Merrill Lynch selects SAS for Sarbanes-Oxley compliance, operational risk management:
Merrill Lynch, one of the world's leading financial management and advisory companies, has selected software from SAS, the leader in business intelligence, to help the company manage its operational risk and continue compliance with the Sarbanes-Oxley Act, the New Basel II Accord (Basel II) and other regulations.
The software solution, SAS Corporate Compliance for Sarbanes-Oxley, provides publicly traded organisations such as Merrill Lynch with a repository of financial documents, processes and controls - from across their global operations - that can be monitored, tracked and analysed.
'Merrill Lynch has built a solid reputation of responsibility, integrity and focus on its clients,' said Dr Jim Goodnight, president and CEO of SAS. 'We are very pleased to be able to provide the power of SAS software solutions for compliance and operational risk management to Merrill Lynch.'
Merrill Lynch will also use operational risk management software from SAS to identify, measure and, ultimately, reduce and control risk, Goodnight said. This combination will give Merrill Lynch an integrated, consistent interface and framework for risk and control self-assessment. As a result, it will help the company maximise the return from data-collection activities while minimising disruption to its business units.
Compliance and Sarbanes-Oxley
The Sarbanes-Oxley Act requires CEOs and CFOs of all publicly traded companies, with revenue of at least $75 million, listed on the New York Stock Exchange, AMEX or Nasdaq, to certify the accuracy of corporate financial reports. In addition, the Act requires external auditors to verify executive management's assertions about the effectiveness of internal control systems for tracking and auditing financial processes and reporting.
This new regulation places the accountability for internal financial controls squarely on the shoulders of senior company management and boards of directors. With personal accountability and corporate reputation on the line, executive management still faces a daunting challenge: collecting, organising, analysing and reporting on financial information from dozens of operational systems and general ledgers located in different business units around the world.
With SAS Corporate Compliance for Sarbanes-Oxley, global organisations such as Merrill Lynch are assisted in compliance by:
a. Assessment and validation of financial statements with sophisticated reporting and analytics.
b. Creation of an auditable, trackable, searchable repository for financial documents, processes and controls.
c. Consolidation of data from disparate sources more quickly and accurately.
d. Tracking, analysing and reporting on risks and material changes.
e. Monitoring the effectiveness of compliance and governance initiatives.
Operational risk management
Operational risk is an emerging field driven by regulations such as the New Basel II Accord (Basel II) and by the desire of financial services firms to implement sound risk measurement and risk management practices. Certain provisions within Basel II require banks and financial services firms affected by the accord's regulations to accurately evaluate and measure potential operational losses resulting from inadequate or failed processes and technology, as well as losses due to external events or human error. Basel II further requires that these firms set aside capital to cover these potential losses.
The integration of software for Sarbanes-Oxley compliance and operational risk management is a natural step for institutions that strive to go beyond pure compliance. Assessing, testing and reporting on financial controls are integral elements of operational risk management.
Operational risk management, however, is more than a compliance issue. It is widely acknowledged as a best practice within the financial services industry because it can enhance shareholder value by driving improvements in business processes, corporate governance, business continuity planning and financial transparency.
27 February 2004
26 February 2004
European differences in business continuity management revealed
European differences in business continuity management revealed:
SunGard Availability Services surveyed businesses across Europe to find out how prepared they would be if disaster should strike and confirmed that there are fundamental differences in attitudes to business continuity across Europe.
The results showed that, as a whole, businesses in the European Community are reasonably well prepared, with 80 percent of all respondents stating they had a business continuity plan in place. However, when the results were analysed by country noticeable differences became evident. While 96 percent of UK and Swedish respondents said they had a plan in place, closely followed by Germany (84 percent) and Italy (76 percent), France lagged behind with less than half of French companies questioned (48 percent) saying they had a business continuity plan.
Upping the stakes to the board
European boards appear to be taking business continuity more seriously. 84 percent of German respondents said that their board was now very aware of the need for business continuity. France and Sweden come second in the league when it comes to the board making business continuity a priority (72 percent), closely followed by the UK (68 percent).
Overall, a third (31 percent) of respondents across Europe said that a board member was now responsible for business continuity. However, only four percent of French respondents said that a board member had this responsibility, with the bulk of the burden remaining with the IT or business continuity manager. The results also show that Swedish boards take business continuity most seriously as 68 percent of those questioned said that a board member was now responsible, followed by Germany (48 percent) and the UK (36 percent).
The top reason across all countries for the board taking an interest in business continuity was the realisation that they relied heavily on IT to remain in business. This was followed by customers starting to ask for evidence of business continuity programmes, which was compounded by increased industry regulation. However, only France (12 percent), the UK (10 percent) and Italy (6 percent) cited September 11th or the threat of terrorism as a factor that made the board put business continuity on the priority list.
CSO and CERT Security Capability Assessment Tool
CSO and CERT Security Capability Assessment Tool:
Welcome to the Security Capability Assessment Tool, created by CSO Magazine and the Software Engineering Institute’s CERT Coordination Center. This is an exercise for security professionals to assess their current security practices and to determine which practices are repeatable, documented, and regularly reviewed and updated -- characteristics that enhance security strategy and policies. Results of the overall Security Capability Assessment Tool findings will be available at CSOonline.com later this year.
HOW IT WORKS
The tool is organized into four topic areas -- Risk Assessment/Management, Management and Policy, System and Network Management, and Physical Security. Questions within each practice topic area are listed in the recommended order for moving from least capable to more capable. The first column captures the presence or absence of a particular practice (initial condition or starting point). The presence of repeatable processes (column 2) indicates greater capability. And the presence of assigned roles (column 3), process documentation (column 4), and process review and update (column 5) is even more capable.
After completing each section and submitting your responses, the tool will calculate your score for each section. Along with your score you will also receive a customized list of online resources tailored to your information needs as determined by the Security Capability Assessment Tool.
25 February 2004
Anti-Terrorism Network Launched
Anti-Terrorism Network Launched:
System Allows Agencies Across Country to Share Data Instantaneously
By Spencer S. Hsu
Washington Post Staff Writer
Wednesday, February 25, 2004; Page B01
Hundreds of federal, state and local intelligence and law enforcement agencies will be able to share threat reports, investigative leads and potential evidence instantaneously under a new counter-terrorism computer system announced yesterday by Homeland Security Secretary Tom Ridge.
Developed since the September 2001 terrorist attacks, the Homeland Security Information Network is part of a sweeping data-sharing policy adapted by federal authorities. The network, created in response to presidential priorities, is designed to prevent acts of terror and to give local police chiefs, mayors and governors greater access to federal intelligence.
Ridge announced the launch of the system in the Joint Operations Command Center at Washington's police headquarters, where he was joined by Mayor Anthony A. Williams (D) and officials from New York City and California, who developed the system with the Defense Intelligence Agency.
'In this new post-9/11 era, a new philosophy is required -- a philosophy of shared responsibility, shared leadership and shared accountability,' Ridge said. 'The federal government cannot micromanage the protection of America.'
Cybercrime Costing UK Business Billions
Reuters-Cybercrime Costing UK Business Billions:
By Bernhard Warner, European Internet Correspondent
LONDON (Reuters) - Cybercrime cost British companies hundreds of millions, and perhaps billions, of pounds in lost business last year, and the next wave of Internet attacks is likely to be more severe, a conference heard on Tuesday.
In a police survey of 201 of Britain's largest companies, 83 percent said they had experienced some form of cybercrime in 2003, costing more than 195 million pounds in business downtime, lost productivity and perceived damage to their brand or share price.
'Whilst it is too early to put an accurate figure on the total financial impact for UK businesses, all the indicators suggest that we are talking about billions rather than millions,' Len Hynds, head of Britain's National Hi-Tech Crime Unit (NHTCU), said at the e-Crime Congress in London.
The crime wave's biggest target was the financial sector. Three UK financial services firms, which the NHTCU declined to name, reported cybercrime-related damages totaling more than 60 million pounds last year.
A relatively new crime hitting the sector is known as 'phishing' where fraudsters send dubious e-mails or create spoof Web sites hoping to entice users to hand over their credit card or banking details.
