29 November 2003

The role of psychological factors in the management of crisis situations

What personality traits tend to exist in successful crisis managers?

Dr Gary Buck C.Psychol. AFBPsS, University of Westminster, presents a paper exploring this issue.

Research literature suggests a number of psychological factors that affect the management of critical situations. Firstly, the complexity of an individual’s information processing has been linked to successful management of critical situations. To be able to process information in a complex manner, an individual must have the underlying capacity to operate at such high levels. This capacity (referred to as conceptual complexity) can be characterised by personality traits such as open-mindedness and flexibility, or perhaps better viewed as the non-authoritarian and non-obsessive personalities. The underlying motives of the individual (whether they are primarily motivated by a need for achievement, power or affiliation) will affect which goals the individual sees as important and in part how they interpret the stressfulness of the situation. The stressful nature of the situation will also be buffered to a greater or lesser extent by the hardiness of the individual (the extent to which they see the situation as a challenge, feel committed to solving the problem and feel they can control the situation). The level of stress perceived by the individual will then lead them to adopt a pattern of coping behaviours (unconflicted adherence, unconflicted change, defensive avoidance, hypervigilance and vigilance) in order to deal with the psychological conflict caused by the situation and the stress engendered by it. The quantity, quality and more specifically the complexity of the individual’s information processing (and thus the likelihood of success) will vary with the adoption of one of these patterns.
See the Complete Paper

The Audit Committee's Roadmap

The Audit Committee's Roadmap - AICPA Exhibit 4: "

By James W. Bean

Exhibit 4: A Sample Audit Committee Charter Adapted From Glendale Federal's Audit Committee Charter

One committee of the board of directors will be known as the audit committee. Only independent directors will serve on the audit committee. An independent director is free of any relationship that could influence his or her judgment as a committee member. An independent director may not be associated with a major vendor to, or customer of, the company. When there is some doubt about independence, as when a member of the committee has a short-term consulting contract with a major customer, the director should recuse himself from any decisions that might be influenced by that relationship.

The primary function of the audit committee is to assist the board in fulfilling its oversight responsibilities by reviewing the financial information that will be provided to the shareholders and others, the systems of internal controls management and the board of directors have established and all audit processes."

22 November 2003

Sarbanes-Oxley becoming evangelistic in the USA

IT-Director.com: Sarbanes-Oxley becoming evangelistic in the USA

Bob McDowall
Technology Channel: Business and Finance

Sarbanes-Oxley was a body of legislation, which very hastily and reactively codified a range of provisions on the corporate governance and conduct of US domestic companies listed on US stock exchanges. This came in reaction to the corporate greed and excesses, displayed by many US corporations over the past twenty years or so, as the USA started to live beyond its means. According to recent commentary based on research in the USA, Sarbanes-Oxley shows all the signs of becoming the standard for US private companies as well as publicly listed companies.

Some of the Sarbanes-Oxley provisions apply to public and private companies: matters such as document retention, increased penalties for mail and electronic fraud and liability for retaliation against whistleblowers. Infringing this legislation may result in fines and/or imprisonment."

21 November 2003

Hawala system under scrutiny

BBC NEWS | Business | Hawala system under scrutiny:

Kevin Anderson
BBC News in Washington

The US has intensified its war on terrorism on the financial front, targeting an ancient, informal system of money transfers that officials believe funnelled millions of dollars to Osama Bin Laden's al-Qaeda network.

The system is known as hawala, and it has been used for hundreds of years to move money across distances and around legal and financial barriers in South Asia and the Middle East.

Arab traders used it on the Silk Road to avoid being robbed, and now millions of Pakistanis, Indians and others working abroad use the hawala system to send money home to their families. Billions of dollars flow through this informal and anonymous system, and officials believe that al-Qaeda is using the system to move money to its operatives around the world.

Difficult to trace

Typically, a transaction begins with a visit to a hawala broker. "

Also known as Informal Value Transfer Systems (IVTS), they are in high use on the Internet. Be on the lookout for debit/credit cards being used by multiple individuals, or for stored value cards, which in some cases leave no paper trail.

EU hi-tech crime agency created

BBC NEWS | Technology | EU hi-tech crime agency created

The European Union is setting up an agency to co-ordinate work to combat the rising tide of cybercrime.

The European Network and Information Security Agency will help educate the public about viruses, hacker attacks and other security problems.

It will also act as a co-ordinator for Europe-wide investigations into virus outbreaks or electronic attacks.

ENISA has a budget of 24.3m euros (£17m), will start work in 2004 and will initially be based in Brussels.

Global problem

'Trust and security are crucial components in the information society and by establishing ENISA we continue the work to create the culture of security,' said Erkki Liikanen, European Information Society Commissioner.

The agency is not expected to be Europe's cybercops but instead will help hi-tech crime units in member nations co-ordinate investigations.

"The internet is worldwide and much of this computer crime is taking place outside the EU", said Graham Cluley, Sophos.

It will also collect and distribute information about the best way that businesses can protect their networks and staff from all kinds of computer security threats."

Remarks by Secretary of Homeland Security Tom Ridge at a Customs and Border Protection Press Conference

DHS | Department of Homeland Security | Remarks by Secretary of Homeland Security Tom Ridge at a Customs and Border Protection Press Conference:

For Immediate Release
Office of the Press Secretary
November 20, 2003

SECRETARY RIDGE: Good afternoon, ladies and gentlemen. As many of you note, I just had the opportunity to speak with some of the nation's top leaders representing nearly 550 international trade and transportation communities. And it is in partnership with the men and women of these communities in this industry that since September 11th we've been working to really enhance the security of the supply chain that drives the extraordinary economic engine of this country.

In my remarks, as you I'm sure took copious notes, you noted that I was pleased to announce that we're going to go even further to help meet one of our chief objectives with this group, and that's to strengthen Homeland Security while ensuring the free flow of goods and commerce across our borders and through our seaports and airports by requiring all modes of transportation to provide us advanced information.

The rule will allow our inspectors to collect the advanced manifest and cargo information necessary for us to identify high-risk shipments that may pose a threat.

Commissioner Bonner oversees a national targeting center that is an accumulation of business data, import and export data, about businesses and companies and trade."

Terrorism Inc.

"Terrorism Inc.
Al Qaeda Franchises Brand of Violence to Groups Across World

By Douglas Farah and Peter Finn
Washington Post Staff Writers
Friday, November 21, 2003; Page A33

Leaders of the al Qaeda terrorist network have franchised their organization's brand of synchronized, devastating violence to homegrown terrorist groups across the world, posing a formidable new challenge to counterterrorism forces, according to intelligence analysts and experts in the United States, Europe and the Arab world.

The recent attacks in Turkey, Saudi Arabia, Chechnya and Iraq show that the smaller organizations, most of whose leaders were trained in al Qaeda camps in Afghanistan, have fanned out, imbued with radical ideology and the means to create or revitalize local terrorist groups. They also are expanding the horizons of groups that had focused on regional issues."

20 November 2003

Feds' Cybercrime Crackdown Yields 125 Arrests

Feds' Cybercrime Crackdown Yields 125 Arrests:

Cybercrooks go 'phishing,' but it's law enforcement that nets some big catches.

By George V. Hulme

A crackdown on Internet fraud schemes dubbed Operation Cyber Sweep has netted 125 arrests or convictions and more than 70 indictments, federal law-enforcement officials say.

The operation began Oct. 1 and involved more than 125,000 victims with losses estimated to exceed $100 million. Department of Justice officials said Thursday that more than 90 search-and-seizure warrants were conducted.

Operation Cyber Sweep targeted some of the most common online fraud schemes, including identity theft, international money laundering, theft of business trade secrets, auction fraud, Web-site-spoofing schemes, and cyberextortion. The operation was a coordinated effort among 34 U.S. attorneys, the FBI, the Federal Trade Commission, the Postal Inspection Service, the U.S. Secret Service, and the Bureau of Immigration and Customs Enforcement, as well as other local, state, and foreign law-enforcement authorities."

19 November 2003

Authentix Creates Unequalled Brand Protection Solutions in Pharmaceuticals

Authentix Creates Unequalled Brand Protection Solutions in Pharmaceuticals:

"Authentix Creates Unequalled Brand Protection Solutions in Pharmaceuticals, Fuels, Agrochemicals and Spirits Industries

DALLAS, Nov. 19 /PRNewswire/ -- Isotag Technology Inc. and Biocode Inc. today announced the completion of their merger, to create the leading total solutions provider in brand protection and fiscal recovery worldwide. Under the new name Authentix, the merger brings together comprehensive services and technology for the prevention of product counterfeiting, adulteration and diversion. Authentix, which is already the global leader in fuel authentication, is now positioned to lead the pharmaceuticals, spirits, agrochemicals and government security markets. Isotag's patented molecular marking technology enables in-product and on- packaging authentication, and through its acquisition of Calyx earlier this year, the company also has extensive experience with both overt and covert security inks. The merger expands this portfolio to include the unique abilities of Biocode's patented Marker Pair technology to mark ingestible products such as pharmaceuticals, foods and beverages.

Both companies have extensive experience in managing in-market testing programs for clients to ensure and maintain brand and distribution integrity. The combined resources of Isotag and Biocode provide brand owners and governments with a total authentication service including risk analysis, solutions design, program implementation and remediation."

It's a rare occasion when I post a company's press release. This is a great merger and one that the FDA, the pharmaceutical industry and ICE should be looking at to assist them. You see, these kinds of mergers are going to get us to the core of where the terrorism funding is still coming from. It's a fact that the counterfeiting and piracy of the pharma business is putting money in the hands of crime and terror operators. Companies like Biocode have for years been among the leaders in helping all concerned parties interdict the flood of bogus drugs into the supply chain. Not only are the people who need the right prescriptions being harmed, the health care industry is paying a huge price for a lack of controls on the supply chain.

Utility could have contained blackout, report says

Utility could have contained blackout, report says: "

By H. Josef Hebert
The Associated Press

WASHINGTON - The nation's worst blackout began with three power line failures in Ohio and should have been contained by operators at FirstEnergy Corp., a three-month government investigation concluded today.

The report by a U.S.-Canadian task force said the FirstEnergy operators did not respond properly, allowing the Aug. 14 outage to cascade, eventually cutting off electricity to 50 million people in eight states and Canada.

The task force also cited outdated procedures and shortcomings at a regional grid monitoring center in Indiana that kept officials there from grasping the emerging danger and helping FirstEnergy deal with it.

'This blackout was largely preventable,' Energy Secretary Spencer Abraham said.

The task force said it found 'no computer viruses or any sort of illicit cyber activities' to blame. It also concluded that there was no deliberate damage or tampering with equipment associated with the outage.

Among the faults found at FirstEnergy, however, was a simple failure to keep trees around power lines trimmed."

18 November 2003

Bush pushes for cybercrime treaty

Bush pushes for cybercrime treaty:

Last modified: November 18, 2003, 2:15 PM PST
By Declan McCullagh
Staff Writer, CNET News.com

President George W. Bush has asked the U.S. Senate to ratify the first international cybercrime treaty.

In a letter to the Senate on Monday, Bush called the Council of Europe's controversial treaty 'an effective tool in the global effort to combat computer-related crime' and 'the only multilateral treaty to address the problems of computer-related crime and electronic evidence gathering.'

Even though the United States is a non-voting member of the Council of Europe, it has pressed hard for the cybercrime treaty as a way to establish international criminal standards related to copyright infringement, online fraud, child pornography and network intrusions. The U.S. Department of Justice says the treaty will eliminate 'procedural and jurisdictional obstacles that can delay or endanger international investigations.'

Civil libertarians have objected to the treaty ever since it became public in early 2000, arguing that it would endanger privacy rights and grant too much power to government investigators. So have industry groups such as Americans for Computer Privacy and the Internet Alliance. They raised concerns that the treaty could limit anonymity or impose vague record-keeping requirements on U.S. Internet providers."

Australian IT - Companies not ready for disasters

Australian IT - Companies not ready for disasters:

Kelly Mills
NOVEMBER 18, 2003

Almost two-thirds of Australian companies do not have an organisation-wide business continuity plan and more than a quarter do not know the cost to business of outages.

Despite increased terrorism risks, the SARS epidemic and natural disasters, many organisations throughout the Asia-Pacific still conduct business relatively unprepared for such events.

A KPMG study of 249 Asia-Pacific organisations found that along with poor business continuity management (BCM) processes, less than 40 per cent of organisations had a disaster recovery plan and less than 45 per cent had rudimentary protection in the area of crisis management.

Asia-Pacific organisations were 'groping around in the dark' building business continuity strategies based on general assumptions, rather than planning for more industry-specific threats, KPMG information risk management Asia-Pacific security partner Peter McNally said.

'They've got the right drivers, developing plans to a large extent around IT issues such as software and hardware failures, communications and power outages, but their perceptions are skewed,' Mr McNally said.

For example, 37 per cent of survey respondents believed their level of risk had increased as a result of terrorism, even though only 9 per cent had actually been, directly or indirectly, affected by terrorist activities."

17 November 2003

SEC chairman says more reforms needed

SEC chairman says more reforms needed:

NEW YORK -- The chairman of the Securities and Exchange Commission said Monday his agency wants to see further reforms at the New York Stock Exchange and plans to step up regulation of the mutual funds business and the corporate proxy process.

William Donaldson, speaking to hundreds of members of Financial Executives International at a New York conference, identified those areas as the SEC's primary targets of scrutiny.

Donaldson praised the work done at the NYSE by its interim chairman John Reed, noting the exchange's release of a report two weeks ago spelling out its plans for self-reform. Reed took the helm of the exchange earlier this fall after it was rocked by outrage over former chairman Dick Grasso's lavish pay package.

But Donaldson said the Reed plan - which includes trimming the NYSE's current board of directors, limits its function and creates a new group to set executive pay - is just a start.

'I believe his (Reed's) efforts represent an important first step, but only a first step,' Donaldson said.

15 November 2003

Offense vs. Defense: The Risk Management Clock is Ticking

What side of the risk management game clock do you play on within your organization? A mix of both is a prudent way to hedge the losses, yet the question becomes how much time on the corporate playing field is spent being proactive in managing future risk.

A proactive and preventive risk approach requires a layered and active intelligence program. It requires dedicated resources and personnel spending a majority of their time scanning the horizon for new threats. It means spending more time asking "What if?" This will produce the next new thinking and strategy on what to do next to prevent a potential new loss.

Sitting in the audience this week listening to Ms. Frances Fragos Townsend was especially refreshing on this exact topic. She is the Deputy National Security Advisor for Combating Terrorism, in the National Security Council. The comment that struck me the most was about getting out of consequence management mode into a risk management mode. The point she was making is so valid. Business is not spending enough time thinking ahead and over the horizon anymore. We need to be thinking where the next risk of loss will come from on a more active basis.

How many play minutes did your Board of Directors spend in the last meeting dealing with consequences as opposed to the future? For a look at what your company and our globe are in for in the next two decades, see the Seven Revolutions Initiative. You have a tremendous amount of planning to do if you are going to be able to respond to the change ahead of us.

Survival in the year 2025 as a company in the healthcare industry might require a radical rethinking about where your profits will be coming from and what type of R&D you should be working on now. If you have children or grandchildren under the age of ten, the introduction of genetic medicines and therapies could help many of them live to be 120 years old - maybe older.

Survival in the year 2025 as a company in the financial services industry will require a mindset shift about the business you are really in. The accumulated wealth of the 225 richest individuals in the world is equivalent to the combined annual revenue of 2.7 billion people at the bottom of the global income ladder.

And what about conflict? More than 100 countries are believed to be seeking to develop offensive information warfare capabilities. About a dozen states now either possess or are actively pursuing offensive biological and chemical capabilities for use against their perceived enemies, whether internal or external. Over the next 25 years, it is expected that the lines between lawlessness, crime, disorder, terrorism and war will become increasingly blurred, challenging governments to the limits in terms of managing and containing threats.

How many offensive minutes did you spend with your team last month, last quarter or last year?

Inc.com | The Privacy Time Bomb

Inc.com | The Privacy Time Bomb: "The Privacy Time Bomb

You're sitting on a privacy time bomb. Here's how to defuse it.
From: Inc. Magazine, November 2003 | Page 34 By: Alison Stein Wellner

If you provide health insurance, you're sitting on a potential time bomb. That's because on April 14, 2004, tough new privacy regulations under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, go into effect for small companies. You have six months to get in compliance or risk a hefty fine--or even jail time.

The new privacy laws are designed 'to prevent employers from using information received in connection with an employee benefit plan when making employment-related decisions, such as hiring, promoting, or firing,' says Michele Talka, of the McCart Group, a Duluth, Ga., insurance brokerage. To do so, the law erects a formidable privacy shield around your employees' personal health information. It would be a HIPAA violation, for example, for the person handling insurance claims at a small company to tell the CEO that an employee has cancer, even if it will likely affect the organization's insurance premiums.

How to comply?"

14 November 2003

CEOs Concerned About Threats to Their Corporate Reputation

CEOs Concerned About Threats to Their Corporate Reputation:

AccountingWEB.com - November 14, 2003 - In a new national study of nearly 200 American chief executive officers, 81% expressed concern over threats to their corporate reputations, citing customer service problems, financial irregularity, negative press coverage and employee misconduct as among the issues that have the greatest potential to damage their corporate reputation.

'The clear message today is that CEOs live in a fishbowl,' noted Christopher Komisarjevsky, president and chief executive officer, Burson-Marsteller worldwide. 'A demanding regulatory environment, board members who are deeply engaged and the public's call for unimpeachable leadership have resulted in new pressures on CEOs. With these escalating demands on CEOs, this new wave of research demonstrates CEOs' greater respect for communications professionals and the priority they place on good internal and external communications.'

While an overwhelming majority of the CEOs surveyed (87%) cited 'improved employee morale and recruitment' as the area most positively impacted by a good rating on the corporate reputation scorecards, the majority (54%) admitted that their companies did not closely monitor these annual rankings compared to 46% that said they did."

13 November 2003

IT-Director.com: Operational Risk

IT-Director.com: Operational Risk: "Operational Risk

Thursday 13th November 2003
Technology Channel: Data Management
By Phil Howard
Bloor Research

I was recently a speaker at a conference, organised by IBM, on Basel II. I was there to talk about the issues arising from the huge data volumes required to meet the needs of Basel II.

I do not claim to be any sort of an expert on Basel II and, as far as I am concerned, the data issues arising from Basel II are not so very different from those that arise out of Sarbanes-Oxley, the International Accounting Standards or any of the other new forms of corporate governance that are increasingly required. From my perspective, you need to be able to store and retrieve large additional amounts of data; you may well need to access data from multiple, heterogeneous data sources; and you need to be able to track the data. You may also need some form of reference data management system. That is, a 'golden copy' of the meanings of your data.

However, while all of that may be interesting, the best part of conferences is talking to delegates and it appeared to me, from the conversations I had, that data was not the major issue for most of the banks at this conference, but business processes. More particularly, they did not know how to model their operational risk, which is the key requirement of Basel II."

Any ORM project is going to be similar to any other software engineering project. You have got to do your Business Reference Models first. See Adaptive for some people who really get it.

OSAC - Crime gangs extort money with hacking threat

OSAC - "Crime gangs extort money with hacking threat:

from Financial Times on Wednesday, November 12, 2003

Evidence of a new type of international extortion racket emerged on Tuesday with revelations that blackmailers have been exploiting computer hacking techniques to threaten the ability of companies to conduct business online.

Gangs based in Eastern Europe have been found to have been launching waves of attacks on corporate networks, costing the companies millions of dollars in lost business and exposing them to blackmail.

The most recent cases of affected companies have surfaced in Britain where the National Hi-Tech Crime Unit (NHTCU) is investigating how one betting site was brought down and then received a threat that it would be attacked again unless tens of thousands of pounds were paid. It is co-operating with international law enforcement agencies, with the perpetrators thought to be based in Eastern Europe."

12 November 2003

Experts comb web for terror clues

Experts comb web for terror clues:

Cyber investigators are scouring the world wide web for clues on any future suicide bomb attacks, deploying satellites and other high-tech wizardry to hone in on suspicious Web surfing activity.

Intelligence officials had warned some kind of attack would occur in Saudi Arabia before Sunday's suicide bomb blast in Riyadh after finding evidence on anonymous postings on Arabic Web sites and other forms of Internet chatter. The strike killed at least 18 people and wounded 120 others.

'The Internet is a very useful open source for investigators. But as with any unattributable piece of information, tips must be corroborated and verified, and only then can they be added to the overall intelligence mix,' a British cyber investigator told Reuters.

Intelligence experts say they have evidence extremist groups are using the Web and e-mail for a variety of purposes ranging from recruitment and fund-raising to spreading propaganda and scouting out potential targets."

Cyber intelligence from open sources like the Internet is good for gathering lots of suspects. The investigator still needs to spend countless hours putting the grey matter to work. Only then can you corroborate what your algorithms are pointing you to. The most skilled know where to look and how to gain the information needed to validate and verify.

11 November 2003

Getting Traction with KRIs: Laying the Groundwork

by Charles Taylor and Jonathan Davies

This article summarizes insights on the incidence of operational risk gleaned from Part I of the KRI Framework Study and discusses the direction of future work.

In recent years, a good deal of the focus in operational risk in large banks has been on quantifying risks and losses as precisely as possible. Behind much of this effort has been the Basel II requirement that by 2007 banks should be able to estimate how much capital they need to hold against their operational risks.

More recently, the banking industry has begun to devote attention to improving tools used in hands-on management of risks and, as a part of that effort, more scrutiny has been given to 'indicators' of areas of higher risk and loss"

SEC Rules Limit Who Qualifies As 'Independent'

WSJ.com - SEC Rules Limit Who Qualifies As 'Independent'

WASHINGTON -- After more than a year of negotiations, the Securities and Exchange Commission has approved long-awaited rules to improve the independence of corporate boards at companies that list on the New York Stock Exchange or the Nasdaq Stock Market.

The rules require that listed companies have a majority of independent directors and impose tighter restrictions on who qualifies as 'independent.' But some corporate-governance experts said the rules don't go far enough, in part because they don't give shareholders greater power in nominating directors. (The SEC is considering such a move as part of a separate process.)

Under the approved rules, a director who is declared 'independent' can't be employed at the company or have worked there within a prior three-year period; nor can any of the director's family members. There are also restrictions on how much money directors can receive from the company other than payment for board service, with Nasdaq limiting annual payments to $60,000 and NYSE capping it at $100,000 a year.

The NYSE and Nasdaq proposed the rules in August 2002 and October 2002, respectively, after a series of corporate scandals put pressure on the markets to consider new governance rules. The SEC has been trying to narrow differences between the two proposals for months and worked to get the NYSE and Nasdaq to align their rules more closely.

But Patrick McGurn, senior vice president at Institutional Shareholder Services, a proxy-advisory firm in Rockville, Md., said the SEC agreed to relax some of the standards in the interest of uniformity. The NYSE's original proposal called for imposing a five-year 'look back' period to consider a director's independence, but that has been narrowed to three years to conform with Nasdaq."

London 'is top terrorist target'

London 'is top terrorist target' - BBC NEWS | UK:
Last Updated: Tuesday, 11 November, 2003, 03:41 GMT

London is at greater risk of a terrorist attack by Islamic extremists than any major city in the US or Western Europe, a study has found.

The Control Risks Group said the UK's role in the Iraq war and big Muslim population meant there was a 'serious possibility' of a suicide bomb.

Its 2004 RiskMap report on security in 195 countries raised the risk rating for London from 'low' to 'medium'.

The rest of Britain - not seen as a political target - remained 'low' risk.

'London has become the pre-eminent terrorist target in Western Europe,' said research director Jake Stratton.

Previously the Muslim extremist threat had been 'vague, undefined war against the West', he said.

'But in the last year Britain has reinforced its position in the eyes of the Islamic world as the major ally of the US.'

Mr Stratton said that while the US remained at risk from terrorists, there were several targets across the country which reduced the risk to each individual city."

Bill for remote card fraud climbs to £300,000 a day

Bill for remote card fraud climbs to £300,000 a day:

Mary O'Hara
Tuesday November 11, 2003
The Guardian

Credit card fraud in transactions using the phone, internet and mail order has climbed by a third in two years to more than £100m, according to research.

A study by trade body, the Association of Payment and Clearing Services, found that 'card not present' fraud - where somebody uses the details from another person's card to make a purchase by remote means - has become a problem costing up to £300,000 a day.

It is now the second largest cause of card fraud in the UK. Since 1998 it has increased tenfold to £109m a year, and there are concerns that it will grow further as consumers increase their spending in the run-up to Christmas.

'Fraudsters are constantly looking for new targets and organised criminals are probably behind the large growth in 'card not present' fraud,' the study concluded.

The study also reported a significant rise in fraud caused by identity theft - where a card holder's personal details are stolen and used by fraudsters to apply for credit. This is up from £15.4m to £25m a year, according to the latest figures.

10 November 2003

Risky business to top 2004 IT spending

Risky business to top 2004 IT spending | CNET News.com:

Last modified: November 10, 2003, 1:27 PM PST
By Dawn Kawamoto
Staff Writer, CNET News.com

Security and data disaster recovery rank among the top information technology priorities for 2004--a year in which overall technology spending is expected to remain cautious, according to a Forrester Research report released Monday.

North American IT budgets are expected to increase to $729.2 billion next year, up 1.7 percent from the level anticipated for this year, according to a survey of more than 800 technology decision makers. Forrester itself says budgets could grow as much as 4 percent, as IT spending catches up with the economy.

'More firms are saying they expect their budgets to increase over last year. But I would not say the increase will be dramatic,' said Tom Pohlmann, research director at Forrester. 'We expect much of the growth to occur in the latter half of next year as the economy improves.'

More than half the companies surveyed listed risk management initiatives as their top priority for next year.

Twenty-one percent surveyed listed upgrading disaster recovery systems as the critical theme for 2004, while 20 percent cited security upgrades. Thirty-one percent listed both areas.

Drill tests rescuers’ response to tragedy
Civilians learn disaster relief

As incident commander at a disaster drill yesterday, Meg Barnhizer’s first mistake was to go inside the house that supposedly had been hit by a tornado.

One of 10 "victims" in the dust-choked house grabbed her ankle, shouting, "Don’t leave me!" When Mrs. Barnhizer got back outside, another drill participant had assumed command and, unbeknownst to each other, the two began issuing conflicting orders.

Even so, the 17 volunteers in the community emergency response team exercise at Owens Community College’s Fire Science and Law Enforcement Center managed to evacuate and stabilize eight "survivors" before help arrived.

"That would be a real-life situation that we might have to deal with," Mrs. Barnhizer said afterward, calling her CERT training extremely valuable.

But for it to have real benefit in a true emergency, others from Mrs. Barnhizer’s Sylvania neighborhood will have to take the class. One person alone, even with special training, could do little when faced with large-scale destruction.

"As more people take the CERT class, the idea would be to organize it like Block Watches," said Philomena Caratelli, a course student from Toledo.

Teaching civilians how to respond to a neighborhood disaster - be it a twister, flood, ice storm, or some other natural or man-made calamity - is the idea behind CERT, whose participants learn "light" search and rescue and firefighting skills, basic injury evaluation, and other response techniques geared toward bridging the gap between a disaster’s occurrence and rescue workers’ arrival.

Whether you organize your neighborhood or your company in the high-rise building you work in, the goal is the same. People need training to handle both the physical and psychological demands of incident response, especially those with designated commanders. We are amazed at the number of Mid-Atlantic businesses that were still caught unprepared by Hurricane Isabel. In the next few years we can expect tornadoes and hurricanes to disrupt our businesses just as the last ones did. Yet why haven't we trained and prepared? Of even more concern in the next year are the continued threats of loss from attacks by organized terrorists such as al Qaeda. One can only imagine events more sinister and devastating that will require our John Q. Citizens to help our First Responders more than ever. This time, let's be more prepared and show our ability to plan, train and recover from any threat from Mother Nature or OBL.

08 November 2003

New Terror Warnings Raised in Mideast, Southeast Asia, US

VOANews.com: "New Terror Warnings Raised in Mideast, Southeast Asia, US

VOA News
08 Nov 2003, 15:54 UTC

The United States has temporarily closed its embassy and diplomatic missions in Saudi Arabia amid new terrorist threats in the Middle East and a warning that al-Qaida terrorists may attempt to blow up nuclear power plants in the United States.

A U.S. statement issued in Riyadh said 'the embassy continues to receive credible information that terrorists in Saudi Arabia have moved from the planning to the operational phase of planned attacks.'

The warning of a threat to U.S. nuclear power plants came from the Department of Homeland Security, which warned that al-Qaida terrorists might try to hijack cargo flights in Canada, Mexico and the Caribbean and crash them into U.S. nuclear plants and other strategic targets. It said the warning was based on a single source, but U.S. officials said they believe the threat is credible enough to justify a new security advisory."

BCP's Balancing Act

Wall Street & Technology > BCP's Balancing Act > Oct 27, 2003:

"Cover Story

It seems some IT projects are so critical they should be exempt from the return-on-investment analysis that is at the core of a financial institution's budgeting process. If such a list of projects existed, somewhere near the top would have to be business-continuity planning - the complex and costly process of ensuring that no matter an event's impact on a firm, it can resume critical operations within a reasonable period of time.

But in today's economic climate and with the overspending of the dot-com era still fresh in the minds of financial executives, there are no wish lists. BCP budgets are fully vetted and often scaled down in boardrooms across Wall Street. Thus, 'How much BCP is enough?' is best countered with the question, 'How much do you have to spend?'

Morgan's two trading floors, at 745 7th Ave. and at the former Texaco headquarters in Westchester, along with its backup facilities in Jersey City and Brooklyn, fall within the range necessary to do synchronous data transfer. That means a transaction at a primary data center is replicated, or mirrored, at another location before a subsequent transaction is processed at the primary center.

Though it seems no two executives in the financial-services industry will give the same answer when asked for the distance limitations on synchronous data transfer (figures range between 30 and 100 miles), most answers average out to around 60 miles.

For some BCP planners, however, that range just isn't far enough. In fact, the first draft of an interagency white paper - originally released in September 2002 by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Securities and Exchange Commission - suggested a 200-300 mile separation between data centers."

How can BCP planners explain to the boss that both facilities are under back-up power due to a failure in the power grid for the whole region? The risk of losing thousands of transactions because you are backing up data in asynch mode vs. synch mode is only part of the equation here. You have to take more than this into consideration in the holistic view of your Business Continuity Management (BCM).

As this article indicates, EMC, IBM and Hitachi are all working on this technology problem to eliminate the risk of using asynch mode to keep your people and operations several hundred miles apart. Nasdaq thinks that they can't wait and that the upside of having one facility in New York and one in Maryland is well worth the risk of losing a very small percentage of overall transactions.
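The trade-off the article and the comment above describe (synchronous mirroring bounds the data loss at zero but is bounded by distance; asynchronous mirroring removes the distance limit but leaves a backlog that is lost if the primary fails) is easier to reason about with numbers. The following is an added illustration, not code from the article or any vendor: it computes the speed-of-light floor on the commit round trip for a given site separation, and runs a small constructed simulation of a primary that commits transactions in either mode and then fails. The fiber refractive index, the arrival rate and the replication link capacity are assumptions chosen to make the backlog visible.

```python
"""Synchronous vs asynchronous mirroring: distance cost and loss on failover.

Added example (assumptions: 1.47 fiber refractive index, constructed
arrival rate and link capacity; no real vendor's replication protocol).
"""
from dataclasses import dataclass, field

SPEED_OF_LIGHT_KM_S = 299_792.0
FIBER_REFRACTIVE_INDEX = 1.47   # assumed value for single-mode fiber
MILES_TO_KM = 1.609344


def round_trip_latency_ms(distance_miles: float, path_overhead: float = 1.0) -> float:
    """Lower bound on the round trip a synchronous commit must wait for.

    path_overhead > 1.0 models fiber routes that are longer than the
    straight-line distance between the two data centers.
    """
    km = distance_miles * MILES_TO_KM * path_overhead
    one_way_s = km * FIBER_REFRACTIVE_INDEX / SPEED_OF_LIGHT_KM_S
    return 2.0 * one_way_s * 1000.0


def max_serial_commits_per_s(distance_miles: float) -> float:
    """Commits per second for one stream that waits a full round trip each time."""
    return 1000.0 / round_trip_latency_ms(distance_miles)


@dataclass
class Site:
    committed: list = field(default_factory=list)


@dataclass
class Primary:
    mode: str                    # "sync" or "async"
    replica: Site
    link_capacity: int           # transactions the link can ship per tick
    committed: list = field(default_factory=list)
    pending: list = field(default_factory=list)   # async only: acknowledged, not yet mirrored

    def commit(self, txn: int) -> None:
        if self.mode == "sync":
            # Mirror first; the primary acknowledges only once the remote copy exists.
            self.replica.committed.append(txn)
            self.committed.append(txn)
        elif self.mode == "async":
            # Acknowledge immediately; the copy is shipped later by tick().
            self.committed.append(txn)
            self.pending.append(txn)
        else:
            raise ValueError(f"unknown mode {self.mode!r}")

    def tick(self) -> None:
        """Ship as much of the backlog as the link allows in one tick."""
        shipped, self.pending = self.pending[: self.link_capacity], self.pending[self.link_capacity:]
        self.replica.committed.extend(shipped)


def simulate(mode: str, arrivals_per_tick: int, ticks: int, link_capacity: int) -> dict:
    """Run the primary for `ticks` ticks, then fail it and count what the replica lacks."""
    replica = Site()
    primary = Primary(mode=mode, replica=replica, link_capacity=link_capacity)
    txn = 0
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            primary.commit(txn)
            txn += 1
        primary.tick()
    # Primary fails here: anything acknowledged to clients but not on the replica is lost.
    lost = len(primary.committed) - len(replica.committed)
    return {
        "mode": mode,
        "acknowledged_at_primary": len(primary.committed),
        "present_at_replica": len(replica.committed),
        "lost_on_failover": lost,
    }


if __name__ == "__main__":
    for miles in (30, 60, 100, 250):
        print(f"{miles:4d} mi: RTT floor {round_trip_latency_ms(miles):.2f} ms, "
              f"max {max_serial_commits_per_s(miles):.0f} serial commits/s")
    # Constructed load: 100 transactions per tick, link ships only 80 per tick.
    print(simulate("sync", 100, 10, 80))
    print(simulate("async", 100, 10, 80))
```

The point the simulation makes is the one the comment raises: in async mode the loss is not a fixed "small percentage" but the backlog at the moment of failure, which grows whenever the transaction rate exceeds what the link can ship, so the acceptable loss has to be stated as a recovery point objective and the link sized and monitored against it.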

07 November 2003

The Check's in the Mail

Bank Systems & Technology > The Check's in the Mail > November 4, 2003:

Ivy Schmerken

Concerns over compliance with e-mail-retention rules dominated a recent discussion moderated by Wall Street & Technology at InformationWeek's annual technology conference in Tucson, Ariz.

One of the major challenges facing the securities industry is not only storage of all electronic records -- including e-mails and instant messages -- but being able to access the material in the event of an investigation. 'Retention without accessibility is not retention,' warns Jay Cohen, vice president and chief corporate compliance officer of The MONY Group, a diversified financial services firm that owns Advest, a retail-brokerage firm.

Another lesson learned by financial services firms is that backup is not retention. Cohen, a former prosecutor, cited a recent case involving the research investigation of five major securities firms fined by the National Association of Securities Dealers $1.65 million apiece. Although the firms had stored e-mails on backup tapes for several years, they were fined because they were unable to retrieve the e-mails according to the rule's requirements.

In the course of regulatory review or litigation, firms must be able to 'access what the regulators are looking for,' and companies that don't have that ability will be in a difficult situation, Cohen says.

06 November 2003

PC security audits for businesses? | CNET News.com

PC security audits for businesses? | CNET News.com: "PC security audits for businesses?

Last modified: November 6, 2003, 12:28 PM PST
By Declan McCullagh
Staff Writer, CNET News.com

Publicly traded U.S. corporations would have to certify that they have conducted an annual computer security audit, according to a draft of long-awaited legislation the U.S. House of Representatives is preparing.

The audit must be conducted by an independent party and assess 'the risk and magnitude of the harm that could result from the unauthorized access,' alteration or destruction of company computers, says the draft, prepared by Rep. Adam Putnam, R-Fla. Putnam is chairman of a House technology subcommittee.

'Given the magnitude of the threat and the depth of the vulnerabilities that exist today, it is imperative that we address this matter aggressively and collaboratively in order to enhance the protection of the nation's information networks on behalf of the American people and the U.S. economy,' Putnam said in a statement this week. He warned that the Federal Information Security Management Act established detailed security regulations for agencies to follow, but private companies have no such obligations."

Naval Facility Closes After Possible Anthrax Detected (washingtonpost.com)

Naval Facility Closes After Possible Anthrax Detected (washingtonpost.com): "Naval Facility Closes After Possible Anthrax Detected

Thomas E. Ricks
Washington Post Staff Writer
Thursday, November 6, 2003; 8:25 PM

The Anacostia Naval Air Station closed a mail-handling facility late Thursday afternoon after preliminary tests indicated that anthrax spores were detected by an automated biological sensor, a Navy spokesman said.

A separate facility where U.S. government mail is sorted in the 3000 block of V Street NE also was closed as a precaution, a spokeswoman for the U.S. Postal Service said.

The mail facility at the air station was closed immediately after the detection by the sensor, said the Navy spokesman, Cmdr. Conrad Chun. An initial test for anthrax done at the facility was positive, but a 'definitive finding' will not be available for several days, Chun said.

Chun said there was no indication that workers at the small Naval air station were infected with anthrax, adding that no ciprofloxacin or other antibiotics had been dispensed. 'Nobody infected, nobody hospitalized,' he said, emphasizing that the test results were still preliminary. 'We're not even sure there is anthrax.'

New precautions against anthrax and other deadly agents were put in place after deadly anthrax-laced mailings killed five people and sickened 17 others two years ago."

05 November 2003

Microsoft offers cash rewards for catching virus writers

Silicon Valley:

"WASHINGTON (AP) - Applying Wild West bounties to modern Internet crimes, Microsoft Corp. set aside $5 million Wednesday to pay large cash rewards to people who help authorities capture and prosecute the creators of damaging computer viruses.

Flanked by federal and international law enforcers, Microsoft executives promised to pay the first rewards of $250,000 each to anyone who helps authorities find and convict the authors of the original 'Blaster' and 'Sobig' Internet infections unleashed this year.

The world's largest and wealthiest software company also pledged to continue making its popular Windows operating system software, the most common target of hackers, more resistant to such threats.

'We do believe this will make a difference,' said Microsoft's general counsel, Brad Smith. 'We can't afford to have these criminals hide behind their computer screens.'

The Blaster and Sobig programs spread rapidly among hundreds of thousands of computers running Windows, exposing weaknesses in the Microsoft software the company had billed as its most secure ever.

The FBI, Interpol and the U.S. Secret Service said the $5 million pledge was an unprecedented figure for a corporation to set aside for payments in future criminal investigations.

Microsoft urged anyone with information about the two computer infections to contact local offices of the FBI, Secret Service or Interpol, or send tips using the Web sites for Interpol or the FBI's Internet Fraud and Complaint Center."

The State of Information Security - CSO Magazine - October 2003

The State of Information Security - CSO Magazine - October 2003: "

A worldwide study conducted by PricewaterhouseCoopers and CIO magazine


THE BEST PLACE to start is with what 'The State of Information Security 2003' survey doesn't include. It doesn't include some stark bit of data that will make you slap your forehead and exclaim, 'Oh, that's the problem!' It doesn't include figures that suggest a secret formula for setting a security budget. Nowhere in its hundreds of pages of raw numbers will you find The Answer, because The Answer is a fiction, even if the problem is not. Information security is a difficult, nuanced and immature craft. Silver bullets are for people who aren't serious about solving the problem.

What this survey does include, in its depth (more than 7,500 respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories) is a comprehensive profile of the imperfect and evolving world of information security.

According to the survey findings, it seems you're all just now coming to terms with information security as a problem. You understand that fixing the problem won't be easy--that it will take a complex combination of infrastructure, education, proactive risk analysis and regulation."

04 November 2003

SEC Approves NYSE, Nasdaq Corporate Governance Rules

Bloomberg.com: U.S.: "SEC Approves NYSE, Nasdaq Corporate Governance Rules (Update4)

Nov. 4 (Bloomberg) -- The U.S. Securities and Exchange Commission approved stricter corporate governance standards for more than 6,000 companies that list their stock on the Nasdaq Stock Market and the New York Stock Exchange.

The new rules require that the boards of listed companies have a majority of independent directors and comply with a more detailed definition of independence, an SEC press release said. The standards also put independent directors in charge of corporate governance, audits, director nominations and compensation, the SEC said.

'These rule changes are at the core of a broad movement by our markets to enhance the corporate governance practices of the companies traded on them,' SEC Chairman William Donaldson said. 'Investors will recognize significant benefits from these actions today and long into the future.'

The listing rules come as the NYSE, the world's largest stock exchange, wrestles with questions about the independence of its own board after the disclosure of former Chairman Richard Grasso's $140 million compensation package. The NYSE and Nasdaq originally proposed the listing standards more than a year ago to restore investor confidence after accounting scandals at Enron Corp. and other companies."

Identity Theft Crackdown Promoted

Identity Theft Crackdown Promoted:

Legislation would force companies to tell customers when they're at risk.

Rita Chang, Medill News Service
Tuesday, November 04, 2003

WASHINGTON -- As identity theft becomes the fastest-growing crime in the United States, some companies endorse legislation requiring them to disclose theft of personal data, while privacy advocates urge lawmakers to go even further to protect consumers.

At a Tuesday hearing called by the bill's author, Sen. Dianne Feinstein (D-California), witnesses applauded S. 1350 as a much-needed first step in guarding against increasing security breaches on databases.

Bill's Specs
'There are few consumer issues more worthy of the attention than this topic,' said David McIntyre, president of TriWest Healthcare Alliance, at the hearing. His company's computer hard drives, containing data for a half million customers, were stolen last December.

Under the bill, companies must notify customers whenever their personal data--such as Social Security, driver's license, credit, or debit card numbers--are compromised through computer hacking or other unauthorized access.
Companies that fail to comply would be fined up to $5000 per violation or up to $25,000 each day.

CERT - Corporate Emergency Response Team

by Peter L. Higgins
Managing Director
1SecureAudit LLC

What have you done lately to help deter, defend or defeat acts of crime or terrorism in your business, building, office park or community? It's about time the leaders in our respective organizations stood up and volunteered their time, resources or in kind contributions to do so.

The CERT has been around for some time and it is now making its way to your own "ground zero". Now our US first responders are finally getting the funds they need to make the leadership and citizen soldiers of our corporate organizations more prepared. The awareness and education wave is now ready for prime time in a conference room near you. The funds may be here, but a lack of manpower is still our greatest risk.

Incident Management is about taking command in crisis situations, whether they be the loss of a key employee or the integrity of a mission-critical database. The leaders of the next decade will stand out as true patriots in the fight against corruption, fraud, espionage and theft, not in a foreign land, but just around the corner. While we need to be prepared for the likely events we know will happen, it is the training for the ever more likely events that will deter the force that is creating ongoing acts of "corporate terrorism".

If you haven't done so already, think about the leaders in your company, the company next door to yours, on the floors above and below you. Band together. Only then will we have the momentum we require to deter, defend and defeat the enemy on a continuous basis.

ID theft center planned

ID theft center planned: "Washington -- Victims of identity theft who do business with the nation's 100 biggest financial institutions will have a one-stop center to help alert their creditors to the crime, under a program Wells Fargo & Co. announced Tuesday.

Wells Fargo's announcement of the Identity Theft Assistance Center came as the Senate prepared to open debate on new legislation that would gut part of California's new financial privacy law.

The measure proposes to override the state's law blocking financial institutions from sharing customers' information with affiliated companies without the customers' permission.

Consumer groups and California's two senators, Democrats Barbara Boxer and Dianne Feinstein, say that such data sharing feeds the growing crime of ID theft, a charge the financial industry contests.

The proposed renewal of the fair credit reporting law before Congress would extend the existing federal pre-emption against California's financial privacy safeguards. Proponents of the federal legislation say it will help make consumer loans more available and includes several provisions to strengthen federal ID theft laws.

'The Identity Theft Assistance Center will offer a single point of contact for victims of identity theft and transfer information to law enforcement,' said Timothy Muris, chairman of the Federal Trade Commission."

03 November 2003

New corporate code comes into force - UK

New corporate code comes into force - UK: "New rules to reform the way UK businesses are run came into force over the weekend, with the aim of preventing corruption and other corporate scandals.

The new corporate code, drawn up by former investment banker Derek Higgs, has finally become law after months of consultation between business groups and the Financial Reporting Council (FRC), which decides whether to implement proposed accounting rules.

The measures, which are designed to stop any Enron-style corporate scandals and boost shareholder confidence, include:

* A chief executive is now not allowed to go on and become a chairman of the same firm.

* Company audits are to be toughened up to ensure that businesses’ accounts are in order.

* A higher proportion of company boards should consist of non-executive directors (NEDs).

* Appointment of directors should be done in a more transparent and scrutinised manner and from a wider range of candidates.

Although the new regulations will be more strictly applied to larger firms, small businesses will have to comply with the rules or explain to authorities the reasons why they have not done so.

The FRC said that companies that do not follow the code will risk their reputation with other businesses, shareholders and customers."

Information Security: Room for Improvement

Bank Systems & Technology > Information Security: Room for Improvement: "

Ivan Schneider
November 3, 2003

A recent Ernst & Young survey of 56 financial institutions in the U.S. and Canada reveals that there's room for improvement in information security practices at financial institutions, particularly in the frequency and quality of communications about incidents, security policies and business unit requirements. The survey sample included 17 commercial or consumer banks, 22 insurance companies, 13 investment banks and four other financial firms.

The top five reported problems: viruses/worms, employee misconduct, denial-of-service attacks, loss of customer data and amateur hackers. From these threats, security has attained a higher profile within the industry. 'There has clearly been an elevation of information security to a senior leadership position within the organization, as well as to the board level,' says William Barrett, partner at Ernst & Young LLP (New York).

But the topic may not make the agenda often enough. 'It's still a little surprising that 43 percent do [board-level security reports] annually or longer,' says Barrett. 'Where you have identified gaps in information security or vulnerabilities...you would want to have a quarterly update to the board of directors around how you're closing those gaps.'"