headlines in June with the abduction of sixty gas pipeline workers in a remote area of the Peruvian Andes. The kidnap gang demanded a $1m ransom from the workers' company, Techint.

The Peruvian case was unusual in that it involved a large number of victims. Much more common is the kidnap of individual company executives or members of their families. This can be for attempted financial gain though the demanding of a ransom or to bring political or social issues to the attention of a wider audience.

Companies have a duty-of-care to protect employees who may be working or travelling to areas where the kidnap risk is high. It also makes good business continuity sense. Too often business continuity planning seems to focus upon IT and communications systems and the availability of data. Human resource aspects of business continuity are often neglected; but people are mission critical business assets that need protecting.

There are many measures that firms can take to protect employees against the risk of kidnap. They can be summed up under the following broad headings:
Awareness and information, Security, Response and Insurance."

David suggests several resources to help you learn more about this. As a U.S. based company, we are a constituent member of OSAC - Overseas Security Advisory Council. We highly recommend their training, alerts and other briefings.

The Overseas Security Advisory Council (OSAC) was established in 1985 by the U.S. Department of State to foster the exchange of security related information between the U.S. Government and American private sector operating abroad. Administered by the Bureau of Diplomatic Security, OSAC has developed into an enormously successful joint venture for effective security cooperation. Through OSAC, the American private sector, including colleges and universities, is provided timely information on which to make informed corporate decisions on how best to protect their investment, facilities, personnel and intellectual property abroad.

Big Concerns: New Financial Regs

Bank Systems & Technology > Big Concerns: New Financial Regs > October 02, 2003:

By Ivan Schneider

"The following is a brief, and by no means complete, list of the major topics preoccupying compliance officers at financial institutions, large and small. While these regulations include those that affect all companies and those that only affect certain lines of business in banks, they all have one thing in common-the IT department will have to get involved."

02 October 2003

Confusion hampered SARS fight, inquiry told

The Globe and Mail

Confusion hampered SARS fight, inquiry told


Disorganization, poor communication and the province's antiquated data collection system hampered the efforts of scientists to understand and contain SARS, a representative of the Ontario SARS Scientific Advisory Committee testified yesterday at public hearings.

A provincial centre for disease control should be created to manage future outbreaks of infectious diseases and monitor provincewide surveillance, Brian Schwartz recommended to the SARS Commission on the final day of hearings.

"There were times when we were concerned as an organization that we could have done better. I'm an emergency physician used to making order out of chaos, and the fact of SARS was it was chaotic," said Dr. Schwartz, vice-chairman of the scientific advisory committee and a physician at Sunnybrook & Women's College Health Sciences Centre.

The members of the scientific committee, which was struck to help the province manage the SARS outbreak, had no direct access to data on SARS patients, Dr. Schwartz said.

Operational Risk encompasses the risk of loss from external events like the SARS incidents across the globe. Biological viruses and digital viruses have common traits in many ways. They both travel undetected for days and even weeks before symptoms of their attack becomes apparent. Without systems to constantly monitor and correlate information, (EMPHASIZE "CORRELATION"), then the threat matrix will become useless. Change management is the key to more effective operational risk mitigation.

How does management decide what strategies will work? That will be dependent on several factors:

1. Are members of management and the board ready for change? (as a result of new losses from new threats such as SARS, declining sales or new legal exposures) Is there enough uneasiness among stakeholders to create the catalyst for new plans or strategies? If this dissatisfaction doesn't exist, is there audit evidence that it should?

2. If management is ready for change, how might internal or external stakeholders react to proposed changes? This could involve regulators, customers, employees, unions and strategic partners.

Communication of information that is uncorrelated can trigger events that increase your risk of loss. That is why the most savvy OPS Risk organizations have overhauled their enterprise architecture to facilitate a rapid and optimized response to new threats, be they biological or digital.