Most major UK banks have been hit by the scam, including Barclays, Lloyds TSB and NatWest. Hynds said 50 UK businesses reported they were the victim of phishing attacks last year.
EASTERN EUROPEAN AND ASIAN CRIME GANGS
Police blame organized crime gangs, particularly those in Eastern Europe and Asia, as the biggest culprit for the outbreak.
24 February 2004
Extension of Compliance Dates Regarding Internal Control Over Financial Reporting Requirements
Extension of Compliance Dates Regarding Internal Control Over Financial Reporting Requirements:
FOR IMMEDIATE RELEASE
2004-21
Washington, D.C., Feb. 24, 2004 - The Commission has extended the compliance dates for amendments to its rules under the Securities Exchange Act of 1934 that were adopted on June 5, 2003, pursuant to Section 404 of the Sarbanes-Oxley Act. The amendments require a company to include in annual reports a report by management on the company's internal control over financial reporting and the accompanying auditor's report.
Under the new compliance schedule, a company that is an 'accelerated filer' as defined in Exchange Act Rule 12b-2 (generally, a U.S. company that has equity market capitalization over $75 million and has filed at least one annual report with the Commission), must begin to comply with these amendments for its first fiscal year ending on or after Nov. 15, 2004 (originally June 15, 2004). A non-accelerated filer must begin to comply with these requirements for its first fiscal year ending on or after July 15, 2005 (originally April 15, 2005). The Commission similarly has extended the compliance date for related requirements regarding evaluation of internal control over financial reporting and management certification requirements, including certification and related requirements applicable to registered investment companies. Please refer to Release No. 33-8392 for more detailed information.
Greenspan: Curb Fannie, Freddie Growth
Reuters-Greenspan: Curb Fannie, Freddie Growth:
Greenspan Calls For GSE Curbs
By Mark Felsenthal
WASHINGTON (Reuters) - Federal Reserve Chairman Alan Greenspan on Tuesday urged Congress to rein in Fannie Mae and Freddie Mac, warning that unchecked growth in the housing finance giants will likely threaten the U.S. financial system.
'Most of the concerns associated with systemic risks flow from the size of the balance sheets that these GSEs (government-sponsored enterprises) maintain,' Greenspan told the Senate Banking Committee.
'GSEs need to be limited in the issuance of GSE debt and in the purchase of assets, both mortgages and non-mortgages, that they hold,' he added, implying the size of their holdings and the need to keep growing made them vulnerable.
He also called for clarity in the government's backing for the companies -- which are shareholder-owned but congressionally chartered -- saying the current ambiguity had the potential to cause a 'very serious' financial problem.
Fannie Mae's (FNM.N) and Freddie Mac's (FRE.N) debt is not backed by the government. But advantages through their charters, including multibillion-dollar emergency credit lines, foster a perception the government would rescue them if necessary.
Greenspan's testimony comes as Congress works to create a new regulator for the two mortgage finance giants and 12 Federal Home Loan Banks, after problems including an accounting scandal at Freddie Mac.
He noted the two companies 'collectively dominate the financing of residential housing in the United States' and stand behind more than $4 trillion of mortgages.
He said 'the most crucial issue' for lawmakers as they assess how to tighten their regulation is the potential threat they pose for economic stability.
Terrorism Risk Management for Critical Infrastructure Protection - A Series
By Peter L. Higgins
1SecureAudit LLC
Part II
The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety, given the proper incentives, is vital to the overall risk management of critical infrastructures. The assessment of terrorism vulnerability in key buildings identified as soft targets can be a key component of the risk rating for a specific structure. For owners to benefit from the potential of reduced premiums from direct insurers, they must be able to demonstrate a combination of risk mitigation measures and programs that improve the survivability of the infrastructure or reduce its vulnerability to certain threat scenarios. These need to be exercised on a continuous timetable with extensive documentation, training and reporting.
For insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the building's physical vulnerabilities. Even more essential, however, is an understanding of the operational and human attributes of the building that contribute to the proactive tactics for preventing losses and further exposure to potential terrorism risk. If this step takes place, insurers can better evaluate these operational and human elements to determine the value and effectiveness of those tactics so that they can be considered for premium reductions. The building itself, two miles from the White House, has little chance of moving outside the high-risk zone for terrorist events. The only methods for reducing risk exposures are to dramatically change the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that reside there.
More on this series over the next few weeks.
Banks falling behind on Basel II
Banks falling behind on Basel II:
Many banks are falling behind on their projects to implement the Basel II Accord on capital adequacy (the amount of capital required to be held to meet risk), according to a global survey by KPMG of 294 financial institutions in 38 countries. Around half are still only in the pre-study or assessment phase. Implementation is due in 2007, but requires that banks are using Basel compliant systems and data for several years before then.
Amongst UK banks, progress is generally greater - but they have concerns around the cost of implementing Basel, lack of IT flexibility, and uncertainty over how the regulator will be assessing the robustness of the systems they have developed. Many banks are also concerned about the disclosure requirements under Basel. These concerns reflect both the considerable amount of information that will need to be published, and the danger of misinterpretation by the markets.
Globally, around 10 percent of banks are still establishing their Basel teams - and in the Asia Pacific region this climbs to as high as 22 percent. Only eight percent of banks have reached the testing and validation phase of their project on credit risk (although this rises to 15 percent in the Americas). Yet testing and validation is one of the key phases of the overall project and one that often proves difficult to complete. Banks therefore need to be reaching that stage soon, at least for their main portfolios - but for a large number of banks, this does not look likely.
Although many banks are struggling to keep their Basel project on track, there is a clear consensus amongst them of the benefits of implementing the Basel requirements. The most widely perceived benefit is an improved credit rating system, followed by improved management of operational risk. A reduction in capital requirements was only the fourth most highly rated benefit.
23 February 2004
Outsourcing: Danger to Privacy
OSAC - Outsourcing: Danger to Privacy:
from Wired News
Article ID: D140322
Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad.
In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards.
'In my view, American companies which are outsourcing consumer data to foreign countries must assume responsibility for the data,' Feinstein wrote.
All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so.
Companies increasingly are outsourcing more than just programming jobs to places like India. They are using foreign accountants to prepare U.S. tax returns, foreign radiologists to examine X-rays and even foreign clerks to transcribe dictation of sensitive medical data from American doctors. In these cases, most Americans have no idea that someone outside the United States handled private information about them. More worrisome, Americans might not be able to sue or collect damages from foreigners who misuse the information."
It Takes a Special Person to Be an Auditor
It Takes a Special Person to Be an Auditor:
By Ralph Kolts
February 2004 (SmartPros) -- The job of an internal auditor is to evaluate, analyze, reach conclusions, and provide objective opinions. The job is like that of a doctor, assessing the health of the company, diagnosing illness, and prescribing a course to recovery. To do this, the auditor must possess special qualities:
An auditor is multi-skilled, understanding every part of the business, and closely aligned with business objectives.
An auditor has the ability to sift through minute detail, while keeping the big picture in mind.
The auditor faces difficult problems and oftentimes difficult people, while maintaining the cool calmness that comes with experience and self-confidence.
The auditor is the shining example of commitment, dedication, contribution, and hard work – because everyone is watching to see if the auditor stumbles.
An auditor has thick skin, a controlled temper, natural curiosity, unforgiving tenacity and even a sense of humor.
Auditors maximize the synergy that comes from team effort, sharing their own knowledge and expertise for collective success, while maintaining their unique individualism.
The auditor's customer is . . . well, everyone.
An auditor is a lifetime student, always learning new technologies and continuously improving.
An auditor is able to build positive working relationships with those who may see them as a distraction – earning, every day, the trust and respect of wary and suspect minds.
Troubles are part of the job; it just goes with the territory. The auditor sees each problem as an opportunity, deflecting obstacles like a super hero deflects bullets.
An auditor is a quantitative analyst, critic, ethicist, economist, engineer, detective, change agent and above all the consummate professional.
When faced with a dilemma, the auditor resorts to clear thinking and level-headed decision-making.
