30 September 2003

Lost in the Mail

Wall Street & Technology > Compliance > Lost in the Mail: "Dealing With Regulators

At a recent WS&T event on e-mail archiving, Steven Shine, senior regulatory counsel, Prudential Securities, was asked how to deal with regulators.

He explained that if there is an issue, there will be a number of regulators requesting e-mail records - including the Securities and Exchange Commission and multiple self-regulatory organizations, as well as civil litigants (if there is litigation involved). Shine says, 'So what is reasonable under the circumstances and in the case of a joint audit? You've got to be able to deal with regulators and you've got to be able to have the conversation with them and make them understand that no matter what your system capacity is, you're not going to be able to turn around multiple requests and enormous requests in a period of just hours. Twenty-four hours has been the commission standard; sometimes 48 hours. But in the case of enormous requests, multiple requests from multiple regulators and litigants, there's going to have to be a little bit more understanding.'

'What you're going to need to do is have a gatekeeper to make sure priorities are set and that these requests are handled as expeditiously as possible. One other complicating factor - as with any document - before it is turned over to a regulator or to a litigant, it has to be reviewed. You've got to review your e-mails for things such as attorney/client privilege and you've got to do that in electronic medium."

COMMENT:
=======================================
Without deliberate planning, a corporation’s electronic data becomes an uncontrolled beast, feeding on ample supplies of electronic files from e-mail systems, computer backup tapes and user desktop PCs. As a result:

• Documents are routinely created and saved without regard to their future evidentiary value.

• Data which must be preserved can be lost or destroyed, subjecting the corporation to claims of spoliation or to severe penalties under the Sarbanes-Oxley Act.

• System backup tapes are sometimes retained far longer than the business or legal requirements of the organization, creating unintentional “de-facto” repositories. Not only are these repositories expensive and unwieldy to search, but they often provide surprise evidence.

• E-mail systems take on a life of their own, housing documents of all types with little regard for storage, organization or retention periods.

The Four Principles of Computer-Based Electronic Evidence

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

--- From the Good Practice Guide for Computer-Based Electronic Evidence, ACPO
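As an added illustration of Principles 1 and 3 (this is example code written for this page, not tooling from the ACPO guide), the Python below keeps a hash-linked audit trail of every processing step applied to a constructed sample e-mail, checks that the acquired bytes were never altered, and lets an independent party replay the recorded steps with the same tools and confirm identical results. The tool identifiers, step names and sample message are assumptions made up for the example.

```python
"""Hash-linked audit trail for processes applied to electronic evidence.
Added example for ACPO Principles 1 and 3 (not the guide's own tooling): each
step records SHA-256 of input and output so an independent examiner can re-run
the same tools and confirm the same result; acquired bytes are never edited."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

Tool = Callable[[bytes], bytes]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class AuditEntry:
    step: str           # what process was applied
    examiner: str       # who applied it (Principle 2: a competent person)
    tool: str           # tool name@version, so a third party can use the same one
    input_sha256: str
    output_sha256: str
    timestamp_utc: str

class EvidenceProcessor:
    """Applies processing steps to evidence and logs each one (Principle 3)."""

    def __init__(self, acquired: bytes, examiner: str) -> None:
        self.original = bytes(acquired)             # kept intact; steps work on copies
        self.acquisition_sha256 = sha256_hex(self.original)
        self.examiner = examiner
        self.trail: List[AuditEntry] = []

    def apply(self, step: str, tool_id: str, tool: Tool, data: bytes) -> bytes:
        output = tool(data)
        self.trail.append(AuditEntry(
            step=step, examiner=self.examiner, tool=tool_id,
            input_sha256=sha256_hex(data), output_sha256=sha256_hex(output),
            timestamp_utc=datetime.now(timezone.utc).isoformat()))
        return output

    def original_unchanged(self) -> bool:
        """Principle 1 check: the acquired bytes still hash to the acquisition value."""
        return sha256_hex(self.original) == self.acquisition_sha256

    def export_trail(self) -> str:
        """The preserved record handed to a third party alongside the evidence."""
        return json.dumps([asdict(e) for e in self.trail], indent=2)

def replay_trail(original: bytes, trail_json: str, tools: Dict[str, Tool]) -> bool:
    """Independent re-examination: re-run each recorded step with the named tool
    and require both recorded hashes to match. A changed original, a missing
    tool or a tool producing different output all fail verification."""
    data = original
    for entry in json.loads(trail_json):
        tool = tools.get(entry["tool"])
        if tool is None or sha256_hex(data) != entry["input_sha256"]:
            return False
        data = tool(data)
        if sha256_hex(data) != entry["output_sha256"]:
            return False
    return True

# --- constructed sample evidence and tools (assumptions for this example) ---
SAMPLE_EMAIL = (  # constructed message, not real correspondence
    b"From: trader@example.com\r\n"
    b"To: compliance@example.com\r\n"
    b"Subject: Q3 positions\r\n"
    b"\r\n"
    b"Please see attached.\r\n"
)

def normalize_newlines(data: bytes) -> bytes:
    return data.replace(b"\r\n", b"\n")

def extract_headers(data: bytes) -> bytes:
    head, _sep, _body = data.partition(b"\n\n")
    return head + b"\n"

TOOLS: Dict[str, Tool] = {
    "normalize_newlines@1.0": normalize_newlines,
    "extract_headers@1.0": extract_headers,
}

def run_examination(examiner: str = "examiner-A"):
    """Two-step examination of the sample; returns the processor and final output."""
    proc = EvidenceProcessor(SAMPLE_EMAIL, examiner)
    step1 = proc.apply("normalize line endings", "normalize_newlines@1.0", normalize_newlines, SAMPLE_EMAIL)
    step2 = proc.apply("extract header block", "extract_headers@1.0", extract_headers, step1)
    return proc, step2

if __name__ == "__main__":
    proc, headers = run_examination()
    print(proc.export_trail())
    print("original unchanged:", proc.original_unchanged())
    print("independent replay verifies:", replay_trail(SAMPLE_EMAIL, proc.export_trail(), TOOLS))
```

Replaying with a different build of a tool (or against an altered original) fails verification, which is exactly the discrepancy an independent examiner needs to be able to detect.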

29 September 2003

WSJ.com - Editor's Note - Workplace Security

WSJ.com - Editor's Note: "

Editor's Note

Is it safe?

That's the opening sentence of our cover story, and it's the driving question behind this entire report.

How much has been done, we wanted to know, to make our workplaces safer in the two years since terrorists destroyed the World Trade Center? How prepared are we in case of an emergency? How vulnerable are our mailrooms to anthrax-type attacks? How secure are our computers to a different kind of threat?

A couple of years ago, such questions might have seemed alarmist, even silly, to most of us. And even now, our interest in them rises and falls, depending on our sense of imminent danger.

Terror alerts are raised -- and we fear that our workplaces are too lax. Then months go by without new threats, and we grouse about having to show our ID cards in the office. Viruses attack our office computers, and we brace ourselves for the coming technical mayhem. Time passes, and we complain that our firewalls are annoying.

So in this report, we wanted to cut through the ups and downs of the public's interest, the day-to-day changes in our perception of danger. And instead we wanted to focus on a simple question: Is it safe?

-- Lawrence Rout"

COMMENT:
========================================
Thanks to our colleague Marc Martin at Kirkpatrick & Lockhart LLP for bringing this report to our attention. The WSJ has done a great job of not only addressing the employee at work, but also at home. You'll need to be a registered subscriber to access the host of articles.

SEC Policy Statement: Business Continuity Planning for Trading Markets

Policy Statement: Business Continuity Planning for Trading Markets:

"A critical 'lesson learned' from the events of September 11, 2001 is the need for more rigorous business continuity planning in the financial sector to address problems of wider geographic scope and longer duration than those previously addressed. These events made clear the possibility of a large-scale regional disaster, resulting in a broad consensus in the financial community that business continuity planning needs to adapt to plan for events of wider scope and, in general, become more robust and resilient.

Since the September 11 attacks, the U.S. securities markets and market participants have taken significant steps toward this goal by demonstrably improving the robustness of their business continuity plans.

The Commission and other financial regulators also have been devoting substantial resources to efforts designed to strengthen the resilience of the financial sector. For example, the Commission, together with the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency, recently published an Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System that identified "sound practices" relating to business continuity planning for certain key market participants.

COMMENT:
=======================================
While regulators have emphasized the need to test these plans more rigorously, they have still left organizations the flexibility they require for specific operational functions. As an example, they have not "yet" mandated a minimum distance between operational facilities. At some point, organizations will realize the vulnerability of placing both facilities within the same geographic region. This became even more apparent in the United States with the recent northeastern blackout and the Mid-Atlantic hurricane events.

26 September 2003

You've Been Indicted. The Most Feared Words in the Boardroom

boardmember.com Resource Center - : "You've Been Indicted. The Most Feared Words in the Boardroom
From Corporate Board Member - Resource Center

By Peter L. Higgins

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an 'effective program to prevent and detect violations of law.'

The Guidelines contain criteria for establishing an 'effective compliance program.'

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

1. Systems for monitoring and auditing

2. Incident response and reporting

3. Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can't pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Boards of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas, and how can they be addressed without creating a state of fear and panic?

25 September 2003

Risk officers serve well as nags

Risk officers serve well as nags: "By BILL VIRGIN
SEATTLE POST-INTELLIGENCER COLUMNIST

Whatever business they're in, most companies follow a fairly standard model for organizing the executive suite: Chairman, president, chief executive officer (often combined in one person), chief financial officer, chief technology officer, chief risk officer, chief ...

Wait a minute. What was that last one?

Chief risk officer isn't a title you see very often in corporate executive structures. Expect to see it more frequently."

COMMENT:
========================================
The Chief Risk Officer will in most cases also have a VP of Operational Risk and Credit or Market Risk reporting to them. The goal here is to put specialists into roles that have high accountability to the CEO and the Audit Committee. Now if we could just get the CSO (Chief Security Officer) to report into the same suite instead of being imprisoned by the CIO and technical side of the business.

24 September 2003

Davis To Sign Anti-Spam, ID Theft Legislation

NBC 4 - Technology - Davis To Sign Anti-Spam, ID Theft Legislation: "Spammers Could Be Fined Up To $1 Million

LOS ANGELES -- California will become the first state in the nation to prohibit Internet advertisers from sending unsolicited e-mails known as spam, under legislation that Gov. Gray Davis said he would sign Tuesday.

The anti-spam legislation targets not only the firms that package and send the unwanted e-mails to consumers, but also the companies whose products and services are being advertised. The measure covers all unsolicited commercial e-mail sent or received in California and imposes fines of up to $1 million per incident.

'There are no loopholes, no way of getting around it,' said the bill's author, state Sen. Kevin Murray, D-Los Angeles. 'We are confident that this is going to stop the billions that we are losing to spam.'

Murray said California is the first state to take such a step against spam."

23 September 2003

Software Helps Banks Comply With Patriot Act

Bank Systems & Technology > Software Helps Banks Comply With Patriot Act > September 23, 2003: "Software Helps Banks Comply With Patriot Act
Steve Marlin
Sep 23, 2003

As financial institutions scramble to comply with the federal government's Oct. 1 deadline for implementing strict customer-identification procedures, they're looking for technology to scour transactions for patterns of fraud. The USA Patriot Act is aimed primarily at banks, investment firms, insurance companies, and stock and commodities exchanges, regarded as gatekeepers of the nation's financial system. At a minimum, they must put in place procedures to collect information on customers when they open accounts to verify that customers are who they say they are and check whether customers appear on terrorist lists. Records must be retained for five years after an account is closed. The law applies to any organization deemed a likely target for illicit cash, including pawnshops, travel agents, casinos, precious-metals dealers, and money-transfer agents. "

Cyber Threat - Some Fear Computer Attacks Could Cause or Intensify Physical Terror

Overseas Security Advisory Council: "Cyber Threat - Some Fear Computer Attacks Could Cause or Intensify Physical Terror
from ABC News on Tuesday, September 23, 2003

Evildoers commandeer thousands of home computers, creating a virtual army that knocks down chunks of the Internet. Computer infections hit a nuclear plant, crash a 911 system, snarl train service and shut down ATMs. A neighborhood glitch compromises air traffic control computers. It's all happened before, security experts say.

Luckily for America, it hasn't happened all at once - yet.

There is skepticism, but some fear it could. The recent accidental power outage which took out tens of millions of electricity consumers also spurred concerns.

'The Northeast power blackout ... could happen as a result of a terrorist attack using cyber [methods],' said Richard Clarke, America's former cybersecurity czar, now an ABCNEWS consultant.

'[There are] a lot of people in the Department of Homeland Security that believe the only terrorist events worth worrying about are the ones with explosions and bodybags, and that's a very 20th-century way of looking at the problem,' Clarke added. 'In the 21st century, cyberspace is what controls the country.' "

22 September 2003

Report: Lenders miss most ID theft

Report: Lenders miss most ID theft : "To banks, cell phone firms, it just looks like unpaid bills

By Bob Sullivan
MSNBC

ID theft has grown so far, so fast, because financial institutions and other lenders have missed it. A massive study of 200 million new credit card, checking account and cell phone accounts opened during 2001 with participants like Citibank, Dell, Bank of America, and T-mobile shows that 7 out of 8 identity thefts are mis-categorized as simple credit losses by lenders."

19 September 2003

JetBlue violates privacy policy

CNN.com - JetBlue violates privacy policy - Sep. 19, 2003: "NEW YORK (AP) -- Violating its own privacy policy, JetBlue Airways gave 5 million passenger itineraries to a Defense Department contractor that used the information as part of a study seeking ways to identify 'high risk' airline customers.

The study, produced by Torch Concepts of Huntsville, Alabama, was titled 'Homeland Security: Airline Passenger Risk Assessment.' The apparent goal of the report was to determine whether it was possible to combine travel and personal information to create a profiling system that would make air travel safer.

The New York-based airline sent an e-mail apologizing to angry customers and said it has taken steps so the situation will not happen again. 'This was a mistake on our part,' JetBlue chief executive David Neeleman said.

Neeleman insisted the data JetBlue provided was not shared with any government agency and that Torch has since destroyed the passenger records."

COMMENT:
========================================
Actually, now that I think about it, I have no comment. Except that Mr. Neeleman has lost this customer.

Corporate governance isn't a dirty word, honest [16sep03]

Herald Sun: Corporate governance isn't a dirty word, honest [16sep03]: "By Geoff Elliott
16sep03

SOME executives might have dismissed it as a concept revolving around the right words in an annual report but it looks like the new buzzwords in business - corporate governance - are going to start affecting balance sheets.

Once the interest rate a company was charged on its borrowings was simply a judgment on the kind of financial numbers a company could report.

But it's increasingly going to become a judgment on less tangible factors: like the quality and transparency of board practices.

Global rating agencies like Moody's, Standard & Poor's and Fitch are starting to take into account corporate governance when rating a company's balance sheet. "

Who moved my CEO? The board of directors guide to managing operational risk

Who moved my CEO? The board of directors guide to managing operational risk: "

By Peter Higgins

Operational risk is on shareholders' minds. The topics of interest at a recent NACD - Capitol Area chapter event in McLean, VA USA, included the state of the economy, the stock market and our outlook for the remainder of this year. Corporate governance and Sarbanes-Oxley were fuelling the fire for much of the debate on what was going to fix the current sentiment of investors.

The current state of mind is one of optimism and, as the speaker Dr. Robert Sweet, the chief economist and managing director of MTB Investment Group admitted, he was a little above the glass being half full. As an economist with a BA, MBA, JD and PhD he was confident that all the numbers were headed in the right direction. He only had one caveat. The risk of more corporate malfeasance was something that could change his rosy view of the economy's crystal ball.

Even in the face of huge US government deficits, our greatest threat to achieving a turnaround lies in the behaviour and ethics of our US corporate chief executives rather than the next moves by George Bush et al."

18 September 2003

Operational Significant Event Imagery

Operational Significant Event Imagery:

"The Operational Significant Event Imagery team produces high-resolution, detailed imagery of significant environmental events which are visible in remotely-sensed data available at the NOAA Science Center in Suitland, Maryland."

COMMENT:
========================================
This site will give you a "Bird's Eye View" of potential environmental threats to your organization including fires, floods, storms and other events.

Arkansas Rulings May Hurt Reputation Of Pricewaterhouse

By JONATHAN WEIL and CASSELL BRYAN-LOW
Staff Reporters of THE WALL STREET JOURNAL

TEXARKANA, Ark. -- A pair of judicial orders sanctioning PricewaterhouseCoopers LLP for misconduct in a civil lawsuit here cast a harsh spotlight on the accounting firm and its top U.S. partner, Chairman Dennis Nally, as well as their recent efforts to restore public trust in the firm.

The orders by Miller County Circuit Court Judge Kirk D. Johnson include findings of document destruction by the firm and misrepresentations by the firm to the court about Mr. Nally's knowledge of the facts underlying the suit. The findings prompted Judge Johnson to sanction PricewaterhouseCoopers $50,000 in a March 28 order for engaging in a "systematic course of conduct intended to obstruct the discovery process."

A PricewaterhouseCoopers spokesman Wednesday said Mr. Nally was unavailable to comment. In a court filing Friday, opposing a motion by the plaintiff in the case for further sanctions, PricewaterhouseCoopers wrote that "PwC has taken steps to preserve, collect and produce documents responsive to plaintiff's discovery requests. Those efforts have resulted in the production by PwC of hundreds of thousands of pages of documents, approximately 80 CD-ROMs of engagement letters (roughly equivalent to one million additional pages of information) and an additional 24 CD-ROMs and 2 DVD-ROMs of billing and invoice data (roughly equivalent to an additional two million or more pages of documents)."

COMMENT:
=====================================
Two items worth mentioning here:

1. Reputation Risk is an intangible reality. For a firm that counsels its clients on the same, this will cost them dearly. I trust they are using some of their own strategy here on how to handle this.

2. Electronic Discovery and Retention Planning. This firm already has experience in the forensic investigation process. They already know how to meet the toughest demands on their data centers. Desktop data, e-mail documents and backup tapes are frequently sought as part of the litigation process. In addition to your active systems, you may be required to analyze data residing on equipment which is no longer supported, or on tapes for which you no longer possess compatible drives. As a discovering party, you may be tasked with creating a database of responsive documents, having been provided with large volumes of electronic files in a host of data formats. Then you have to search and filter these files, de-duplicate them and convert them into formats compatible with your input requirements.

Australia law aims to cut spam

CNN.com - Australia law aims to cut spam - Sep. 18, 2003: "CANBERRA, Australia (AP) -- People sending unsolicited e-mail advertisements and messages known as spam could be fined more than a million Australian dollars (US$660,000) under tough new laws proposed by the Australian government.

Introduced to the Australian Parliament by federal Communications Minister Richard Alston, the Spam Bill 2003 would fine spammers up to A$1.1 million (US$726,000) a day for sending illegal messages.

'Spam is a menace to home and business e-mail users and is a major scourge to productivity,' Alston said in a statement Thursday. 'It is commonly used to promote illegal, offensive and unscrupulous ventures such as black market drugs, celebrity porn, bogus prizes, Nigerian money laundering and other false and/or fraudulent material.'

But Alston acknowledged the proposed law, which would likely come into force next year if it passes Parliament, would only tackle spam originating in Australia and that the legislation must be backed up by software designed to stamp it out. "

MediaGuardian.co.uk | Web firms rubbish ministers' email plan

MediaGuardian.co.uk | New media | Web firms rubbish ministers' email plan: "Owen Gibson
Thursday September 18, 2003

Internet giants including Freeserve, AOL and BT have lambasted government plans requiring them to retain every email and web page accessed by their customers for up to a year.

They have warned such a move could lead to chaos and higher prices for customers, and attacked the legislation as amounting to a snooper's charter out of keeping with consumer rights legislation.

'The government has not satisfied the industry that the data they wish to retain is of use to law enforcement agencies,' said Jessica Hendrie-Liano, who heads up a lobby group for ISP firms.

The government has outlined proposals to force internet service providers to retain logs of every email their customers send and every internet site they visit for up to 12 months.

It believes it is a vital weapon in the fight against online crime and particularly paedophilia, with growing evidence from high profile cases of internet child porn, online fraud and paedophiles using online chat rooms to 'groom' possible victims."

COMMENT:
========================================
Look for increased prices in the next year from your ISP as they have to lease more expensive real estate and build out additional infrastructure.

17 September 2003

Weakened NYSE Faces Host of Challenges

SEC Is Investigating Governance; Rivals May Be Able to Capitalize; Lobbying in Capitol Is Hampered

By KATE KELLY and SUSANNE CRAIG
Staff Reporters of THE WALL STREET JOURNAL

With Dick Grasso stepping aside, the New York Stock Exchange now faces a series of challenges without its most ferocious and familiar advocate.

The NYSE chairman and chief executive officer tendered his resignation at an emergency board meeting late Wednesday, ending a 36-year career at the Big Board.

Mr. Grasso's resignation came amid intensifying criticism about his compensation, details of which were released in late August. The compensation package included $139.5 million in deferred compensation that Mr. Grasso had agreed to withdraw as part of a contract extension into 2007. Last week, the NYSE disclosed that he had also opted to forgo an additional $48 million in deferred compensation. The Wall Street Journal had reported details of Mr. Grasso's compensation in May.

Among the issues facing the Big Board were a Securities and Exchange Commission inquiry into the NYSE's corporate-governance policies; an SEC examination of market structure; and questions about the NYSE's status as a self-regulatory organization.

16 September 2003

Va. Executive Yoran Named Government Cybersecurity Chief

Va. Executive Yoran Named Government Cybersecurity Chief (TechNews.com): "By John Mintz
Washington Post Staff Writer
Tuesday, September 16, 2003; Page E05

The Bush administration announced yesterday that a well-regarded cybersecurity executive from Virginia will become the government's top computer security official, with responsibility for protecting networks from computer worms, viruses, hackers and terrorists.

The selection yesterday of Amit Yoran as cybersecurity chief in the Department of Homeland Security follows months of complaints from private technology executives that the Bush administration had failed to focus adequate attention on safeguarding computer networks."

12 September 2003

Firms' Newest Security Measure: Their Chief Governance Officers

Today in Investor's Business Daily stock analysis and business news : "Firms' Newest Security Measure: Their Chief Governance Officers

BY DONNA HOWELL

INVESTOR'S BUSINESS DAILY

It took Robert Lamm two weeks to drive up the East Coast and get settled for a new job as director of corporate governance at Computer Associates International (CA). But during that time, his workload grew by miles.

'I think it was a two-week period during which the SEC issued more proposed regulations than it ever had in its existence,' Lamm said. 'I got here and said, "Oh my goodness, I'm really behind the eight ball. I'm going to kill a lot of trees keeping up."'

Jobs like Lamm's are hot now. More firms are hiring integrity watchdogs, now that corporate scandals have spurred tighter regulations and focused a spotlight on reputation. Some firms are adding a new high-level executive: the CGO, or chief governance officer."

COMMENT:
========================================

Why does Mr. Lamm report to the General Counsel?

11 September 2003

Two Years Later, Still Adrift?

Two Years Later, Still Adrift? - CFO Magazine - September Issue 2003 - CFO.com: "Two Years Later, Still Adrift?

After 9/11, business continuity got plenty of attention, but many companies remain ill-prepared for disaster.

Scott Leibs, CFO Magazine September 01, 2003
In the weeks following September 11, 2001, the New York Board of Trade (NYBOT) was praised, in these pages and elsewhere, for having invested in a disaster recovery plan that proved nearly priceless. The commodities exchange had been spending $300,000 annually for a backup facility that sat idle for years, an expense that had been questioned but that paid off: the exchange not only used the site in the days after 9/11 but continues to use the site as its de facto headquarters as it transitions to a new one in lower Manhattan this month.

That was the kind of success story that was supposed to galvanize the business-continuity market, highlighting as it did the vulnerability not only of computer systems but also of phone, power, and transportation grids. What had been seen as an issue affecting primarily a company's data center was now framed as a strategic imperative affecting every aspect of infrastructure."

COMMENT:
========================================

This article reinforces a simple reality: even if you have tested your BCP, it doesn't mean that your suppliers and partners have. As part of the audit of your continuous continuity (C2), include a check-up on your most vital third-party companies. They must be as prepared and resilient as you are. You may require that they be included in all of your scenario exercises so that you know their level of readiness.

Oversight of Mortgage Giants Sought

Oversight of Mortgage Giants Sought: "Oversight of Mortgage Giants Sought

By MARCY GORDON AP Business Writer

WASHINGTON (AP) - The Bush administration is seeking a stronger hand over government-sponsored mortgage giants Fannie Mae and Freddie Mac, amid accounting turmoil at Freddie Mac that has brought the departure of two chief executives since early June.

Administration officials are putting forward a legislative proposal that would shift financial regulation of the two - the biggest players in the multitrillion-dollar home mortgage market - to the Treasury Department from the Department of Housing and Urban Development and widen the government's authority over them.

Congress, which created the two companies and has been loath to rock the economically vital housing market, now may be receptive to such a plan. After Freddie Mac's accounting and management woes surfaced in the spring and brought federal investigations, members of the House and Senate proposed legislation that would tighten regulatory oversight of the two politically influential companies whose stock is widely traded."

Here are ten steps to Practice Continuous Continuity (C2) to Secure your Enterprise

From the 1SecureAudit Operational Risk eLetter - September 8, 2003

Here are ten steps to Practice Continuous Continuity (C2) to Secure your Enterprise:

1. Develop and practice a contingency plan that includes a succession plan for your executive team.

2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency won't always be available.

3. Consider creating offsite crisis meeting places for top executives and operational teams.

4. Make sure employees—as well as executives—are involved in the exercises so that they get practice in responding to an emergency and following orders in potential chaos.

5. Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.

6. Practice crisis communication with employees, customers and the outside world.

7. Invest in an alternate means of communication in case the phone networks go down, including wireless devices.

8. Form partnerships with local emergency response groups—firefighters, police and EMTs—to establish a good working relationship. Let them become familiar with your company and site.

9. Evaluate your company's performance during each test, and make changes to ensure constant improvement. Continuity plans should reveal weaknesses.

10. Regularly test your continuity plan to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of change at any company.

New purported bin Laden tape raises fear of new attacks - Sep. 11, 2003

CNN.com - New purported bin Laden tape raises fear of new attacks - Sep. 11, 2003: "(CNN) -- On the eve of the second anniversary of the September 11 attacks, a taped statement purportedly from two al Qaeda leaders is raising concerns of new terror attacks against U.S. interests.

The Arabic-language news network Al-Jazeera broadcast Wednesday what it said was a new tape of Osama bin Laden and his top deputy, Ayman al-Zawahiri, encouraging new attacks against Americans.

The voice claiming to be bin Laden praises the suicide hijackers who crashed jetliners into the World Trade Center, Pentagon and a Pennsylvania field two years ago, killing more than 3,000 people. He mentions several of the hijackers by name. "

10 September 2003

How to "HIPAA" - Top 10 Tips

With the April and October deadlines approaching, the AMA is offering physicians these tips, which are thoroughly explained in the free booklet (PDF format) How to "HIPAA" - Top 10 Tips.

1. Understand the deadlines and move to compliance.

2. Know your compliance requirements.

3. Prioritize your compliance activities.

4. Ask the right questions.

5. Choose and use consultants wisely.

6. Learn from trusted sources.

7. Separate fact from fiction.

8. Visit Web site resources often for the latest updates.

9. Talk to your patients.

Look to the AMA for updates - http://www.ama-assn.org

"Security: it's your job, managers told"

Overseas Security Advisory Council: "Security: it's your job, managers told" from MIS on Wednesday, September 10, 2003

Corporate managers, rather than security professionals, should be accountable for IT security breaches, according to the federal Attorney-General's department.

Security is 'everyone's business', but managers must accept ultimate responsibility for their department's IT protection, says Peter Ford of the Attorney-General's department's information and security law division.

'Managers, for example, should be accountable for breaches of security in the same way as they are accountable for working within their budgets,' Ford told delegates at last week's Information Security World conference and expo in Melbourne. 'While this is a simple proposition, it is a radical departure from the traditional rule-based approach to security, which allows managers to leave security issues to the attention of security professionals and encourages a culture of compliance.'

Security issues must be taken into account as 'an integral part of discharging one's responsibilities', says Ford, whether they be software designers, managers of an enterprise or consumers."

09 September 2003

How Hackers Break In To Enterprise Networks--A Step-By-Step Demo

Overseas Security Advisory Council: "How Hackers Break In To Enterprise Networks--A Step-By-Step Demo
from Internet Week on Tuesday, September 09, 2003

The SetUp

Ryan Breed is a hacker. He's honed his skills since his undergraduate days at the University of Rochester, where a cryptography course piqued his interest in network security. Breed, 28, enjoys the analysis of computer systems and 'decomposing systems and figuring out how they work.'

As a security consultant for Unisys, hacker Breed tests his mettle against company security systems, pointing out weak spots. He's gearing up to do his thing. But this evening's hack is sanctioned, commissioned, and paid for by the targeted company. Breed is an ethical hacker, a security consultant for Unisys, and tonight he's conducting a penetration test on an international business-consulting firm with 10 servers and more than 150 desktops. The name of the company and information that would disclose its identity have been withheld at the company's request."
========================================
Comment:

This article gives a taste of how companies like Unisys use ethical hacking exercises to instill in a client the fear that it is vulnerable. It shouts "Hire us now before it's too late." What is important here is to realize that any large enterprise is a dynamic environment full of moves, adds and changes. Being effective requires a daily, proactive program of internal risk management exercises, not reliance on vendors' threat exercises like this one, which are a sales tactic.

08 September 2003

An EU commissioner warned that U.S. antiterror efforts could breach European privacy laws.

Overseas Security Advisory Council: "An EU commissioner warned that U.S. antiterror efforts could breach European privacy laws.

The European Commission this week warned that a trans-Atlantic row may soon result if U.S. demands for airlines to reveal passenger information as an antiterror measure aren't backed by adequate privacy safeguards. In a letter to Secretary of Homeland Security Tom Ridge, the European Union commissioner in charge of customs issues, Frits Bolkestein, said that only a 'tightly worded undertaking' about the manner in which passenger information is handled and shared is acceptable.

'Data protection authorities here take the view that [passenger] data is flowing to the U.S. in breach of our Data Protection Directive,' Bolkestein said in his letter. 'It is thus urgent to establish a framework which is more legally secure.'

The letter was originally sent to Ridge in June but was released to journalists this week after a meeting on the topic by European Commission representatives, who said they hadn't won any significant concessions from the U.S. so far."

05 September 2003

InformationWeek > Operational Risk > European Banks May Face Big Bill For Basel II > September 2, 2003

InformationWeek > Operational Risk > European Banks May Face Big Bill For Basel II > September 2, 2003: "Large European banks will spend, on average, €115 million ($124 million at current exchange rates) over five years to comply with Basel II, a set of guidelines to overhaul banking supervision put forward by the Basel Committee on Banking Supervision, an international regulatory body, according to Forrester Research.

The research firm advises clients to embed Basel II changes into core business-improvement strategies, tying investments to improved capital efficiency and reduced operational losses. Among Forrester's recommendations: Make governance dynamic, use enterprise visibility to manage data complexity, design Basel II systems with business users in mind, and partner in industry groups to overcome operational-risk hurdles."
This is the public version of Operational Risk Blogspot.