01 October 2003

OSAC | Package Bomb Delivered to U.S. Company in Colombia

Overseas Security Advisory Council: "Package Bomb Delivered to U.S. Company from Colombia

The following message is from the US Embassy Colombia:

Begin text of wardens message:

Unknown perpetrators recently sent a package bomb to the Bogota offices of a major U.S. company. An alert employee was suspicious of the package and called the Colombian authorities, who responded and determined it was a bomb. The device was deactivated. The Embassy has learned a similar device was also delivered recently to a Colombian hotel. American citizens in Colombia should be alert for any suspicious packages and should know how to respond if one is delivered.

The device delivered to the U.S. company consisted of a Colombian-manufacture fragmentation grenade mounted inside a wooden box. The detonating pin of the grenade was fastened by a string to the roof of the box, so that if a recipient opened the box the pin would be pulled and the grenade's detonation sequence initiated. "

American citizens in Colombia are advised to take the following steps to counter attempts to deliver package or letter bombs: 1. Identify a safe area where all packages and mail can be received and screened before they are brought into the general work area or delivered to individual addressees. 2. Establish procedures for the receipt of packages and mail, to include methods of inspection, checklist of package and letter bomb indicators, and recording identity of couriers. 3. To the extent practical, install video surveillance equipment at reception point for packages and mail. 4. Train employees on indicators of package and letter bombs. 5. If a suspicious letter or package is delivered, immediately notify the Colombian National Police.

BS7799-2:2002 Controls for Section A.7 - Physical and Environmental Security state:

Objective: To prevent unauthorized access, damage and interference to business premises and information.

A.7.1.3 Securing offices, rooms and facilities

Secure areas shall be created in order to protect offices, rooms and facilities with special security requirements.

The selection and design of a secure area should take into account the possibility of damage from fire, flood, explosion, civil unrest, and other froms of natural or man-made disaster.

A.7.2.1 Equipment siting and protection

Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

DHS | Department of Homeland Security | WMD-Ready National Urban Search and Rescue Response System

DHS | Department of Homeland Security | WMD-Ready National Urban Search and Rescue Response System: "WMD-Ready National Urban Search and Rescue Response System

For Immediate Release
Federal Emergency Management Agency
October 1, 2003

Today the Department of Homeland Security's Federal Emergency Management Agency (FEMA) announced that it has completed an aggressive program to train and equip the nation's Urban Search and Rescue teams to respond to a WMD event.  This strengthening of a key element of the nation's federal response capabilities follows a significant contribution of resources, training and equipment from the Bush Administration during the last year.  The National Urban Search and Rescue (US&R) Response System is a framework for structuring local emergency services personnel into integrated disaster response task forces. These task forces complete with the necessary tools and equipment, skills and techniques, can be deployed by the Department of Homeland Security for the rescue of victims of structural collapse.  

The Urban Search and Rescue System

There are 28 national US&R task forces located throughout the continental United States, trained and equipped to handle structural collapse. Any task force can be activated and deployed by FEMA to a disaster area and provide assistance in structural collapse rescue, or may be pre-positioned when a major disaster threatens a community. Each task force must have all its personnel and equipment at the embarkation point within six hours of activation. The task force can be dispatched and en route to its destination in a matter of hours.

Each task force is comprised of 70 specialists, and is divided into six major functional elements: search, rescue, medical, hazmat, logistics and planning. The task force is divided into two 35-member teams, which allows for the rotation and relief of personnel for round-the-clock search and rescue operations. "

OFAC and When Every Name Counts...

LAS- : "Language Analysis Systems is the world's recognized leader in providing multi-cultural name recognition software solutions for mission critical applications. LAS has worked with U.S. Intelligence and Border Protection agencies for nearly two decades, developing a revolutionary and patent-pending approach to name matching and searching, going far beyond simplistic Soundex and key-based approaches. They offer a variety of proven commercial products to government, law enforcement, and commercial organizations that solve a multitude of name related problems"

Are you doing business with a "Specially Designated National" (SDN)? Contact Jim or Jack at LAS to answer your detailed questions. They can help you mitigate some of the operational risks associated with doing business with entities of concern by the US Treasury Office of Foreign Assets Control (OFAC).