An auditor is an expert project manager, able to plan, organize, and execute complex projects -- on schedule, while juggling several other equally complex projects at the same time.
Auditors are not afraid to tackle unpleasant tasks. They ask the tough questions.
An auditor is an accomplished communicator, and an even better listener.
Waste, poor quality, inefficiency, and unmanaged risk are the enemies of every auditor.
Rewards, recognition, and even a simple “thank-you” can be few and far between. The auditor’s job satisfaction comes from knowing the results of their work add value and prevent bad things from happening.
The auditor always represents the best interests of the company and leadership, while encouraging excellence from each organization, and nurturing the best talents and effort from every individual.
An auditor does all this while being underappreciated, underinformed, isolated and sometimes excluded.
The job of an internal auditor is special and not just anyone can do it. It is a profession filled with excitement and purpose; important work, that demands special people to carry it out. Yes, it takes a special person to be an auditor.
© Copyright Jim Kaplan AuditNet is a registered trademark of Jim Kaplan
COMMENT:
==================================================
You may have heard it before: auditors, whether internal or external to the organization, are the most feared and the most loved persons at any moment in time. These professionals work with a sense of mission that propels them to succeed, regardless of the obstacles or setbacks. They eat these for every meal to give them the strength they need to outsmart and defeat the adversary. These days, management views names like Donaldson, Spitzer, Greenspan and Ashcroft as the attackers to their enterprise. While this may be their perception, without competent mission-oriented internal and external auditors these managers will certainly see agenda items like MyDoom, SoBig, Basel, OBL, OCC, FTC and SOX as "Hot" topics at the next Board Meeting.
22 February 2004
SEC chief's stock high despite funds, NYSE scandal
"SEC chief's stock high despite funds, NYSE scandals:
(Page 1 of 2)
By Kevin Drawbaugh
WASHINGTON, Feb 22 (Reuters) - When William Donaldson took over to wide acclaim as top U.S. markets cop a year ago, Richard Grasso was still ringing the Big Board bell and mutual funds were still seen as beyond reproach.
Times have changed. Grasso is out at the New York Stock Exchange. The mutual fund industry is mired in scandals.
And Donaldson? After a turbulent year as chairman of the U.S. Securities and Exchange Commission, he is pushing ahead with a range of reforms and getting reviews more measured than his first few months, but still generally favorable.
In an interview, the 72-year-old Wall Street banker cited one first-year frustration. 'Being hit by the mutual fund thing was a disappointment,' but he added, 'I'm very pleased with the way we've gone after these abuses.'
Donaldson headed the SEC at a tough time. It was grappling in February 2003 with the end of Chairman Harvey Pitt's troubled tenure and a crushing workload to implement dozens of post-Enron reforms ordered by Congress.
'There was a feeling of pressure here and morale problems,' said the co-founder of investment bank Donaldson Lufkin & Jenrette and former NYSE chairman. 'We're on an uptick now.'
Outside critiques of his performance are broadly positive.
'I have been delighted by a number of the things he's done ... I don't want to say he's done everything I wanted. But I've been happy,' said Nell Minow, outspoken investor advocate and co-founder of The Corporate Library, a research firm."
20 February 2004
Terrorism Risk Management for Critical Infrastructure Protection - A Series
By Peter L. Higgins
1SecureAudit LLC
The process and systems for managing Terrorism Risk are changing as the commercial real estate finance and building owners or developers strive to establish new standards. Critical Infrastructure Protection is a national priority. The key catalysts for change could further motivate implementing new risk reduction programs and measures.
Some of the key catalysts for change are:
Insurance – those institutions that are sharing risks that a building owner faces.
Finance – banks, REITs (Real Estate Investment Trusts), and others such as pension funds that provide the capital for investments in commercial infrastructure.
Regulation – Federal, State and Local jurisdictions that regulate building design, construction and operations.
Overall Terrorism Risk Reduction begins with these key catalysts in concert with owners of critical infrastructure, whether that is an office building, a hospital or a hotel. These soft targets are where the risk management decision-making is already taking new directions.
In order to introduce new changes in process or design that impact the physical or operational aspects of buildings (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners. Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety. First, however, we must understand the character of terrorism risk in critical infrastructure and the tools currently available to help manage that risk.
More on this series over the next few weeks.
19 February 2004
DHS Launches Protected Critical Infrastructure Information Program
DHS Launches Protected Critical Infrastructure Information Program to Enhance Homeland Security, Facilitate Information Sharing:
Press Releases
For Immediate Release
Press Office
Contact: 202-282-8010
February 18, 2004
The U.S. Department of Homeland Security announced today the launch of the Protected Critical Infrastructure Information (PCII) Program. The PCII Program enables the private sector to voluntarily submit infrastructure information to the Federal government to assist the Nation in reducing its vulnerability to terrorist attacks.
Critical infrastructure includes the assets and systems that, if disrupted, would threaten our national security, public health and safety, economy, and way of life. Although these industries, services and systems may be found in both the public and private sectors, the Department of Homeland Security estimates that more than 85 percent falls within the private sector.
Under provisions of the Critical Infrastructure Information Act of 2002 (CII Act), information that is voluntarily submitted per those provisions will be protected from public disclosure until and unless a determination is made by the PCII Program Office that the information does not meet the requirements for PCII. If validated as PCII, the information will remain exempt from public disclosure. The rule establishing the procedures for PCII was published this week in the Federal Register. The PCII Program Office is part of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate and is charged with receiving submissions, determining if the information qualifies for protection and, if validated, sharing it with authorized entities for use as specified in the CII Act.
Initially, the PCII Program Office will limit the sharing of PCII to IAIP analysts. PCII may be used for many purposes, focusing primarily on analyzing and securing critical infrastructure and protected systems, risk and vulnerability assessments, and assisting with recovery as appropriate. The IAIP Directorate plays a critical role in securing the homeland by identifying and assessing threats and mapping those threats against vulnerabilities such as critical infrastructure.
Effective immediately, members of the public who wish to submit information may do so through the PCII Program Office.
For more information about the PCII Program, or to access the PCII regulation, please visit the PCII Program Office website.
###
Enron boss surrenders to FBI
Times Online - Enron boss surrenders to FBI:
From Agencies
Jeffrey Skilling, the former Enron chief executive, has surrendered to the FBI following reports that he had been indicted for his part in the collapse of the former energy giant.
Mr Skilling, who resigned from Enron less than four months before the company failed, entered the FBI's Houston headquarters accompanied by a team of lawyers at 6:52am local time.
The surrender follows reports that he had been indicted yesterday by a federal grand jury. Mr Skilling is expected to appear in court later today.
Mr Skilling would be the most high profile Enron executive yet to face criminal charges over the demise of the power trading company, which filed for bankruptcy in December 2001 in one of America's most notorious corporate collapses."
18 February 2004
The Willis Commentary on...Real Estate Insurance
The Willis Commentary on...Real Estate Insurance
NEW YORK--(BUSINESS WIRE)--Feb. 17, 2004--If you don't think that insurance is a critical factor in the viability of the real estate industry, think again. Most of the headline issues in the insurance world echo those that real estate concerns must address every day. Environmental exposures such as asbestos, mold and lead. Security issues, including terrorism. Spiraling Healthcare and Workers' Compensation costs. And out-of-control liability verdicts across the spectrum. The availability and pricing of coverage for all of these risk factors can contribute to escalating costs for risk transfer at a time when the vacillating economic climate means reduced revenues for many with real estate interests. The result? Those either owning or managing real estate are being squeezed from two sides.
Now for the good news: For most companies in real estate-related businesses, insurance market prices are going down and capacity is going up in 2004. This doesn't mean everyone. Risks must be well managed, and loss experience good. The insured properties must be outside of areas prone to catastrophic perils - Florida and California, for example. But for good real estate risks, Property rates may fall as much as 20 percent. General liability programs may see reductions up to 10 percent.
Real estate insurance buyers will note that while premium pricing may be easing, underwriters are generally holding firm on terms and conditions. In this respect, no return to a soft market is coming any time soon. Exclusions for mold, of particular interest to property owners, are for the most part a fact of life.
