30 December 2003

Virginia's Institute for Defense and Homeland Security -- November - December 2003 Newsletter

Virginia's Institute for Defense and Homeland Security -- November - December 2003 Newsletter:

Guest Column

Offense vs. Defense: The Risk Management Clock is Ticking

By Peter L. Higgins, 1SecureAudit

What side of the risk field do you play on in your organization? A mix of both offense and defense is a prudent way to hedge any potential losses. Unfortunately, many don't spend nearly enough time being proactive and managing future risk.

Proactive and preventive risk management requires a layered and active intelligence program. It assumes that dedicated resources and personnel are spending a majority of their time scanning the horizon for new threats. It means devoting more time to asking, 'What if'? This kind of investment will produce the new thinking and strategy that can prevent a potential new loss.

At a recent conference, Ms. Frances Fragos-Townsend, Deputy National Security Advisor for Combating Terrorism in the National Security Council, addressed this exact topic of proactive risk management. She urged businesses to get out of consequence-management mode and into the risk-management mode. She was right on target. Businesses don't spend enough time thinking ahead and looking toward the horizon. We need to be actively thinking about where the next risk of loss will come from and prepare for it.

How many play minutes did your board of directors spend in the last meeting on dealing with consequences (defense) as opposed to managing the risks of the future (offense)? For a look at what risks your company and our planet will face in the next two decades, take a look at the Seven Revolutions Initiative, which attempts to describe what the world will look like in 2025. The goal of this project is to promote strategic, forward-looking thinking among current and future leaders about how the world will change over the next 25 years and what that change will mean for international leadership. One visit to the Seven Revolutions website will convince you that we all have a tremendous amount of planning to do if we are going to be able to respond to the risk and change ahead of us.

25 December 2003

2004 Insights and Perspectives

By Peter L. Higgins

One only has to look into the mirror of 2003 to see where our world is headed. The globe is preparing itself for the next major breakpoint in its history of commerce and business. Our organizations are in anarchy and the consumers of our products and services are shifting before our eyes.

You only have to look back on the past year's major headlines in the New York Times to gain some perspective on where we are headed in the next 12 months. Social consciousness is seeping into the workplace and management is keenly aware of the change factors on the corporate doorstep for 2004.

Several new waves of change are upon us. As providers of products and services to the consumers of the planet, whether businesses or individuals, the writing is on the walls of the corporate boardroom. Survive.

The tides of change are upon us. Look no further than the Seven Revolutions Initiative. See 7 Revs. The social, technological and demographic facets are enough to make anyone wonder where we are all headed in the next 20 years. The financial and healthcare industries are putting the building blocks in place to sustain a dramatic shift in who their customers are today and whom they will be tomorrow.

To survive in 2004 and beyond, the corporate gray matter will have to respond to the changing consumer. See LOHAS 8 to gain more insight on how the thought leaders of corporations large and small are changing to address the demands of a $227 BILLION, values-based consumer market. These are consumers who value health, the environment, social justice, personal development and sustainable living.

2004 will be another year of corporate malfeasance seeded with wondrous accounts of incivility. Spawned by the empowered employee turned whistle blower and a new generation of crime fighters, Eliot Ness has now transformed into a man named Eliot Spitzer. Ness was every bit as honest, diligent, and hard working as his modern counterpart, but also flawed in terribly human ways. Whether cleaning up the illegal and social misdeeds of Ness's 1920s and 1930s or Spitzer's 2000s, the job requires an understanding of the core motivations of the being we call human.

The generations of young workers and consumers on this planet will pay for something they can believe in, rather than something that is less than socially and morally bankrupt. They will work all day in the global banking software development department and work late into the night developing the next Bugbear or Nimda code to impress their peers developing malicious code on the Internet. They will design the new marketing campaign for the next gas guzzling SUV by day and ride home that same evening in their brand new foreign hybrid using electric power.

2004 will be a year of heightened sensitivity to security and terrorism. Our processes and systems will be adjusted and tweaked to accommodate the new threats. The Board Room Buzz will be more about how to protect those vital corporate assets and how to survive the next crisis. What will be most interesting is how the governments of the world cooperate to become more of a global partner on this front. We sense already a growing cooperation among world leaders to deter and defend our citizens from the spread of fear and uncertainty.

Finally, 2004 will be the year we find greater appreciation for things like:

The evening glimmer of sunlight on clean water. The wave from the neighbor who lives next door. Our faith in what or whomever we believe in. Those who serve, so we can remain free of threats or illness to our loved ones and our own well-being. The signs that our bodies are healthy. The hope that exists in all of us for finding peace of mind. In 2004, look with fresh eyes on everyday things.

24 December 2003

This holiday, look with fresh eyes on everyday things

Wishing you a wonderful 2004!

The 1SecureAudit Leadership Team

Peter Higgins
Managing Director

David Bailey
Senior Partner

IC3 - Internet Crime Complaint Center

IC3 - Internet Crime Complaint Center:

The Internet Fraud Complaint Center (IFCC) was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to serve as a means to receive Internet related criminal complaints, research, develop and refer the criminal complaints to law enforcement agencies for any investigation they deem to be appropriate. The IFCC was intended, and continues to emphasize serving the broader law enforcement community, to include federal, as well as state and local agencies, which are combating Internet crime and in many cases participating in Cyber Crime Task Forces.

Since its inception, the IFCC has received complaints crossing the spectrum of cyber crime matters, to include on-line fraud in its many forms, Intellectual Property Rights (IPR) matters, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), On-line Extortion, International Money Laundering, Identity Theft and a growing list of Internet facilitated crimes. Over the past three years it has become increasingly evident that, regardless of the label placed on a cyber crime matter, the potential for it to overlap with another referred matter is substantial.

The IFCC is therefore being renamed the Internet Crime Complaint Center (IC3), to better reflect the broad character of such matters having a cyber (Internet) nexus referred to the IC3, and to minimize the need for one to distinguish 'Internet Fraud' from other potentially overlapping cyber crimes.

Europe steps up security during Christmas festivities

Europe steps up security during Christmas festivities.:

Security across Europe has been heightened amid fears of possible attacks over Christmas and New Year, prompting France to put its fighter planes on alert and Britain to deploy thousands of police on the streets of London.

The general nervousness was reinforced by public warnings from the United States over the past few days of an 'elevated' general level of risk of attack domestically, and a 'specific' threat in the Gulf kingdom of Bahrain.

Although European officials made no mention of any specific danger to their countries, they stressed that a higher level of vigilance was needed because of the symbolic target that Christmas festivities presented.

'It is a sensitive time of year,' French Defence Minister Michele Alliot-Marie told Europe 1 radio.

She explained that her country's security forces had been on 'orange' alert, the third-highest level, since the beginning of December, meaning stepped-up patrols of airports, train stations and shops as well as churches, synagogues and mosques.

'We have also done so in regards to protecting our air space, with our fighter planes on permanent alert,' she said.

In Britain, the head of London's Metropolitan Police force, John Stevens, told BBC radio there had been a 'quantum leap' in terrorist activity and threats since the September 11 attacks in the United States in 2001.

Rigid IT compounds business risk

Rigid IT compounds business risk:

By Robert Jaques

Rigid IT infrastructures compound business risk and the problem is set to get worse as the pace of change in commerce increases, industry experts have warned.

Link: End of an era for the IT industry

According to GartnerG2, the analyst's research service, enterprises can improve returns and reduce risk by integrating previously autonomous business processes to create a new scope of management capabilities.

This process, which GartnerG2 dubs business process fusion, can dramatically increase IT infrastructure flexibility.

The analyst said that business process fusion will drive stronger alignment of IT with core business processes, and provide linkage of operational and management processes.

23 December 2003

And to All, a Good Night...

And to All, a Good Night:

The coming years promise an increase in security planning to support strategic business planning. Will it be a CSO's dream come true or one big nightmare?

WHAT'S KEEPING YOU awake at night these days? Sharing such security concerns with one another is nothing new. And we mostly do it for good reasons: It's one part learning, one part giving back, and one part enlightened self-interest. The idea is that your problems today will likely be my problems tomorrow, especially if we're in the same business sector.

So I think I keep a fairly good handle on what is in front of us as CSOs, but I'm always struck by the insights of my fellow security colleagues when I ask them about their concerns. I hear a lot about balance—or, more specifically, imbalance. I hear about more risk, less resources. More to do, less to do it with. More regulations, higher expectations.... Well, you get the picture.

"The risk landscape is hugely visible, perhaps the highest it has been in my 25 years in the business," says one security exec. Terrorism now dominates the public mind-set and creates the mistaken impression that it is a much greater threat than anything else. We need to strike the right balance between our biggest worries—people and process integrity, workplace violence, fraud, product tampering, counterfeiting—and terrorism.

Official: Numerous people on terror lists blocked from U.S.

CNN.com - Official: Numerous people on terror lists blocked from U.S. - Dec. 23, 2003:

New warnings for possible al Qaeda attacks abroad

WASHINGTON (CNN) -- Numerous people named on America's terrorist watch lists have been prevented from entering the United States since December 1, after 'credible' intelligence pointed to possible major terrorist attacks, a government official said Tuesday.

The official, who would not provide specifics, said the people were turned back at various locations. Another government official said a handful of flight crew members from other countries also have been stopped in recent days.

The United States has been working with airlines and governments of other countries in an attempt to improve their security, especially after Sunday's move by the Department of Homeland Security to raise the nation's terror threat level from 'elevated' (yellow) to 'high' (orange).

In addition, a senior State Department official said Tuesday the U.S. government has received intelligence that al Qaeda is planning attacks against U.S. interests in Saudi Arabia, Bahrain, Yemen and Kenya. The official said the intelligence spells out 'a general threat of attack' against U.S. interests in those countries, but does not mention a specific target.

Efforts to beat money laundering 'flawed'

Telegraph | Money | Efforts to beat money laundering 'flawed':

By Andrew Cave

Government measures aimed at tackling money laundering suffer from 'serious design problems', according to a report from the European Policy Forum.

The report, Policing of Financial Transactions, by the forum's president, Graham Mather, assesses the impact of the 'dragnet technique' used by regulators since the September 11 attacks brought new urgency to the issue of how terrorism is funded.

Citing a backlog of 58,000 suspicious activity reports in Britain in May, he says there can be 'little confidence' that the system could cope with the 100,000 such reports expected this year or the 150,000 expected in 2004.

He adds: 'The evidence gives grounds for serious concern that current anti money laundering initiatives are not working as well as could be hoped.'

22 December 2003

Quake With 6.5 Magnitude Strikes California Coast

Quake With 6.5 Magnitude Strikes California Coast (Update4):

Dec. 22 (Bloomberg) -- A 6.5-magnitude earthquake struck the central California coast, causing three deaths, injuries and fires near the epicenter in San Simeon, home of Hearst Castle. The temblor swayed buildings as far away as San Francisco and Los Angeles.

The quake at 11:15 a.m. California time was centered about six miles from San Simeon and about 250 miles northwest of Los Angeles, the U.S. Geological Survey said on its Web site. Stronger aftershocks may be felt, Ross Stein, a physicist for the agency, said at a news conference.

``We just have a typical magnitude 6.5 earthquake, which has fortunately occurred far from populated areas,'' Stein said.

Three people were killed when a clock tower collapsed in Paso Robles, 30 miles east of San Simeon, said Greg Renick, a spokesman for the state Office of Emergency Services. A building collapse in Paso Robles, which has a population of 26,000, left some people trapped, said Sergeant Bob Adams of the Paso Robles Police Department. A hospital was damaged and two people were injured at a winery around San Luis Obispo, 42 miles from San Simeon, CNBC reported.

``It felt like a wave -- it was kind of like a rolling feeling,'' said Shannan Hudnall, 20, a front-desk clerk at the Pismo Lighthouse Suites in Pismo Beach, California, a resort town in San Luis Obispo County. ``Everything wiggled around and just rattled.''

Airports, Roads, Businesses

The quake lasted about 30 seconds. Larger airports reported no delays, and authorities said major roads and bridges were fine. Intel Corp., Cisco Systems Inc., Royal Dutch Petroleum Co. and other companies with operations in the state reported no damage.

By the Numbers

By the Numbers:

ID fraud should be a top-five business priority for line-of-business decision-makers at retail institutions. Growth rates are indeed troublesome.

John Adams

THE FINANCIAL INDUSTRY IS EMERGING from a period of considerable media attention on identity fraud in the U.S. Part of the hoopla was fueled by a lack of realistic data and objective analysis of the number of identity fraud incidents and the dollar losses incurred. While Financial Insights believes ID fraud is not as large a problem as recent reports from government agencies have indicated, the problem warrants significant attention and should be a top-five business priority. Institutions must get started sooner rather than later, as growth rates are very troublesome.

Institutions will absorb most losses.

Financial Insights’ projection for direct fraud loss resulting from ID theft and ID fraud in the retail finance industry in 2003 is about $4.2 billion, doubling to about $9 billion in 2006. The good news for consumers, at least, is that they will be on the hook for only about $200 million of this year’s losses.

21 December 2003

US National Threat Level Raised to Code Orange

DHS | Department of Homeland Security | DHS Home Page:

Statement By U.S. Department of Homeland Security Secretary Tom Ridge

December 21 - Today, The United States Government raised the national threat level from an Elevated to High risk of terrorist attack - or from Code Yellow to Code Orange. We know from experience that the increased security that is implemented when we raise the threat level, along with increased vigilance, can help disrupt or deter terrorist attacks.

The U.S. Intelligence Community has received a substantial increase in the volume of threat related intelligence reports. These credible sources suggest the possibility of attacks against the homeland around the holiday season and beyond.

In addition to knowing that homeland security professionals at all levels are working to keep our communities safe, we ask individual Americans to do a few additional things during this time of heightened alert. I have said it before - and I am saying it again - homeland security begins at home. Never has that been more true. Your awareness and vigilance can help tremendously, so please use your common sense and report suspicious packages, vehicles, or activities to local law enforcement.

Finally - no matter your faith or culture - now is the time of year for important celebrations. So, I encourage you to continue with your holiday plans. Gather with your family and friends and enjoy the spirit of this season. There is no doubt that we have a lot to be thankful for - not the least of which the opportunity to live in the greatest country in the world. It is a country that will not be bent by terror. It is a country that will not be broken by fear. But instead, we are a country blessed with a population marked by goodwill and great resolve. We will show the terrorists both this holiday season - goodwill toward our fellow men, readiness and resolve to protect our families and our freedom.

20 December 2003

Real-Life Experiences with Business Continuity

Real-Life Experiences with Business Continuity:

By Rich Schiesser

When a disaster occurs, it often reveals the true measure of an organization's preparedness. An unplanned business interruption occurred recently in the company where Rich Schiesser works. This article presents some of the valuable lessons the company learned from this event.

During the past several years, a moderately-sized residential mortgage company in Southern California had been growing steadily into a major player among financial lending institutions. A sizable investment in IT systems helped fuel this growth, and raised the awareness of the importance of assembling a highly proficient IT business-recovery team. The composition of this team was an interesting mixture of IT technical specialists, business analysts, and professional contingency planners. Their charter was to develop and test business and technical recovery plans to enable critical business functions to be restored to full operation in minimal time following a disaster.

One of the most critical of these business functions was the company's asset-management unit. The IT business-continuity team had already developed the business and technical recovery plans for this area, and had conducted a tabletop simulation with business users to validate their plans. The next step was to schedule a full operational-recovery exercise for asset management. Such an exercise would take months of planning to ensure that the test objectives were all identified, agreed upon, and realistic—and, most importantly, would not in any way affect production. The exercise was scheduled for November of 2003. Actual events beyond the planners' control resulted in the date moving up by several months.

In late July of 2003, the manager of asset management was preparing for his quarterly meeting with investors. One of the topics he planned to highlight during his presentation was the company's business-recovery capabilities. Little did he know just how real a demonstration the investors would see. The company's IT business-continuity team was about to demonstrate its effectiveness in responding to unplanned events.

19 December 2003

U.S. Homeland Security Not Confirming New York Threat

U.S. Homeland Security Not Confirming New York Threat (Update3):

Dec. 19 (Bloomberg) -- The U.S. Department of Homeland Security and New York City police said they have no information to confirm a threat to New York City reported by ABC News.

``The New York City Police Department has no credible intelligence pointing to a specific or imminent terrorist threat to New York City,'' Michael O'Looney, deputy commissioner for public information, said in a written statement.

The ABC television network earlier said U.S. intelligence has gotten information that New York is under what the TV network called a ``credible and imminent'' threat of a terrorist attack, possibly by a female suicide bomber. ABC cited unidentified ``sources'' in a report on its Web site. ABC said information was received through intercepted communications, and no specific target was identified.

In a later report, ABC said authorities are evaluating a ``surge of information'' related to possible threats to a number of U.S. cities including New York, Los Angeles and Washington, and that the credibility of the New York threat was still being weighed. In the threats to other cities, no mode of attack, specific cells or locations were identified, ABC said.

Sarbanes-Oxley’s Audit Committee Deadline Sparks Fear, Loathing

Sarbanes-Oxley’s Audit Committee Deadline Sparks Fear, Loathing

Boardroom Buzz
by Randy Myers

As U.S. businesses work overtime to convince the public that they’ve improved their corporate governance practices, it’s easy to find CEOs publicly praising the Sarbanes-Oxley Act and its new mandates for audit committees. But in the trenches, where corporate directors are charged with making sure those mandates are implemented, reviews are much more mixed.

Many board members report good progress in staffing their audit committees with independent directors, establishing confidential whistleblower complaint systems, and putting audit committees in charge of the outside auditors. But there are still plenty of companies where directors are “kind of confused,” says University of Georgia accounting professor Dennis R. Beresford, former chairman of the Financial Accounting Standards Board and a director of three public companies (Kimberly-Clark, Legg Mason, and MCI). “At each company that I’m involved in,” he says, “we have charters that we’re updating and checklists we’re using, but it’s still hard to keep track of everything.”

With the deadline for meeting the new audit committee requirements still months away—companies have until their first annual shareholders’ meeting after January 15, 2004—directors seem most bothered by the rule that compels a public company to put a financial expert on its audit committee or explain to the investing public why it doesn’t have one.
As defined by the Securities and Exchange Commission, the audit committee’s financial expert must, among other things, understand generally accepted accounting principles (GAAP). And that, says Thomas R. Beecher Jr., an attorney and the lead director of Albany International, a pulp and paper supplier, “is trying to raise board competency to an unreasonable level of knowledge. Getting anybody to accept that responsibility will not be easy unless they’ve just retired from an accounting firm.”

18 December 2003

BankRI Announces Security Measures in Response to Stolen Laptop; Potential Release of Data Poses No Risk to BankRI Accounts

BankRI Announces Security Measures in Response to Stolen Laptop; Potential Release of Data Poses No Risk to BankRI Accounts:

PROVIDENCE, R.I.--(BUSINESS WIRE)--Dec. 18, 2003--Bank Rhode Island said today that its principal data service provider, Fiserv, Inc., reported the theft of a laptop computer that contained some BankRI customer information.

The Bank emphasized that it had no indication that this information has been misused or been improperly accessed. As a precaution, BankRI has notified all customers whose information was potentially included on the stolen laptop, is monitoring accounts for unusual activity, and has augmented its internal security procedures.

'There is no risk to any BankRI accounts as a result of this incident,' said Merrill Sherman, President & CEO. 'We deeply regret this incident and sincerely apologize for any anxiety or inconvenience this may cause.'

An investigation into the theft is ongoing as are efforts to recover the stolen laptop. 'Fiserv has been proactive in addressing this incident,' said Sherman, 'and we are assisting them, the FBI and law enforcement agencies in their investigation.'

The information on the laptop potentially included 43,000 customers' names, addresses, and social security numbers, but did not include key account access data such as personal identification numbers (PIN), account passwords, debit or ATM card information, or other financial data. Fewer than 100 BankRI account numbers were included. These, however, were not identified by customer name.

WMD exercises planned - AU

WMD exercises planned:

By Patrick Walters

AUSTRALIAN security forces and diplomats will take part in five new exercises early next year aimed at intercepting weapons of mass destruction carried on sea, air and land.

In two days of talks just concluded in Washington, officials from 16 countries agreed on a series of exercises including an air interception scenario to be staged at a German airport.

Under the US-led Proliferation Security Initiative, participating countries are trying to improve their ability to interdict nuclear, biological and chemical weapons with particular focus on the threat posed by North Korea and Iran.

Of the five training scenarios agreed for 2004, Italy will host two, and the US, France, Germany and Poland one each, according to US officials.

The exercises will involve police and customs officials as well as military forces.

Event Management Systems Defend Against Information and Regulatory Overload

Security Event Management Systems Defend Against Information and Regulatory Overload:

Yankee Group
Executive Summary

Network and security administrators daily must sift through terabytes of information written as access logs, intrusion detection system (IDS) alerts, and vulnerability and threat information. Most log information is archived without being read. Organizations also need to comply with regulations protecting the confidentiality and integrity of customer and financial information. Defining audit policies and managing log data have become pressing needs in regulated industries.

In this report, we discuss the market for security event management (SEM) systems, which are repositories for log information that manipulate and display the data in a meaningful way. Vendors created SEM systems to assist security administrators with developing policies, managing logs, responding faster to virus and hacker threats, and using the information available to continue improving defenses. SEM vendors are rising to these challenges with extensive device support, better correlation of events and robust data storage architectures. Exhibit 1 illustrates the distributed architecture of a leading security event management system.

The growing number of risks and increasing complexity of our security defenses guarantee SEM a place in the overall security solution and create an opportunity for overlapping network and systems management vendors to add value by integrating with a new breed of security solutions. This report defines a road map for the evolution of SEM. It profiles the leaders and challengers in this $90 million market and forecasts revenue growth for the next five years.
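To make the "correlation of events" the summary describes concrete, here is an added example that is not from the Yankee Group report or any vendor product: it normalizes constructed Apache-style access-log lines and simplified Snort-style alerts into one event schema, joins the alerts against a constructed scanner inventory, and ranks the resulting incidents so that most of the archived-but-unread lines collapse into a handful of prioritized items. The server address, signature-to-finding table and all sample lines are assumptions built for the demo.

```python
"""Minimal SEM-style normaliser and correlator (constructed example, not a product)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# --- Constructed sample inputs (not real traffic) ---------------------------
WEB_SERVER = "192.0.2.10"  # assumed address of the host that wrote ACCESS_LOG

ACCESS_LOG = """\
203.0.113.5 - - [15/Dec/2003:08:01:02 -0500] "GET /login HTTP/1.1" 401 312
203.0.113.5 - - [15/Dec/2003:08:01:05 -0500] "GET /login HTTP/1.1" 401 312
203.0.113.5 - - [15/Dec/2003:08:01:09 -0500] "GET /login HTTP/1.1" 401 312
203.0.113.5 - - [15/Dec/2003:08:01:15 -0500] "GET /admin HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2003:08:02:40 -0500] "GET /index.html HTTP/1.1" 200 2048
"""

# Simplified Snort-style "fast" alerts: month/day-time [**] msg [**] src -> dst[:port]
IDS_ALERTS = """\
12/15-08:01:14.200 [**] WEB-MISC admin access attempt [**] 203.0.113.5 -> 192.0.2.10:80
12/15-08:30:00.000 [**] ICMP PING [**] 198.51.100.7 -> 192.0.2.10
"""

# Scanner findings keyed by (host, port); the tag name is constructed.
VULN_INVENTORY: Dict[Tuple[str, Optional[int]], List[str]] = {
    (WEB_SERVER, 80): ["web-admin-exposed"],
}
# Which IDS signature exercises which finding (a vendor would maintain this table).
SIGNATURE_TO_VULN = {"WEB-MISC admin access attempt": ("web-admin-exposed",)}

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
IDS_RE = re.compile(r'^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.(\d+) \[\*\*\] (.+?) \[\*\*\] '
                    r'(\S+?) -> ([\d.]+)(?::(\d+))?$')


@dataclass
class Event:
    ts: datetime
    source: str            # "access" or "ids"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]
    detail: str            # request line or IDS message
    status: Optional[int]  # HTTP status for access events, None for IDS


@dataclass
class Incident:
    src_ip: str
    rule: str
    priority: str
    evidence: List[Event]


def normalize(access_text: str, ids_text: str, year: int = 2003) -> List[Event]:
    """Parse both formats into one schema; timestamps become naive local time."""
    events: List[Event] = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # a real SEM would count unparsed lines rather than drop them
        src, stamp, method, path, status, _ = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        events.append(Event(ts, "access", src, WEB_SERVER, 80, f"{method} {path}", int(status)))
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        mon, day, hms, frac, msg, src, dst, port = m.groups()
        h, mi, s = (int(x) for x in hms.split(":"))
        ts = datetime(year, int(mon), int(day), h, mi, s, int(frac[:6].ljust(6, "0")))
        events.append(Event(ts, "ids", src.split(":")[0], dst,
                            int(port) if port else None, msg, None))
    return events


def correlate(events: List[Event], inventory, window: timedelta = timedelta(seconds=60)) -> List[Incident]:
    """Group by source address and apply two rules: auth-failure bursts and IDS+vuln matches."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    incidents: List[Incident] = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        successes = [e for e in evs if e.source == "access" and e.status and 200 <= e.status < 300]
        # Rule 1: three 401s inside the window; a 2xx shortly after raises the priority.
        fails = [e for e in evs if e.source == "access" and e.status == 401]
        for i in range(len(fails) - 2):
            if fails[i + 2].ts - fails[i].ts <= window:
                later_ok = [s for s in successes if fails[i + 2].ts <= s.ts <= fails[i + 2].ts + window]
                incidents.append(Incident(src, "repeated auth failures",
                                          "high" if later_ok else "medium", fails[i:i + 3] + later_ok))
                break
        # Rule 2: an IDS alert aimed at a host the scanner flagged for that very weakness.
        for e in evs:
            if e.source != "ids":
                continue
            known = inventory.get((e.dst_ip, e.dst_port), [])
            matched = [v for v in known if v in SIGNATURE_TO_VULN.get(e.detail, ())]
            priority, evidence = "low", [e]
            if matched:
                priority = "high"
                near_ok = [s for s in successes if abs(s.ts - e.ts) <= window]
                if near_ok:  # the server answered the same source with 2xx around the alert
                    priority, evidence = "critical", [e] + near_ok
            incidents.append(Incident(src, e.detail, priority, evidence))
    return incidents


def run_demo() -> List[Incident]:
    return correlate(normalize(ACCESS_LOG, IDS_ALERTS), VULN_INVENTORY)


if __name__ == "__main__":
    for inc in run_demo():
        print(f"{inc.priority:8} {inc.src_ip:14} {inc.rule} ({len(inc.evidence)} events)")
```

Seven raw lines become three incidents; only the one where alert, vulnerability and a successful response from the same source line up is ranked critical.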

17 December 2003

Homeland Security and European Commission Reach Agreement on PNR Data

DHS | Department of Homeland Security | Homeland Security and European Commission Reach Agreement on PNR Data:

Press Releases

For Immediate Release
Office of the Press Secretary

In an historic effort to keep the United States' and European Union's borders safer from terrorism and international crime while protecting travelers' privacy, Department of Homeland Security (DHS) Secretary Tom Ridge and European Commissioner Frits Bolkestein have reached an agreement regarding the legal transfer of Passenger Name Record (PNR) data to Homeland Security. The agreement finds that Homeland Security's handling of the PNR data is sufficient for an 'adequacy finding.'

'This determination by the European Commission enhances the Homeland Security mission of fighting terrorism and crime while still ensuring that the privacy of travelers will be protected,' said Ridge. 'After a year of frank and earnest negotiations, this outcome shows the world that the United States and the European Union share the goals of keeping our people safe and our air travel network secure.'

This finding by the European Commission affirms under European law that protections to be implemented by Homeland Security are appropriate to guard passenger privacy. By using 34 key elements of PNR data at borders and ports of entry, U.S. Customs and Border Protection (CBP) officers will be able to better screen passengers for the purposes of preventing and combating terrorism and transnational crimes. The PNR data will be generally retained for no longer than three and one-half years.

Additionally, the Department will continue to negotiate with the European Commission to reach a permanent agreement for the transfer of PNR data to the Transportation Security Administration (TSA) for operational use by the Computer Assisted Passenger Prescreening System II (CAPPS II), which will identify high-risk passengers for additional screening.

After review by the European Parliament, the agreement will enter into effect and be in place for three and one-half years with renegotiations beginning in two and one-half years.

16 December 2003

Calpers Sues NYSE, Firms, Alleging Fraudulent Trades

Calpers Sues NYSE, Firms, Alleging Fraudulent Trades:

(Bloomberg) -- The California Public Employees' Retirement System, the largest U.S. pension fund, sued the New York Stock Exchange and seven specialist firms alleging they used the trading system to profit at the expense of investors.

The specialists, who match buyers and sellers, used their knowledge of pending orders to trade for their own accounts, and intervened in trades when it wasn't necessary, said Calpers President Sean Harrigan. ``The NYSE not only knew these practices existed, but perpetuated them. It profited from them,'' he said.

The aim of the lawsuit is to recoup at least $150 million in trading losses and to push the NYSE to more governance and regulatory changes, Harrigan said. Calpers, which has $155 billion in assets, has pressed the NYSE to separate its regulatory and commercial functions and Harrigan said the specialists are ``the poster child of a failed system of self-regulation.''

Bush signs bill aimed at controlling spam

InfoWorld: Bush signs bill aimed at controlling spam:

By Stacy Cowley, IDG News Service

President George W. Bush signed a bill into law Tuesday establishing federal rules for commercial e-mail and penalties for unsolicited mass spamming.

Known as the CAN-SPAM Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 takes effect Jan. 1. The law prohibits the use of false header information in bulk commercial e-mail and requires unsolicited messages to include opt-out instructions. Penalties for violations include fines of up to US$250 per e-mail, capped at up to $6 million.

The bill's authors, Montana Republican Senator Conrad Burns and Oregon Democrat Senator Ron Wyden, praised the legislation as a powerful tool for countering the spam onslaught cluttering inboxes.

'Swift and aggressive enforcement will be essential, and Senator Burns and I will continue to push the Federal Trade Commission and others to use the tools this law gives them to fight against spam,' Wyden said in a written statement."

15 December 2003

Finance sector bracing for upswing in Internet fraud

Finance sector bracing for upswing in Internet fraud - Computerworld

Cyberscams expected to soar in 2004, experts say

Story by Bernhard Warner

DECEMBER 15, 2003 ( REUTERS ) - LONDON -- Banking officials and computer security experts predicted today that the wave of cyberscams targeting the financial services sector will soar in 2004 as the industry braces for a new onslaught of fraud schemes.

The gloomy prediction comes amid a string of e-mail and Web site spoofing scams preying on banking customers.

Police call the relatively new phenomenon 'phishing,' so named because fraudsters try to lure unwitting customers into divulging their bank details.

In the past few months, a rash of e-mails posing as correspondence from some of the world's biggest banks have flowed into various e-mail in-boxes. The scams have been reported in the U.K., the U.S. and Australia, to name a few.

'We see phishing as just the toe in the water,' said a security expert at one of the U.K.'s largest banks who spoke on condition of anonymity at a summit in London dedicated to security matters in the financial services industry.

'It's like credit card fraud. Phishing is not big yet. But it will be,' the expert said."

Tube attack exercise shows flaws | UK

BBC NEWS | UK | England | Tube attack exercise shows flaws:

More work needs to be done on plans for dealing with a terror attack on London after a simulation on the Tube threw up glaring deficiencies, says a report.

Hundreds of emergency personnel were involved in the pretend chemical attack on Bank station in September.

The report into the exercise found that while much had been done to improve responses, more action was needed.

It found new rescue plans for the Underground were needed and rescuers could not talk through their gas masks.

Rescuers wore full protective clothing on the premise that the attack could be similar to that on the Tokyo underground in 1995 when deadly sarin gas was released.

It left 12 people dead and thousands seriously ill, including firefighters who tried to rescue victims.

In the London exercise, decontamination units were set up at ground level and the immediate area around the strike - the so-called "Hot Zone" - was sealed off.

Hacking for Dollars

OSAC -Hacking for Dollars

from Newsweek International

The lone computer geek, a bit rebellious but with a heart of gold, is being eclipsed by the hardened professional criminal, who uses the Internet for spying, stealing and extortion.

In the high-tech battlefield of cyberspace, the thirtysomething Russian with the jet black goatee and the new denim coat considers himself a freedom fighter, a descendant of those legendary computer geeks whose cyberstunts drove the establishment wild and helped define a unique Internet culture. Like his hacker predecessors, he has his own subversive code, this one tinged with the slogans of anti-globalization. He talks of 'freedom,' 'the unhindered flow of ideas' and the need to break the stranglehold of 'monster corporations like Microsoft.' (He won't hack into Russian companies.) 'I live in the shadows. That is where I want to be,' says the hacker, whom we'll call Dmitry, over a late-night meal in a Moscow restaurant. 'I don't need to prove anything to anyone.'

Dig a little deeper and you'll find there's something that differentiates this New Age cybersurfer from his high-minded brethren. Last year Dmitry netted $300,000 stolen from major American corporations. Like a slick businessman, Dmitry arrives for his secret rendezvous with NEWSWEEK accompanied by his lawyer. He works as part of a hacker team, composed of 10 or so experienced criminals, each with his own specialty. His job: to break into networks, opening the way for his confederates to steal and decode company information. He'll work 16-hour days for six months preparing for an assault on a Western corporation that might last just minutes. 'It's like a military attack,' he says. 'At first you do intelligence. You watch their behavior. You get ready for X-Hour. When you're 90 percent sure of success, you attack.'"

12 December 2003

The rise and rise of IT continuity

The rise and rise of IT continuity:

Information systems remain the number one mission critical priority for most businesses.

David Honour explains why this is so and looks at the key priorities in this area.

The discipline of business continuity emerged from the primordial swamps of computer disaster recovery. In the early days most companies simply ensured that data was backed up regularly. Larger enterprises normally utilised centralised mainframes which were supported through hot, or warm site recovery centre contracts. However, although some of the business continuity solutions remain current, the nature and complexity of the systems that need protecting have changed vastly.

According to recent research by the Business Continuity Institute and the Chartered Management Institute, information systems remain the number one mission critical priority for most businesses. A survey published in March found that 79 percent of the business continuity plans of UK organisations cover IT functions, far in advance of any other area. Finance came second in importance (57 percent), followed by facilities management (53 percent), human resources (53 percent) and security (51 percent). There are a variety of reasons why the protection of information systems is of such vital importance:

The importance of data

Data is the lifeblood of information systems, which, in turn, are the lifeblood of most organisations. Yes, people are incredibly important assets to businesses, but few firms would go out of business due to the loss of an employee, however highly valued. Many more companies would go out of business if they irretrievably lost critical information. According to the National Archives & Records Administration in Washington, 93 percent of companies that lose their data centre for 10 days or more due to a disaster file for bankruptcy within one year of the disaster. Even short periods of downtime can be very costly."

Cyber-terror is here for real

Cyber-terror is here for real:

from Al-Jazeera

Security agents are confronting a new threat - teams of computer hackers aiming to maximise the death toll in armed attacks by paralysing the emergency rescue services.

Since the 11 September attacks, police and intelligence officials have been forced to add a new dimension to their planning: groups of highly skilled 'cyber-terrorists'.

'The first cyber-terrorism attack will most likely not be somebody targeting a company. What we will see is a blended, or multi-prong attack,' said Richard Starnes, director of incident response for British telecom firm Cable & Wireless and an adviser to Scotland Yard's Computer Crime Unit.

A potential scenario might be this: A truck carrying explosives races towards the main entrance of a city centre rail station at rush hour, just as a computer whiz hacks into the emergency response telephone network.
There is a huge blast. With the communications system knocked out, police and rescue units are paralysed. Emergency teams lose precious minutes attending to the scene and the toll of dead and injured climbs.

This type of chain of events was, until recently, spoken about in hypothetical terms. Now, police forces and intelligence agencies around the world say it's not a matter of if, but when."

11 December 2003

Globalizing Internet Brings Unexpected Problems

Globalizing Internet Brings Unexpected Problems:

Thu December 11, 2003 10:49 AM ET

By Bernhard Warner, European Internet Correspondent

GENEVA (Reuters) - The United Nations' push to transform the developing world into tech-ready nations could partly backfire, delegates to an IT summit aimed at bridging the 'digital divide' said on Thursday.

The overwhelming consensus at the U.N.-sponsored World Summit on the Information Society (WSIS) summit this week is that bringing the Internet and telecoms innovations to the world's poor is a noble cause that needs embracing now.

But there are unpredictable consequences that also need to be considered, experts said.

'There are a number of non-trivial issues that come with overcoming the digital divide,' said Alan Greenberg, a Canadian IT consultant who works with the World Bank on programs aimed at bringing new technologies to the developing world.

'Security is one of them. Whether it be viruses or worms, or various forms of fraud, they will be coming to developing countries too. There are no barriers,' he said.

The need for international measures to fight computer virus outbreaks and step up prosecution of 'cybercriminals' has been a constant topic of the three-day event -- particularly among representatives of the developed world."

USSC - Critical Components for an effective Governance & Compliance Program

These are the seven components of the United States Sentencing Commission guidelines for an effective program:

1. Policies and Procedures
2. High-level Oversight
3. Proper Delegation
4. Communication Channels
5. Monitoring and Reporting
6. Uniform Enforcement
7. Prevention

See USSC for more details on their web site. Buyers beware. At 1SecureAudit, we are approached by dozens of software and solutions companies each month. They want us to resell their products to our clients who they assume have a problem that their product will solve.

With literally thousands of product vendors to choose from, any client has a tremendous burden to find the right solution for their particular requirements. Cutting through the noise and finding the ideal combination of products and services is the ultimate challenge.

If there is one thing we have learned in our twenty-plus years in this business, it is this: you must diagnose before you prescribe. Taking this trite yet accurate approach has saved our clients millions of dollars in wasted software licensing and internal resources. While the seven steps in the USSC compliance program may grant a company more lenient sentencing in the case of loss, they do not take into account the behavioral mechanisms of management.

All said and done, the civility of the organization is going to be based upon the right training, processes and intellect of the people running it. No software program will ever get humans to comply with policy and rules.

Compliance is a cultural issue. Software tools can support it by assisting in monitoring, and it becomes essentially a knowledge management exercise. However, what is most important is a framework and management system by which the organization operates its functional lines of business. Without an enterprise architecture in place to accommodate the rapid changes going on in the organization, you raise the risk of failure and new potential losses.

An effective enterprise architecture will allow the organization to adapt to changes and foresee the downstream impact of those adaptations more rapidly. This provides management with the opportunity and insight to dissect the root causes of the change and determine the level of risk associated with the change and the adaptations to the change itself.

Most organizations already have a compliance program in place. They have a human resources and legal department with ethics watchdogs in place. They have a physical security and cyber security unit that is protecting the perimeter. They all have their respective information systems to help them do their jobs more efficiently. Yet the losses continue. As the transparency of the organization increases and the speed that mistakes and failed processes are discovered increases, the faster the losses will come. This is because the organization will not allow itself to adapt rapidly enough to the changes being made in all the impacted departments and units within the enterprise.

Some of the best organizations have utilized business process management and enterprise architecture to facilitate a more adaptable and resilient enterprise. Those organizations will survive the next wave of business change on our door step.

10 December 2003

Welcome, Stranger

Welcome, Stranger -Corporate Board Member

Feature Story

Welcome, Stranger

What is the single piece of advice you’d most want to give a new director?
Hire a private eye, says one seasoned board member. Others chime in with different counsel.

SURVEY SAYS: Where directors come from
Answers to a multiple option question show directors look for talent in many places:

92.5% say they use boardroom contacts to find new members,
68.7% say they use management contacts, and
44.9% use search firms.

Dutch release corporate governance code

Dutch release corporate governance code:

Seattle Post-Intelligencer: AP - Business

AMSTERDAM, Netherlands -- The Netherlands unveiled a new set of rules Tuesday to help corporate boards prevent executives from abusing their power.

The code was drawn up by a panel of business executives at the request of the Finance Ministry to reform governance after a number of crises at Dutch companies.

Its work was made urgent by the accounting scandal at the retail giant Ahold NV, often seen as a European parallel to Enron.

The code requires corporate board members to undergo 'training and education' to help them do their job properly, and limits the number of boards they may serve on.

Compliance with the code is voluntary, but companies choosing to ignore it should explain why to shareholders."

09 December 2003

1SecureAudit Information Risk Management Policy

This policy provides guidance on determining appropriate controls that must be implemented for information resources, based on the information classification of those resources. This policy also provides standards for handling, labeling, duplicating, distributing, storing, transporting and disposing of sensitive electronic or hard copy media.

Scope: This policy applies specifically to information owners, resource administrators and also contains information to which all Firm personnel must adhere.

Statement: Appropriate security controls must be built into the Firm's information resources. This protection must be commensurate with a resource's value to the Firm, as determined by the results of a formal risk assessment.

Key Points:

1. Information resources must have a designated information owner.
2. Information owners must classify their information resources into one of the following classifications: Internal Use Only, Confidential or Restricted.
3. Information resources must have designated resource administrators who are responsible for implementing, maintaining, monitoring and reviewing information security controls.
4. A formal risk assessment must be performed to determine the security controls required for implementation on information resources.
5. Information resources must undergo an initial risk assessment evaluation and receive a "certification" prior to deployment in a production environment.
6. Information resources must undergo a re-evaluation when specific events have taken place.
7. Specific controls must be followed when handling, labeling, duplicating, distributing, storing, transporting and disposing of sensitive electronic or hard copy media.

Managing major operational disruption in the City of London

Managing major operational disruption in the City of London

Bob McDowall
Bloor Research

Tuesday 9th December 2003

A recent review on the City of London's preparedness for major operational disruption was published this week, following review by a group under the Chairmanship of Andrew Large, the Deputy Governor of the Bank of England. While there is a need for the City of London to invigorate its preparations, the review rejected the proposal from the Chancellor of the Exchequer that Emergency Statutory Powers should be granted to the UK Treasury to take control of Financial Markets in the event of major operational disruption.

This review, supplemented by a briefing organised last week by CityCompass on "Business Continuity, the Big Issue?", provides an insight into the progress and refinement of thinking, plans and actions in the area of business continuity within the City of London by financial institutions, financial services regulators and those who provide technology and communications services to enable business continuity.

Holistic Compliance

Holistic Compliance- Wall Street Technology

Holistic Compliance
Feature Story

When Jay Cohen, vice president and chief compliance officer at MONY Group - a diversified financial-services company - spoke at this fall's InformationWeek conference on compliance in financial services, he enumerated a laundry list of IT projects on his firm's agenda.

Heading up that list were: spending on Sarbanes-Oxley, enhancing surveillance technology to keep track of all sales practices, anti-money-laundering compliance, privacy and security technology, as well as e-mail supervision and retention issues.

"Yes, I spend a lot of time with my CIO these days," says Cohen, a former prosecutor who is responsible for preventing illicit activity in the firm's retail brokerage, mutual-fund and insurance businesses.

It's no secret that financial-services firms like MONY Group are grappling with requirements to comply with multiple regulations. According to a recent compliance study conducted by the InformationWeek Media Network: 81 percent of the 36 securities and investment firms interviewed are taking steps to comply with SEC Rule 17a-4 regarding retention and surveillance of e-mails and instant messages; 72 percent are addressing the USA Patriot Act; and 62 percent are dealing with the Sarbanes-Oxley Act, which requires the certification of financial controls and the integrity of data impacting financial statements.

But if financial-services firms are so busy coping with a bevy of urgent regulations, why are they buying one-off technology solutions?

08 December 2003

A New Moral Compass For The Boardroom

Corporate Board Member What Directors Think: Special Issue 2003: "

Special Report

by Peter Keating

Under pressure from outsiders and from themselves, directors are struggling to redefine the delicate balance of serving society as well as the bottom line. Here's how some of them are doing it.

Enron's board members were not rubes. Robert Jaedicke, for example, who chaired the company's audit committee, is the former dean of Stanford business school. But the directors took guidance from a world that has since imploded, and their actions defined an extreme and now discredited concept of directorial duty. What will replace it is the hottest question facing boards.

Day after day, directors around the country must make difficult decisions about their companies' standards and behavior, about how to handle issues of disclosure, financial management, and compensation, about how to treat workers, communities, and the environment. The answers are often anything but clear-cut, and history shows that there are ebbs and flows to how companies respond"

UK cold on mandatory security audits

ZDNet UK - News - UK cold on mandatory security audits:

Graeme Wearden
December 08, 2003, 18:05 GMT

Government and businesses agree that British companies should not be forced to conduct an audit of their IT security each year

Companies, politicians and analysts are united in their belief that the introduction of compulsory IT security audits in the UK would not be a welcome development.

There is little support for a British version of the Corporate Information Security Accountability Act -- a piece of legislation under scrutiny in America that would force publicly traded US corporations to certify that they have conducted a computer security audit each year.

The UK government says that it is concentrating its efforts on protecting the nation's critical national infrastructure -- telecoms, water, energy and public services -- and that other companies must take responsibility for their own IT security. But Jeremy Beale, head of e-business at the Confederation of British Industry (CBI), believes that the vast majority of medium-sized and small businesses don't have the in-house technical expertise to make themselves secure and to engage with suppliers. 'These small firms will be part of a supply chain with larger companies, and the security and robustness of a supply chain is only as strong as its weakest link,' Beale told ZDNet UK. Despite this knock-on effect, the CBI says it doesn't support the introduction of compulsory IT audits because suitable standards aren't yet in place.

And many other experts claim that making firms vouch for the security of their networks and systems annually would actually encourage them to neglect the issue for the rest of the year."

We predict that even though the US government requires this for its own agencies (a.k.a. FISMA), corporations will have time to get their own act together. Uncle Sam will not mandate this for some time to come. What will be more of interest is how many publicly traded companies provide evidence in their reports about the results of the latest security audit, not only as a gesture of good corporate governance but also as a clear market differentiator. Where will you keep your bank account or personal health records information? With the company that gets an "A" or an "F" for their latest audit report card?

Dirty Bomb Warheads Disappear

Dirty Bomb Warheads Disappear (washingtonpost.com):

Stocks of Soviet-Era Arms For Sale on Black Market

By Joby Warrick
Washington Post Staff Writer
Sunday, December 7, 2003; Page A01

TIRASPOL, Moldova -- In the ethnic conflicts that surrounded the collapse of the Soviet Union, fighters in several countries seized upon an unlikely new weapon: a small, thin rocket known as the Alazan. Originally built for weather experiments, the Alazan rockets were packed with explosives and lobbed into cities. Military records show that at least 38 Alazan warheads were modified to carry radioactive material, effectively creating the world's first surface-to-surface dirty bomb.

The radioactive warheads are not known to have been used. But now, according to experts and officials, they have disappeared."

Offense vs. Defense: The Risk Management Clock is Ticking

Offense vs. Defense: The Risk Management Clock is Ticking - Complete Article

By Peter L. Higgins
Managing Director
1SecureAudit LLC

What side of the risk management game clock do you play on within your organization? A mix of both is a prudent way to hedge any potential losses, yet the question becomes how much time on the corporate playing field is spent proactively managing future risk.

A proactive and preventive risk approach requires a layered and active intelligence program. It requires dedicated resources and personnel spending a majority of their time scanning the horizon for new threats. It means spending more time asking, "What if?" This will produce the next new thinking and strategy on what to do next to prevent a potential new loss.

05 December 2003

Foreign firms must toe US security line

vnunet.com Foreign firms must toe US security line:

New agreement could improve good security practice

Non-US companies working on US defence and government contracts will soon have to demonstrate the security of their computer systems to meet guidelines issued by the US Customs and Border Protection (CBP) department.

The 'Foreign Manufacturer Security Recommendations Customs-Trade Partnership Against Terrorism (C-TPAT)', has been drawn up in the wake of the increased threat of terrorism.

It will be implemented in a phased approach to foreign companies, with Mexican manufacturers being the first to fall under the rules. It will then be extended to a select group of foreign manufacturers in Europe and Asia, who will be invited to participate.

Within 90 days of signing the C-TPAT Agreement for Foreign Manufacturers, companies will have to provide an executive summary outlining the elements of the security procedures they have in place.

At a minimum, non-US companies must demonstrate they have information security controls proving the integrity of automated systems, and a process established for reporting and correcting problems."

04 December 2003

IRS Auditing Executive Compensations - US

ABCNEWS.com : IRS Auditing Executive Compensations:

The Associated Press

WASHINGTON Dec. 4 — The Internal Revenue Service is auditing two dozen companies to make sure they followed the rules for compensating executives, scrutinizing corporate perks such as stock options and the use of private jets and luxury apartments.

The examinations will focus on more companies and possibly mean auditing the personal tax returns of some corporate leaders, said Keith Jones, the agency's director of field specialists.

"Executive pay packages have become much more complex. We're taking a close look at these vehicles to make sure they fully comply with the law," IRS Commissioner Mark Everson said.

The IRS started its inquiries this summer to find out whether companies were following the rules for fringe benefits and other forms of paying top officers. The review came as corporate bankruptcies exposed the lavish lifestyles of some executives.

The audits, geared toward companies with $10 million or more in assets, intensified this fall. The IRS, which is not identifying the companies, plans to use its findings from the first batch of audits and expand the investigations.

The agency identified eight areas of scrutiny. The list includes rules regarding the business and personal use of fringe benefits such as private jets and vacation homes. Golden parachutes, or benefits packages granted to executives when they leave a company, are under review. The IRS is examining deferred compensation programs and stock options to make sure they are taxed appropriately.

Also being studied are laws that cap deductible compensation at $1 million, arrangements that transfer compensation among family members and employee leasing programs.

Jones said the IRS views the audits as part of the government effort to increase its oversight of corporate America in the wake of a series of business and accounting scandals.

"This is a corporate governance issue," Jones said.

Final rule on Regulation Y (Bank Holding Companies and Change in Bank Control)

FRB: Press Release--Final rule on Regulation Y (Bank Holding Companies and Change in Bank Control):

For immediate release

The Federal Reserve Board on Thursday announced its approval of a final rule that expands the ability of all bank holding companies, including financial holding companies, to process, store and transmit nonfinancial data in connection with their financial data processing, storage and transmission activities.

The rule will be effective January 8, 2004.

The Board's order is attached."

BBA president speaks out about business continuity

BBA president speaks out about business continuity:

Sir George Mathewson, chairman of the Royal Bank of Scotland and president of the British Banking Association has used the BBA’s ‘Regulating Banks in Britain’ conference to express his views on business continuity management.

“One of the things I think we should congratulate the [UK] authorities on is their response to the continuing threat of business disruption,” said Mathewson.

“I am told it is not a case of ‘if’, but ‘when’. Two years after 9/11 the power blackout on the eastern seaboard reminded us that business continuity management is not just about planning for the threats to our business that a team of suicide bombers can bring.

“But plan we have to and, as I say, the Treasury, the Bank of England and the FSA have been doing an impressive job in improving the sector's resilience behind the scenes. They have identified in some detail ahead of time how priorities and timelines, roles and responsibilities would be established, so that they could work with the market to co-ordinate collective action to get the City up and running again with as little delay as possible. In particular I would commend to you the Triparty committee's website - financialsectorcontinuity.gov.uk - which has got a lot of very useful information on it.

“I firmly believe that business continuity management is a critical element of good corporate governance. Without a strong awareness of this by the executive team there will be poor buy-in in other parts of the organisation. Business continuity management has to be integrated into all levels of our banks, into our change management processes and into our new business programmes, so that it really does become part of the culture of our institution.

“One of the key learning points from 9/11 was the need to start doing things very promptly, rather than running around like headless chickens for the first two hours. And to be able to do that we need to be able to communicate with each other. Again the authorities have been doing a good job in establishing large scale teleconferencing facilities and emergency information phone lines. And I am glad to say that the BBA has been playing its part too, by establishing a web-based, password protected contact database which would only be activated after a catastrophic event and which is designed to help people get in touch with their opposite numbers in other banks, so that we can get things going again.

“Ours is a highly competitive business, but in the area of business continuity planning it is essential that we all work together - and your trade association is providing a key communication tool to make that happen.”

We agree that corporate governance and business crisis and continuity management should be more integrated. Industry is headed in the right direction, although sometimes it does need a little nudge to get to full compliance. What business will not do on its own, government will soon follow to ensure such matters are satisfactory. Frankly, this topic is so critical that leaving it up to the government alone would be opening business up to even more regulation. Here is a nudge: as a CxO in your organization, take a quick test of your preparedness by asking your administrative staff who on the floor is trained in using an AED (Automated External Defibrillator) in case you have a heart attack. If they have an answer, go ask that person where the AED is located. If they can't answer you, then maybe that's the nudge you need. You see, there is nothing that gets CxOs off a dime these days like a call from their lawyer and/or a little angina pectoris. Hopefully not in that order.

10 face charges in online drug sales

10 face charges in online drug sales:

By Jerry Seper

A federal grand jury in Alexandria yesterday returned a 108-count indictment against 10 persons and three companies, charging them with illegally selling controlled substances and other prescription drugs -- including Viagra -- over the Internet.

The indictment charges that customers were able to purchase the drugs with inadequate or no medical supervision, little diagnostic testing and scant monitoring of the person's response to the drugs as required by law.

The Internet sites used mass e-mail and advertising to sell drugs, giving discounts to customers who bought large quantities.

'This case is about a dangerous new spin on an old problem,' said U.S. Attorney Paul J. McNulty. 'Drug trafficking in cyberspace is just as harmful to public safety as drug trafficking on street corners. The advent of the Internet does not mean doctors and pharmacists can bypass rules concerning the dispensing of prescription drugs, particularly controlled substances.'

Directors face fines to beat fraud - UK

Directors face fines to beat fraud:

Patrick Hosking, Evening Standard
4 December 2003

DIRECTORS could for the first time be prosecuted and fined for concealing relevant information from auditors under a fresh clampdown aimed at preventing Enron-style frauds.

The new criminal offence is detailed in a Companies Bill published today, which also gives Department of Trade and Industry inspectors extra powers and aims to keep auditors objective.

Industry minister Jacqui Smith hailed the Bill as a comprehensive package of measures aimed at restoring investor confidence in corporate governance, accounting and company auditors.

'There is no denying that financial markets around the world have been badly shaken by the corporate failures of the last few years,' she said.

The Bill, introduced to the House of Lords today, would give auditors greater powers to get information they needed and give DTI inspectors extra powers to uncover misconduct, she said.

CFOs produce risk management guide - AU

CFOs produce risk management guide - http://www.theage.com.au:

As investor scrutiny of AU public companies intensifies, chief financial officers of Australia's major enterprises have moved to strengthen their risk management processes.

A group of chief financial officers (CFOs) have released a comprehensive guide in response to Principle Seven of the Australian Stock Exchange Corporate Governance Council's better practice requirements, which relates to risk recognition and management.

The Group of 100 chief financial officers (G100), together with professional services firm Deloitte, said the guide, released on Wednesday, specifically outlines what companies should do in complying with Principle Seven.

G100 national president John Stanhope said the guide provided greater clarity as to the internal certification requirements for both chief executives and CFOs as well as company boards.

Mr Stanhope said that with CFO certifications under Principle Seven commencing from December 31, rapid adoption of the guide is imperative.

'The G100's guide will help by providing information and guidance to the relevant officers,' he said."

03 December 2003

Internet security gets checkup / Tech leaders, feds take new look at plan

Internet security gets checkup / Tech leaders, feds take new look at plan:

Carrie Kirby, Chronicle Staff Writer

Homeland Security Secretary Tom Ridge will meet today with Silicon Valley leaders to assess how much progress has been made in protecting the nation's computer networks and what steps still need to be taken.

The Santa Clara meeting is a follow-up to the Bush administration's National Strategy to Secure Cyberspace, a plan that was criticized by some security experts as too light-handed.

That plan, released last year, called for the government and the private sector to work together to secure the Internet and the growing infrastructure, like power plants and 911 systems, linked to it. These systems are at risk from the growing plague of Internet worms and hackers.

But the strategy did not include any strict rules or mandates.

Today, government and industry representatives will wrangle more concrete steps for protecting the infrastructure, said Howard Schmidt, formerly the White House cyber-security adviser. Schmidt is co-chairing one of five committees of tech industry representatives."

Feds Crack Down On Cyberfraud

Bank Systems & Technology > Feds Crack Down On Cyberfraud:

Jim Middlemiss, Wall Street & Technology, and George V. Hulme, InformationWeek

Federal authorities and investment firms are getting serious about Internet-related fraud. Recently, Operation Cyber Sweep, which included 34 U.S. attorneys, the FBI, and various federal, state, local, and foreign law-enforcement agencies, targeted cyberfraudsters and netted 125 arrests and more than 70 indictments.

The operation targeted some of the most common online fraud schemes: identity theft, international money laundering, theft of business trade secrets, auction fraud, Web-site spoofing, and cyberextortion. These schemes involved more than 125,000 victims with losses estimated to exceed $100 million.

In one case, a Pennsylvania man allegedly used a Trojan horse to capture the password of an investor's online account, a stark example of the security scams that investment firms face."

02 December 2003

Privacy concerns mount over retail use of RFID technology

EE Times UK - Privacy concerns mount over retail use of RFID technology

By Charles J. Murray
EE Times

Park Ridge, Ill. - Engineers and consumer advocates are pushing suppliers and corporate retailers to take a harder look at privacy concerns related to the use of radio frequency identification technology. Noting that such issues could undermine RFID's enormous potential, engineers at a recent RFID Privacy Workshop at the Massachusetts Institute of Technology called for implementation of 'powerful and flexible privacy mechanisms.'

'This issue must now be addressed or the RFID explosion may not occur, or may occur in a much more limited fashion [than expected],' wrote Kenneth P. Fishkin of Intel Research (Seattle) and Sumit Roy of the University of Washington in a paper presented at the MIT conference last month.

Such calls for high-tech intervention have put backers of RFID technology on the defensive, as consumer groups and the media press for safeguards.

'This technology is like an electronic frisk or a form of X-ray vision,' said Katherine Albrecht, the founder of Customers Against Supermarket Privacy Invasion & Numbering (Caspian). 'It really could create a total surveillance world. It's very dangerous.'"

Flaws Persist In U.S. Terror Intel

CBS News | Flaws Persist In U.S. Terror Intel | December 2, 2003 09:27:11

WASHINGTON, Dec. 2, 2003

The Markle task force says there is confusion about the respective roles of the center and Homeland Security Department.

(AP) The federal government has made limited progress in improving how it gathers, shares and responds to information that could prevent terrorist attacks, says a new report by technology and intelligence experts.

In a report released Tuesday by the Markle Foundation, the experts said 'sharing of terrorist-related information between relevant agencies at different levels of government has been only marginally improved in the last year.'

They added that sharing 'remains haphazard and still overly dependent on ... personal relations among known colleagues.'

The Markle Task Force on National Security in the Information Age, which wrote the report, advocates creation of a decentralized information network to spread information about terror threats while safeguarding against violations of civil liberties.

The panel is overseen by the Markle Foundation, a private philanthropic organization. The experts proposed building an information network, called the Systemwide Homeland Analysis and Response Exchange, or SHARE.

01 December 2003

Corporate governance

vnunet.com Corporate governance:

While the need for organisations to comply with legislation and laws has been around for some time, high-profile scandals such as Enron and WorldCom really caught people's attention.

Powerful images of suited company executives being led away in handcuffs induced a degree of panic. Corporate governance was pushed to the top of the company agenda, highlighting the seriousness of lapses, with no room for clemency over whether they were deliberate or accidental.

Compliance is now becoming a matter of survival for businesses, and a question of freedom for directors. But understanding what corporate governance actually means varies widely, depending on the business and its inclination towards compliance.

The CBI defines it as 'the system by which companies are directed and controlled'.

It states: 'Boards of directors are responsible for the governance of the companies and for setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship.'

There are numerous regulations to which businesses must adhere if they want their data and processes to stay on the right side of the law. Sarbanes-Oxley is perhaps the most prominent piece of legislation so far.

It was introduced in the US last year, covering corporate governance, financial reporting and auditing requirements. While it is a US law, international companies with offices in the States also have to comply.

Other, perhaps more familiar, regulations with which businesses must comply include Basel II in the financial world, the Data Protection Act and the Freedom of Information Act.

And then there are new ones, such as the EU Directive on Privacy and Electronic Communications, which comes into force on 11 December.

In this Special Report, Computing examines how best to ensure your business complies with the law, and the positive impact governance can have on the day-to-day running of the business, if it is done properly."

In need of a quick fix

In need of a quick fix:

Agencies turn to automated patch-delivery tools to counter fast-moving security threats

BY Rutrell Yasin
Dec. 1, 2003

Anyone who has ever tried to keep up with software patches knows the struggle can be akin to being trapped in a horror movie - something like 'A Nightmare on Patch Street.' Yet, with system security becoming more important in a networked world, managing all of those patches is increasingly a mission-critical function.

If agencies weren't already aggressively applying patches to fix critical security flaws, then the onslaught of computer worms that globally disrupted network operations last summer probably gave them a new sense of urgency.

Last August, the Blaster worm and its Welchia variant underscored the need for better procedures and tools for applying patches as soon as vulnerabilities are exposed.

There is little doubt that they are portents of things to come. Worms or malicious code can exploit a security flaw shortly after it has been exposed. These two worms exploited a remote procedure call vulnerability in several versions of Microsoft Corp. Windows software, overloading systems with self-generating bogus traffic.

Indeed, information technology managers in both the public and private sectors are finding it increasingly difficult to keep up with patches as the length of time continues to shrink between the awareness of vulnerabilities and the introduction of worms that exploit them."

We agree that any comprehensive enterprise security risk management program should include automated patch management. Shavlik is one of our favorites here based upon our experience. However, it is only a small percentage of the total solution. With automated scanning and deployment of security patches to thousands of computers you would think that this solves the problem. Before purchasing any COTS (commercial off the shelf) solution, you should make sure that the product has been certified and tested to be in compliance with security criteria. Areas such as data and system integrity, security administration, guidance documentation and security functionality and scalability are key aspects of a sound software application. While patch management is a piece of the puzzle, you will still need to address policy, threat, asset, risk and incident management as part of a holistic program.

7 Steps to crisis readiness

MIS | Magazine > 7 Steps to crisis readiness

By Jimmy Yap

More often than not, IT heads are put in charge of their companies’ business continuity plans.

Jimmy Yap finds out what they must do to come up with an effective program.

As the head of I.T., you have been put in charge of the company’s business continuity plan (BCP). While you know a lot about data recovery, business continuity is a different kettle of fish altogether.

After all, it is easy enough to work out smart strategies to recover data. Solutions range from an off-site live mirror of the data to regular tape backups, also stored off-site. The final decision will be guided by clear technical requirements like how much down time you can afford and the speed of recovery needed.

However, recovering the business demands more than just recovering data, as the events of September 11 made amply clear.

Business continuity management (BCM) is no longer solely in the hands of the CIO. In fact, there is a growing move to take business continuity planning out of the hands of the IT department (see box, “Don’t Give Business Continuity Planning To IT”).

However, until all companies decide to appoint a full-time BCP manager, most IT chiefs will end up wearing the BCP hat as well.

We find out how some BCP managers put an effective business continuity program in place.