Improvements in market conditions, furthermore, do not apply across all lines of coverage. Directors & Officers and Workers' Compensation lines are posing difficulties to buyers, and savings in these areas aren't forthcoming. In terms of expense management, the biggest challenge facing the real estate industry today is managing the cost of employees, especially Workers' Compensation and Healthcare coverage. In a recent survey, hoteliers reported that Healthcare and Workers' Compensation costs represented the second biggest business problem they face (the first on the list was energy costs).
While the message of the moment is still positive, the improving market is quite precarious. A catastrophic loss - an earthquake, hurricane, terrorist incident - could have immediate and dramatic consequences. The same may apply to the question of whether the government's terrorism backstop, TRIA, is extended past 2005. If it is not - and current indications are that it is unlikely to be extended - repercussions will be felt in the Property markets. Capacity for risks in major US cities could be greatly restricted.
Given these uncertainties, real estate risk managers might want to consider long-term strategic moves - forming a captive, for instance - that are usually reserved for times of market hardening. Good deals may be easier to come by than stability these days, but stability may be the more prudent goal.
Willis Group Holdings Limited (NYSE:WSH) is a leading global insurance broker, developing and delivering professional insurance, reinsurance, risk management, financial and human resource consulting and actuarial services to corporations, public entities and institutions around the world. With over 300 offices in more than 100 countries, its global team of 13,000 associates serves clients in some 180 countries."
17 February 2004
The SEC Opens the Boardroom to Unhappy Investors
Corporate Board Member March/April 2004
Feature Story
by Rob Norton
Proposed new rules would make it far easier for dissident shareholders to nominate their own directors. Here are four things boards can do now to get ready for this latest reform.
Adding to the array of new rules imposed on corporate boards over the past two years, the Securities and Exchange Commission is marching down a road of regulatory change that could have a further profound impact on the way boards operate. Under proposals put out for comment last October, shareholders unhappy with the composition of a company’s board will be able, in certain circumstances, to choose and nominate new board members, and companies will be required to put those nominees on the proxy for a vote of all the shareholders. The comment period closed in December, and the SEC is considering the input.
The proposed new rules address longstanding complaints by institutional investors that boards have ignored their suggestions on such matters as anti-takeover measures, excessive executive pay, and board composition. The rules continue the drive toward greater board independence fostered by legislation like the Sarbanes-Oxley Act, as well as previous rule changes by the SEC and new regulations of the New York Stock Exchange and the National Association of Securities Dealers. Says SEC chairman William H. Donaldson: “Board unresponsiveness, sometimes tied to corporate governance weaknesses, demonstrates the need for shareholders to have a more meaningful voice in the proxy process.”
Until now, corporations have controlled access to the proxy-voting process despite periodic efforts to open it up to shareholders. The only way that investors unhappy with a board’s makeup could nominate candidates of their own was to launch a proxy battle—a complicated process that includes mailing out a separate set of proxies and typically costs several million dollars. Since those costs are borne by the dissidents, proxy battles have been rare except in connection with takeovers or buyouts. “The SEC’s proposal is a very significant event,” says Richard Steinberg, principal of Steinberg Governance Advisors in Westport, Connecticut, and formerly corporate governance leader at PricewaterhouseCoopers. “Until now, shareholders needed a large war chest to challenge a board. This takes those big dollar requirements out of the picture and certainly has the potential to make major changes in board composition.”
The SEC isn’t ushering in an era of unfettered shareholder democracy. To ensure that proxy access and nomination authority would be invoked only when a significant proportion of shareholders had shown dissatisfaction with the current board, under the proposed rules one of two “triggering events” would have to occur.
Breach Brigade
Breach Brigade - CSO Magazine - February 2004:
When bad things happen to your enterprise, you'll need a team and a process in place to help you survive the hot glare of media scrutiny.
BY TRACY MAYOR
CSO Online
A COMEDIAN ONCE suggested that an executive's only viable option when cornered by Mike Wallace and his 60 Minutes crew is to fall to the floor and feign death. Let them in the door and you're toast; keep them out and you only incriminate yourself in the eyes of judgmental viewers.
These days, corporate security executives can be forgiven for secretly wanting to roll over and play dead themselves. Boxed in on one side by new public disclosure laws and regulations, and on the other by an evermore savvy and sensationalistic press, CSOs increasingly must find successful strategies for responding as their breaches play out in the public arena.
Thankfully, say experts, there are alternatives to chaos and panic when a physical or digital security incident (or both, as seems to have been the case in last August's power grid failure) becomes a matter of public knowledge.
Connie Emery, chief privacy and security officer at Tenet HealthSystem, is one security executive who's been blindsided by a breach and lived to tell the tale. When an internal user error sent confidential patient information to the wrong person, that individual called a local news station rather than the hospital to report the incident, triggering every CSO's worst nightmare.
Letters of the Law
When security has been compromised, containment is the first responsibility of that crack incident-response team you've put together. Simultaneously, the team will also need to determine what information must be disclosed or should be disclosed—and to whom.
On the "must" side of the equation, laws such as California's much-discussed Information Practices Act (SB 1386) increasingly play a part in determining who gets told what and when. (The law requires that companies doing business in California or having customers in the state promptly notify those customers whenever their personal information may have been compromised.)
At the same time, federal legislation is changing the way specific industries operate. In financial services, for example, the Safeguards Rule of the Gramm-Leach-Bliley Act mandates how financial institutions design, implement and maintain safeguards for customer data. Particular sections of the Sarbanes-Oxley Act require companies to audit the controls and processes underlying financial reporting and to disclose in real-time any material events that might impact a company's financial standing.
In health care, the Health Insurance Portability and Accountability Act (HIPAA) has radically changed nearly every aspect of how patient data is collected and handled by hospitals, health-care providers, insurers, doctors' offices, billing companies and others.
"When you have an unauthorized disclosure of patient health information, HIPAA comes into play, and we have to get our HIPAA experts involved," says Anthony Potter, director of security at the Forsyth Medical Center in Winston-Salem, N.C. "In a situation like that, it's in our absolute best interest to be very forthcoming with information. There are criminal penalties attached for not doing so."
During a breach, the last thing you want is to have any member of your response team rummaging through desk drawers or flipping through compliance manuals. To be prepared, make sure at least one member of the team is current on all of your company's legal disclosure obligations. Make sure your legal or compliance colleagues have clearly posted and explained these confidentiality laws to employees (which should also reduce the number of inadvertent breaches); and make sure your company is gathering physical and digital compliance data on an ongoing basis."
16 February 2004
Commercial Real Estate: U.S. Landlords Face Post-9/11 Standards
Commercial Real Estate: U.S. Landlords Face Post-9/11 Standards:
By TERRY PRISTIN - NYTimes.com
Published: February 11, 2004
"The devastating effects of the terrorist bombing of the Alfred P. Murrah federal building in Oklahoma City in 1995, which claimed 168 lives, prompted new design standards for making government buildings - particularly those housing law enforcement and intelligence agencies - less vulnerable to explosives.
But it was not until a year ago that a subcommittee of the Interagency Security Committee began trying to establish nationwide standards for 150 million square feet that the federal government leases from private landlords. This process has proved challenging because safety measures are costly, whether they involve giving up space so that a building can be set far back from the curb or hiring guards and installing electronic turnstiles to limit access.
Real estate industry representatives have met several times with federal officials during the past year to seek assurance that landlords will not have to foot the additional costs, which they say could make it impractical for them to lease space to government agencies. 'There could be a crisis in the private sector if the numbers don't work,' said Ron Burton, the vice president for advocacy for the Building Owners and Managers Association International, a trade association with 18,900 members in North America. 'Our members are in the business of making a profit.'
Some developers say they are incorporating security features into their new buildings as if the standards had already been imposed. Patriots Plaza, a million-square-foot project being developed by Trammell Crow in southwest Washington, is being billed as the first private speculative office complex that was designed specifically to meet post-Sept. 11 security standards. Thomas E. Finan, a Trammell Crow principal based in McLean, Va., said that while the collapse of the twin towers had refocused attention on building security, the engineering principles being applied stem from Oklahoma City because car bombs or other explosives were considered the most likely form of attack.
"Nobody is attempting to create an impenetrable envelope where you can't fly an airplane into a building," he said. In Washington, where building height is limited to 12 stories, an airplane attack on an office building is considered unlikely.
In an effort to protect occupants from chemical or biological attacks, air intake equipment would be on the roof, as it is in most buildings here, Mr. Finan said. But he said much less was known about how to prevent death or injury from this type of attack than from an explosion.
As they wait for the new security standards to be announced, building owners and managers already have more than an inkling of what they are likely to entail.
In November 2002, before the decision was made to adopt nationwide guidelines, the General Services Administration drafted standards for Washington and its surrounding suburbs, where the federal government leases about 47.6 million square feet of space. Based on standards that were developed for the Department of Justice, the guidelines divide leases into four categories, depending on the number of employees in the building and the nature of the work being performed, and are more demanding for new construction than for existing buildings.
The strictest standards pertaining to setbacks, blast-resistant windows, and access control for entrances and parking lots would be applied to buildings with more than 450 employees. Classified as Level 4 buildings, they would generally be more than 150,000 square feet in size and likely to house law enforcement and intelligence agencies deemed to be at high risk of attack.
At the opposite end are Level 1 buildings with 10 or fewer employees who have little contact with the public. But a smaller building could fall into the Level 4 category if, for example, space was occupied by a day care center."
Terrorism and Preparedness for Real Estate Finance & Critical Infrastructure
The Real Estate Investment Trust (REIT) industry, building owners and managers including the commercial real estate portfolios of the real estate finance business are responding to the A.M. Best Company requests for the Supplemental Rating Questionnaire (SRQ) from their insurers. Critical Infrastructure Protection is vital to a comprehensive risk management strategy and insurers are being asked to model terrorism attack scenarios to high exposure targets. Managing the risk of property and workers comp losses must be addressed with the mindset that they can be correlated with specific types of terrorist threats.
The real estate finance industry requires proven solutions and tools for the evaluation of building threat/hazard/vulnerability assessments and the evaluation of physical and operational measures for Terrorism Risk.
1SecureAudit Terrorism and Preparedness Solutions include:
* Rapid screening methods for the evaluation of portfolio properties
* Detailed guidelines for mitigation and due diligence on individual infrastructures
* Legally accepted standards for risk reduction measures and management practices related to terrorism risk.
“We solve the problem for real estate owners and financiers who are required to provide terrorism risk models for their insurers and board of directors,” said Peter L. Higgins, Managing Director of 1SecureAudit LLC. “Our proven combination of services, Commercial-Off-The-Shelf (COTS) software and business audit solutions answers the requirements for comprehensive Business Crisis and Continuity Management in the building owners and REIT industry.”
“REITs invest in a variety of commercial property types: shopping centers, apartments, warehouses, office buildings, hotels, and others. Some REITs specialize in one property type only, such as shopping malls, self-storage facilities or factory outlet stores. Health care REITs specialize in health care facilities, including acute care, rehabilitation and psychiatric hospitals, medical office buildings, nursing homes and assisted living centers. Some REITs invest throughout the country or in certain other countries. Others specialize in one region only, or even a single metropolitan area."
1SecureAudit Terrorism Risk Solutions utilize Five Factor Antiterrorism analysis supported by an XML Risk-Based Decision Support System. This system applies a knowledge-based Bayesian network to allow users to combine intelligence from analytic models, simulations, historical data and user judgments. This provides a customizable software system designed to assist both Antiterrorism and Counterterrorism planners to draw inferences about the risk of potential terrorist attack. This enables you to deter, defend and defeat plots against your organization and its most vital assets. This tool, based on government and commercial best practices, augments the expertise of the auditor by providing simulation scenarios and weapon effects, intelligence to predict threat likelihood and integration with asset management and security planning modules.
In light of current insurance and regulatory scrutiny, 1SecureAudit solutions provide systematic due diligence that results in more effective selection of mitigation measures that insurance companies see as having the greatest cost benefit for reducing risk.
New York Preparing for WMD Attacks
New York Preparing for WMD Attacks:
'We're thinking about the unthinkable'
Sunday, Feb. 15, 2004 01:44 p.m. EST
"We're thinking about the unthinkable — what a few years ago was the unthinkable," Police Commissioner Raymond W. Kelly says as the New York Police Department works with city health officials, federal authorities and other agencies preparing for a possible attack with nuclear, biological or chemical weapons.
According to a report in the New York Times, some features of the program that some national security and law enforcement officials describe as unrivaled among American cities are the following:
# Training and drilling special units to board cruise ships from helicopters and piers, and beginning to review floor plans of most large Midtown theaters and conduct exercises inside.
# Working on a pilot program that they hope will ultimately allow testing the air across the city for biological agents.
# Fashioning a citywide plan to get antibiotics or vaccine to every resident after a widespread attack with biological weapons.
# Conducting a drill with the city's medical examiner's office to prepare for a chemical weapons attack that would litter the streets with contaminated bodies.
# Beginning chemical and biological training for entire units, with the goal of having 10,000 officers ready in time for the Republican National Convention.
# Preparing a plan to house and feed thousands of police officers, in some cases in schools, to help keep them working in the aftermath of a catastrophic attack.
# Continuing the use of more than 700 personal radiation detectors for more than a year to identify unusual radioactive materials, checking trucks on the street and cars and garages around the city, among other areas.
# Working on a plan to distribute atropine anti-nerve agent auto-injectors to all city police units to enable them to respond more quickly to a chemical weapons attack.
# Changing the city's health code to allow the city to detain anyone health officials suspect of having been exposed to a deadly infectious pathogen.
"They are trying to do what Washington is supposed to be doing, but isn't," said a former national security official in the Clinton and the second Bush administrations, Richard A. Clarke.
14 February 2004
Meeting the challenge of uncertain times
Meeting the challenge of uncertain times:
Many organisations have still to translate their business continuity plans from hard-copy format into a technology-driven total business continuity process, says Monica Visconti.
Never has it been brought home more forcefully than now that, in times of great threat and danger, processes need to be firmly in place to ensure full business continuity in the wake of a disaster or emergency.
With the possibility of a future terrorist attack ever present in people’s minds, the ability for businesses to be swiftly back up and running, should an incident occur, is now seen as critical.
Across businesses everywhere, this imperative has of late been at the heart of their strategic thinking. Yet many organisations have still to translate their business continuity plans, however well developed and considered they may be, from hard-copy format into a technology-driven total business continuity process.
Implementing such processes grows increasingly urgent, for the need to have an automated business continuity plan in place is driven by many factors other than the more high-profile concerns now commanding public attention.
Few business strategists would dispute the fact that today's organisations depend on all manner of technologies for business agility. Indeed, in 2001 Thomas Ridge, director of US Homeland Security, revealed how far information technology has wormed its way into our lives when he pointed out that Americans rely on a complex network of critical infrastructure and information systems. Shut down the infrastructure, he warned, and you shut down America.
Apart from acts of terrorism, there are a multitude of scenarios that can have a devastating impact on the day-to-day operations and future viability of any organisation. All operations are vulnerable to industrial accidents, human error, power and network outages, flooding and storm damage, as well as the increasingly sophisticated activities of cyber-terrorists.
Moreover, these are not future threats – they are the constant reality that every business organisation lives with and that can happen at any time.
Monica Visconti is strategic marketing manager, Remedy UK. Remedy UK are exhibiting at the Helpdesk & IT Support Show 2004. This features over 70 exhibitors and a free education programme of 50 independent and vendor led seminars. Now in its 8th year The Helpdesk & IT Support Show 2004 runs from 27th to 29th April 2004, at the National Hall, Olympia, London.
Many organisations have still to translate their business continuity plans from hard-copy format into a technology-driven total business continuity process, says Monica Visconti.
Never has it been brought home more forcefully than now that, in times of great threat and danger, processes need to be firmly in place to ensure full business continuity in the wake of a disaster or emergency.
With the possibility of a future terrorist attack ever present in people’s minds, the ability for businesses to be swiftly back up and running, should an incident occur, is now seen as critical.
Across businesses everywhere, this imperative has of late been at the heart of their strategic thinking. Yet many organisations have still to translate their business continuity plans, however well developed and considered they may be, from hard-copy format into a technology-driven total business continuity process.
Implementing such processes grows increasingly urgent, for the need to have an automated business continuity plan in place is driven by many factors other than the more high-profile concerns now commanding public attention.
Few business strategists would dispute the fact that today’s organisations depend on all manner of technologies for business agility. Indeed, in 2001 Thomas Ridge, director of US Homeland Security revealed how far information technology has wormed its way into our lives when he pointed out the Americans rely on a complex network of critical infrastructure and information systems. Shut down the infrastructure, he warned, and you shut down America.
Apart from acts of terrorism, there are a multitude of scenarios that can have a devastating impact on the day-to-day operations and future viability of any organisation. All operations are vulnerable to industrial accidents, human error, power and network outages, flooding and storm damage, as well as the increasingly sophisticated activities of cyber-terrorists.
Moreover, these are not future threats – they are the constant reality that every business organisation lives with and that can happen at any time.
Monica Visconti is strategic marketing manager, Remedy UK. Remedy UK is exhibiting at the Helpdesk & IT Support Show 2004, which features over 70 exhibitors and a free education programme of 50 independent and vendor-led seminars. Now in its 8th year, The Helpdesk & IT Support Show 2004 runs from 27th to 29th April 2004 at the National Hall, Olympia, London.
13 February 2004
A Bigger Picture
Risk Management - Treasury and Risk Management - CFO.com:
But companies should be careful not to let risk and compliance become synonymous—or, more to the point, to allow IT products and services companies to co-opt the term for a narrow set of applications. Next year the Enterprise Risk Management Framework being developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which is a private-sector initiative to improve financial reporting, will be released, having completed a public-comments phase last month. The framework is an ambitious attempt to clarify a process by which a company's board, senior executives, and other stakeholders can identify and manage all types of risks in the context of a company's risk appetite and overall business objectives.
While COSO stresses that in this regard ERM is much broader than regulatory compliance, it does acknowledge the critical role that effective internal controls will play. That will no doubt inspire IT companies to emphasize the efficacy of their products in assessing risks beyond noncompliance. Watch for ERM, therefore, to generate even more buzz—and confusion.
Enterprise Risk Management: Toward a Definition
* Makes each area manager responsible for documenting and evaluating financial controls in his or her own area. People closest to each business unit manage the data, which improves accuracy and completeness.
* Identifies areas with inadequate control measures so action plans can be initiated to resolve problems.
* Tracks the progress of outstanding action plans, describes who is responsible for those actions, and sets the expected time for resolution.
* Protects against fraud with systematic data management that ensures multiple reviews and verification.
* Raises the level and precision of reporting to management.
* Puts 'localized knowledge' to work. Area managers become empowered to understand the impact of their roles on corporate results.
Got you by the Googles
Got you by the Googles - World - www.smh.com.au:
By Yuki Noguchi
Internet search engines are increasingly being used to dig up supposedly private information, writes Yuki Noguchi.
Sitting at his laptop, Chris O'Ferrell types a few words into the Google search engine and up pops a link to what appears to be a military document listing suspected Taliban and al-Qaeda members, along with their dates and places of birth, passport numbers and national identification numbers. Another search yields a spreadsheet of names and credit card numbers.
'All search engines will get you this,' O'Ferrell says, pointing to files of spoils he has found on the internet: medical records, bank account numbers, students' grades and the docking locations of 804 US Navy ships, submarines and destroyers.
And it is all legal, using the world's most powerful internet search engine.
Cyber security experts say an increasing number of private or putatively secret documents are online in computers all over the globe, leaving governments, individuals and companies vulnerable. At some websites and message groups, techno-hobbyists are even offering instructions on how to find sensitive documents using a relatively simple search. Though it does not technically trespass, the practice is sometimes called 'Google-hacking'.
Was 9/11 attack one or two?
baltimoresun.com - Was 9/11 attack one or two?:
Numbers: A trial is to decide if insurers should treat the twin-tower attacks as one or two.
Associated Press
Originally published February 7, 2004
NEW YORK - More than two years after terrorists brought down the World Trade Center, a federal jury will begin deciding a $3.5 billion question: Is the leaseholder entitled to collect insurance for one attack or for two?
Opening statements start Monday in the three-stage trial, which pits developer Larry Silverstein against 13 insurers.
The outcome will determine whether Silverstein gets $3.5 billion or $7 billion to rebuild at Ground Zero.
Silverstein contends that the destruction of the World Trade Center constituted two attacks, because the twin towers were hit by hijacked airliners a little over 15 minutes apart.
He and downtown development officials have been counting on the larger figure to build the 1,776-foot Freedom Tower, other skyscrapers and cultural buildings on the site within the next decade.
The smaller amount could mean years of construction delays at the site, according to the agency in charge of downtown redevelopment.
"Anyone who's in New York knows that how much we recover from this lawsuit will have an impact on the rebuilding of this site," said Kevin M. Rampe, president of the Lower Manhattan Development Corp. The rebuilding costs have been estimated at between $7.45 billion and $7.86 billion, he said.
The proceedings could last months. A mediator's intervention, settlement talks and efforts by New York Gov. George E. Pataki and others failed to keep the case from going to trial.
For the insurance industry, the high dollar amounts make the case "precedent-setting and very notorious," said Don Griffin, assistant vice president of the industry group Property and Casualty Insurers Association of America.
12 February 2004
Precise Biometrics
Precise Biometrics:
Precise Biometrics develops and supplies world-leading and user-friendly biometric security solutions for authentication using fingerprints. The solutions replace keys, PINs and passwords in three areas: IT security, physical access and embedded solutions.
Our customers represent various sectors – all requiring high levels of security. The following are a few of them:
* US Department of Defense
* Federal agencies in the US
* EU government department
* Bank & Finance
* Health care
Our core technology, Precise BioMatch™, is the foundation for all our fingerprint authentication solutions, and our cutting-edge Precise Match-on-Card™ technology is expected to become a global standard for fingerprint solutions on smart cards.
Precise Biometrics’ strategic partners are well-known players in the security industry, giving Precise Biometrics a strong global presence.
SOX Section 404 Could Cost Big Companies $4.6 Million Each
SOX Section 404 Could Cost Big Companies $4.6 Million Each:
By: SmartPros Editorial Staff
Feb. 12, 2004 (SmartPros) -- Total costs of first-year compliance with Section 404 of the Sarbanes-Oxley Act could exceed $4.6 million for each of the largest U.S. companies, according to a survey of 321 companies by Financial Executives International (FEI).
The added costs are driven by a projected investment of 35,000 hours of internal manpower, $1.3 million in spending on external consulting and software, and additional audit fees of $1.5 million (a jump of 35 percent). FEI is the leading professional organization serving chief financial officers (CFOs) and other senior financial executives.
The average cost-of-compliance estimate for all companies in the survey -- where 20 percent of the respondents were from companies with more than $5 billion in annual revenue, compared to 3.3 percent in the under $25 million category -- was just under $2 million for roughly 12,000 hours of internal work and 3,000 hours of external work, plus additional auditor fees of $590,000, or a rise of 38 percent. The compliance effort is significantly larger than estimated in an earlier FEI survey. A smaller survey of 83 companies conducted in May 2003 suggested the average company expected the effort to consume 6,000 hours in total for internal, external and attestation time, and projected a rise in audit fees of 35 percent.
The average respondent expected to spend the most on external costs, which may be good news for software vendors and consultants.
'It stands to reason that larger, more complex companies will incur higher costs for implementing the internal control-related provisions of Section 404, but even for small companies the estimates are almost equally significant in proportion to revenue,' said Colleen Sayther, President and CEO of FEI. 'Only time will tell how this first-year cost will compare to the benefit for shareholders.'
On the sharp rise in audit fees, Sayther cautions, 'Until final rules are adopted for Section 404 by the PCAOB and the SEC, companies and auditors can only estimate what the jump in audit fees will be. Ultimately the fees could amount to be much higher.'
On average, companies expect to document processes at 80 percent of their locations. Across the board, companies expect the documentation to cover roughly 92 percent of their total revenues. Companies on average expect their auditor to test 57 percent of their documented processes, with the exception of the smallest companies, which expect the percentage of processes tested to be 42 percent.
According to the survey, 25 percent of respondents have already deployed their permanent solution for Section 404 compliance, while another 52 percent expect to do so in 2004. Ten percent plan deployment after 2004, while 14 percent have no specific plans to implement a solution tool at this time.
11 February 2004
CFOs Feel Their Companies are Most Susceptible to Disasters, Says Survey
CFOs Feel Their Companies are Most Susceptible to Disasters, Says Survey:
By: SmartPros Editorial Staff
MENLO PARK, Calif., Feb. 11, 2004 (SmartPros) -- In a sign of the times, many executives are concerned about their companies' ability to protect and sustain business operations in the event of a significant disruption.
According to a new survey by Robert Half Management Resources, 37 percent of chief financial officers (CFOs) said they perceive their firms to be most vulnerable in the area of disaster recovery, followed by security of information systems, at 24 percent. When the same executives were asked where they plan to invest the most dollars in 2004 to ensure future business growth, 28 percent said technology enhancement.
CFOs were asked, 'In which one of the following areas do you feel your company is most vulnerable?' Their responses:
* Disaster preparedness/recovery: 37%
* Security of information systems: 24%
* Protection of intellectual capital: 11%
* Detection of accounting fraud: 10%
* Theft by company employees: 2%
* Other: 3%
* None/not vulnerable: 11%
CFOs were also asked, 'In which of the following areas will your company invest most heavily in 2004 to ensure its future growth?' Their responses:
* Technology enhancement: 28%
* Marketing: 17%
* Training: 17%
* Additional personnel: 9%
* Acquisitions: 3%
* Other: 2%
* None/don't know: 4%
'Potential business disruptions, such as operational failures, network intrusions and e-mail viruses, are top of mind for many executives,' said Paul McDonald, executive director of Robert Half Management Resources. 'As a result, CFOs are allocating more funds to technology in 2004, in areas such as systems upgrades and implementations, and business continuity planning. In addition, firms are increasing investment in security within operating systems, across applications and throughout networks.'
McDonald added, 'CFOs and chief information officers are collaborating on technology decisions to gain the maximum return on their investment. They are addressing opportunities to enhance their systems' reliability and efficiency, increase employee productivity and boost profitability.'
2004 SmartPros Ltd. All rights reserved.
10 February 2004
SEC Wants Rogue States Ties Disclosed
SEC Wants Rogue States Ties Disclosed:
Associated Press
WASHINGTON - The Securities and Exchange Commission may be enlisted in the U.S. fight against terrorism, whether it likes it or not.
In the latest federal funding bill, Congress directed the SEC to identify U.S.-listed companies with ties to states that sponsor terrorism and to require more disclosure to investors about corporate operations in high-risk areas.
Rep. Frank Wolf, R-Va., chairman of the House Appropriations subcommittee that oversees the SEC's budget, insisted on the provisions, which were included in a report accompanying the fiscal 2004 funding bill.
President Bush signed the bill two weeks ago but noted that accompanying reports 'do not have the force of law' and 'are not legally binding.'
Wolf thinks the SEC has no choice, though.
'It's now the law and he expects them to abide by it,' said Jeff Walton, a spokesman for Wolf.
Wolf, a longtime human-rights advocate, worries that Americans may unwittingly invest in companies that do business in countries that sponsor terrorism or violate human rights. At his prodding, the U.S. budget for fiscal 2004, which ends Sept. 30, directs the SEC to establish an Office of Global Security Risk to give investors and other federal agencies a better window on business operations in states with terrorism ties.
The Business Roundtable teams up with U.VA to form Ethics Centre
The Business Roundtable teams up with U.VA to form Ethics Centre:
The Business Roundtable announced the creation of a first-of-its-kind business ethics center designed to renew and enhance the link between ethical behavior and business practices. The Center will be housed at the University of Virginia.
“This Institute is a bold investment that will bring together the best educators in the field of ethics, active business leaders and business school students to forge a new and lasting link between ethical behavior and business practices,” said Franklin D. Raines, Co-Chairman of the Business Roundtable and Chairman and CEO of Fannie Mae. “By bringing together the teaching and practice of business ethics under one roof, the CEOs of the Business Roundtable are aiming to make a lasting contribution to business ethics and the way our companies are run.”
The Business Roundtable Institute for Corporate Ethics, to be housed at the Darden Graduate School of Business Administration at the University of Virginia, is unique in its mission, its structure and its support from leading active CEOs. The Institute will conduct research, create a cutting-edge business ethics curriculum, lead executive seminars on business ethics and develop best practices in the area of corporate and business ethics. All Institute programs and resources will be open to business leaders.
The Institute will offer a series of executive-level training sessions for CEOs and any member of a corporate senior leadership team. Two sessions will take place in 2004, with the number of sessions expanding in 2005 and 2006. Institute training sessions will be open to any and all interested corporate executives and information about registration will be available through the Institute office and its official Web site, The Business Roundtable Institute for Corporate Ethics.
09 February 2004
Fears Over US Hawala Crackdown
Fears Over US Hawala Crackdown:
from British Broadcasting Corporation
Article ID: D139471
Fears have been raised that tighter regulation of the ancient hawala system of informal money transfers is harming the world's poorest economies.
The secret, ancient and complex trade in goods and money is widespread in the Middle East and Asia.
The US has been seeking to regulate hawala traders, fearing it could be used by terrorist groups to move money around the world.
But some are now fearing that this could jeopardize billions of dollars carried across borders to support trade in developing countries.
There is no direct movement of funds. Instead, a system of complex swaps is employed, using food, fuel, electronics or gold as a way of balancing the books between operators - hawaladas - in different countries.
However, because the system operates underground with no proper records, American authorities have been keen to bring it under regulation.
"Hawala is one of the important things that everybody needs to be focusing on," stressed Danny Glaser, Director of the US Treasury's Executive Office of Terrorist Financing.
"We have to make sure that all methods for transferring money - particularly for transferring funds across borders - are covered by effective anti-money laundering and counter-terrorist financing regimes.
"What we're trying to do is make things harder for the terrorist financiers - to close down as many mechanisms for moving money as we can, to make it as expensive as possible, to make it as much of a paper trail as possible, to close down as many of the bad operators as possible, to make life as difficult for them as possible, and to disrupt their activities as much as possible."
Treasury Deputy Assistant Secretary Juan Zarate - the man behind the attempt to tackle the financing of terrorism - told Assignment that it was important to track "all potential mediums" through which money could flow.
"Certainly, in terms of hawala, we are concerned that any time you have a lack of transparency, a lack of accountability with respect to the movement of money, there is potential that medium can be used by terrorists and criminals," he said.
And he stressed there was evidence that al-Barakat had been "used by al-Qaeda to funnel money to some of its allies and to support its operations.
"We've seen case studies... that provides greater incentive for us to make sure the hawala system worldwide is regulated as well as being monitored."
06 February 2004
USFA: Counter-Terrorism: Critical Infrastructure Protection
What are Critical Infrastructures?
Critical infrastructures of the emergency management and response sector of the United States (i.e., emergency managers, fire, and EMS) are the personnel, physical assets, and communication systems that must be intact and operational 24/7/365 in order to ensure survivability, continuity of operations, and mission success. In other words, they are the people and things absolutely essential to deter or mitigate the catastrophic results of all man-made or natural disasters.
What is Critical Infrastructure Protection?
Generally, critical infrastructure protection (CIP) consists of the proactive activities to protect indispensable people, physical assets, and communication systems from all hazards. More formally, it is an analytical process to guide the systematic protection of critical infrastructures by the application of a reliable decision sequence that assists leaders in ultimately determining exactly what really needs protection as well as when. As a time-efficient and resource-restrained practice, the process ensures the protection of only those infrastructures upon which survivability and mission success actually depend.
The process involves the following steps: identifying the organization's critical infrastructures, determining the threats against those infrastructures, analyzing the vulnerabilities of threatened infrastructures, assessing the risks of degradation or loss of a critical infrastructure, and applying countermeasures where risk is unacceptable.
03 February 2004
Is Floodgate Right for You?
Welcome to Floodgate: A Global Notification Solution
A Leader in Notification Delivery
Now that threats to governmental and business operations are becoming more prevalent, organizations must plan for every type of business disruption from hardware and communication failures, to natural disasters, to internal or external acts of terrorism. During these times of emergency, where every second counts, Floodgate can play a key role to an organization's communication system, and their crisis management and business continuity plans. These types of unpredictable emergency disruptions can wreak havoc on any organization, its clients and the public. As a result, business continuity planning has become a high priority as organizations recognize the importance of responding to an unplanned event, so that employees and personnel remain safe, critical business functions continue, and relevant people are fully informed.
A crucial aspect of an effective communication system or a business continuity plan is the strategy for communicating critical information to the right people at the right time. Organizations are continuously seeking solutions that will enable them to engage in coordinated, consistent, and accurate internal and external communications for a wide range of natural and man-made events. Some examples are:
* Military call to active duty and troop mobilization orders
* Unannounced school closing or announced school lockdown due to threat
* Bio-terror and health alerts, and emergency response mobilization
* Hurricane, tornado, and flood warnings
* Power outages and utility service problems
* Virus alerts, network downtime, and service interruptions for employees and/or clients
To successfully communicate with relevant parties during emergency and non-emergency events, organizations need technology solutions, like Floodgate, to enhance their preparedness and contribute to their overall security. This means that a technology solution must provide:
* High-volume communications. Floodgate provides the ability to communicate time-sensitive information quickly and reliably to potentially thousands of affected individuals within minutes.
* Immediate, multi-channeled communications. Floodgate is able to deliver instantaneous and continuous messages without delay to the appropriate audience over multiple communication channels.
* Flexible, cost-effective communications management. Message management and generation must be flexible so that an organization can respond to various types of unplanned and/or planned events. At the same time, the costs of deploying and maintaining the emergency and non-emergency communications must fit into an organization's budget.
* Secure, reliable infrastructure. Floodgate's infrastructure is guaranteed to work when the unexpected events occur, providing security, capacity and auditing required for high-volume, emergency or routine communications.
U.S. Senate Offices Closed Because of Toxic Substance (Update1)
(Bloomberg) -- U.S. Senate office buildings will remain closed today after a powder found in one of them tested positive for ricin, a poisonous substance.
The Hart, Dirksen and Russell office buildings will be closed, according to the Senate's Web site and a phone operator at the Capitol. Committee hearings have also been canceled. The Capitol itself will be open to essential personnel only.
Administration officials, including Treasury Secretary John Snow and Defense Secretary Donald Rumsfeld, were scheduled to testify before the Senate today on the president's $2.4 trillion budget proposal for the fiscal year that begins Oct. 1. The budget seeks a 9.7 percent increase in spending on homeland security.
Ricin, a poison derived from castor beans, was found in the mailroom of Senator Bill Frist in the Dirksen building yesterday. Frist, a Republican from Tennessee, said at a press conference last night the discovery is being investigated as a criminal act.
Ricin can cause death and has no known antidote. Authorities are concerned the powder may have been inhaled by people who came in contact with it, said Frist, who is also a medical doctor. Symptoms including shortness of breath or chest tightness may appear four to eight hours after exposure, he said.
The U.S. Federal Bureau of Investigation issued an alert about ricin in January last year after authorities in the U.K. found traces in a raid on a London apartment and arrested seven men associated with an Algerian extremist group. Ricin was also one of the toxic substances the Central Intelligence Agency suspected was being made in Iraq.
Corporate Governance Study Links Bad Boards to Higher Risk and Increased Volatility
Academic Research Demonstrates Financial Impact of Poor Governance
Rockville, Maryland; February 3, 2004: A study jointly released today by Georgia State University and Institutional Shareholder Services (ISS), the world’s leading provider of proxy voting and corporate governance data services, directly correlates corporate governance and company performance. The research, undertaken by Lawrence Brown, Ph.D. and Marcus Caylor of Georgia State University is the first independent academic study to clearly demonstrate the impact board composition and practices can have on company performance. The study examined the relationship between corporate governance and four important fundamental areas including: Total Return, Profitability, Risk and Dividend Payout. “Our findings reveal that companies with weaker corporate governance perform more poorly, are less profitable and have higher volatility than do firms with stronger corporate governance,” said Georgia State’s Dr. Lawrence Brown. “The average difference in annualized returns between bottom decile and top decile companies was 11.9% over the preceding five-year period. Board composition proved to be the most important factor.”
02 February 2004
Mydoom software worm knocks out SCO website
By Hiawatha Bray, Globe Staff
Computer users and security experts had nearly a week's warning to prepare for the impact of the Mydoom software worm. It wasn't enough.
The worm, which swept across the Internet last week, delivered its payoff yesterday. Infected machines launched an attack that shut down the website of SCO Group Inc., a Utah software company that has drawn the ire of Linux advocates for its dispute with IBM Corp. over the free operating system.
An official of US-CERT, the federal Computer Emergency Readiness Team, said the Mydoom attack was little more than a minor nuisance for the Internet as a whole, and a SCO spokesman said it would have little effect on the company's ability to do business.
But the incident nonetheless demonstrated that the world's top Internet security experts still don't know how to prevent such attacks.
'In future designs of the network, we need to take account of these kinds of attacks and put things in place to help deal with the effects,' said US-CERT analyst Richard Pethia.
Plot, Shield and Stay alive ... contingency planning
IT-Analysis.com
Aneet Shah
Bloor Research
There is a need for business units and their line managers to work with risk professionals within the financial institutions to make contingency plans to address the risks their company faces. Contingency planning is not just a key issue for risk managers in a business; it is the issue that brings the risk professionals together with line managers to deliver practical ways to tackle their organisations' risks.
Why is contingency planning important? Sound contingency planning is a must because it protects the organisation's balance sheet, infrastructure and business. It is an essential component of short-term plans covering emergency response and crisis management and medium term business continuity planning. It has become an important factor in getting insurance cover for the business as well as reducing the premiums!
Insurance is not the only factor to be considered in addressing contingency planning. It is also about protecting the company's assets, reputation and shareholder value. As part of contingency planning, having the plan and sufficient funds is not enough; there is a need for a broader, comprehensive business continuity strategy encompassing not just the business operations and infrastructure. For example, what impact would badly managed communications in the event of an interruption have on reputation?
Thus, from a business perspective, a lack of contingency planning has three major pain points: external image, insurance and, internally, business assets, balance sheet and resources. So what should be done to develop a good contingency plan?
01 February 2004
Flights Canceled Over Al Qaeda Attack Fears
By Claudia Parsons
LONDON (Reuters) - Western airlines grounded several flights to and from the United States Sunday amid reports U.S. officials had intelligence suggesting al Qaeda may be planning a chemical or biological attack on an aircraft.
Three intelligence officials told The Washington Post that the possible threats included releasing a biological agent like smallpox or anthrax on a plane so those aboard would spread the infection without knowing it.
British Airways, Air France and Continental Airlines canceled several transatlantic flights scheduled for Sunday and Monday citing security concerns.
A grounded BA London-Washington flight was the same service canceled several times in January because of security worries.
'There are a handful of flights we are concerned about, and British Airways has canceled about half of them,' a U.S. official said, on condition of anonymity.
'We have received threat reporting that indicates al Qaeda's desire to target these particular flights.'
The Al Qaeda network is held responsible for the Sept. 11, 2001, attacks on the United States involving four hijacked commercial planes. About 3,000 people were killed in those attacks.
U.S. Homeland Security Secretary Tom Ridge has said the U.S. government consistently receives intelligence that al Qaeda is still interested in using aircraft for attacks.
INTELLIGENCE VAGUE
The Washington Post cited intelligence officials as saying attackers could try to hijack a plane by releasing a chemical agent to incapacitate the crew and passengers or smuggle a radiological device in luggage.