30 June 2004

Saving E-Mail


Thomas Claburn and Steven Marlin, InformationWeek

Evidence that the Internet's killer app is seriously ill can be seen in the frantic efforts to resuscitate it. The past two weeks have witnessed a flurry of activity aimed at restoring trust in e-mail as a business-consumer communication tool that has been eroded by spam and e-mail-related online fraud.

How worrisome have the problems become to businesses? Bad enough that MasterCard International last week said it has created a system for round-the-clock monitoring to inform 25,000 financial-institution members worldwide within four hours of when such a scam starts. Bad enough that fierce rivals in the e-mail business -- America Online, EarthLink, Microsoft and Yahoo -- agreed last week to support each other's e-mail-authentication standards. It's also prompting a consortium of the 100 largest financial institutions to develop a common database to share reports of attacks and responses, and forcing some banks to reconsider how they use e-mail to communicate with customers.

MasterCard is using digital fraud-detection technology from NameProtect as part of a more-proactive approach to online fraud that lets the company detect scams as they unfold and work with police to block them before losses occur. 'We're concerned that somebody step up to the plate because consumer confidence is at stake,' says Sergio Pinon, senior VP of MasterCard's global security and risk services.

Research firm Gartner estimates that 57 million Americans in the past year received phishing e-mails -- messages sent to lure people to phony Web sites asking for financial information. During a two-week period in December, 60 million phishing messages were sent, according to the Anti-Phishing Working Group, of which both MasterCard and NameProtect are members. Identity theft is the endgame for many phishing schemes and has been the No. 1 consumer complaint to the Federal Trade Commission in the past four years. Gartner estimates that phishing-related fraud cost banks and credit-card companies about $1.2 billion in direct losses in the past 12 months.

29 June 2004

More Board Independence, Less Fraud?

More Board Independence, Less Fraud? - CFO.com:

A new study finds that ''a higher proportion of independent outside directors is associated with less likelihood of corporate wrongdoing.''

Stephen Taub, CFO.com

The more independent directors on a company's board, the less likely it is to be accused of fraud, according to a study published in the June issue of Financial Analysts Journal, a publication of the CFA Institute.

Three professors — Hatice Uzun of Long Island University, Samuel Szewczyk of Drexel University, and Raj Varma of the University of Delaware, Newark — examined 133 companies accused of fraud between 1978 and 2001. The researchers matched them with 133 companies — of similar size and in the same industries — that had not been accused of fraud, then compared the two groups for statistically significant differences in board member independence, board size, frequency of board meetings, and other variables.

Compared with the control group, companies that had been accused of fraud had a lower percentage of independent directors (that is, board members with no business or personal ties to the company) and a lower percentage of outside (that is, non-executive) directors.

The boards of companies accused of fraud were also less likely to have an audit committee. In addition, their audit, compensation, and nominating committees also had a lower percentage of independent directors.

28 June 2004

Banks Report Widespread Challenges Remain in Their Basel II Preparations, According to Global Survey


Survey by Accenture, Mercer Oliver Wyman and SAP Shows Areas of Concern and Significant Regional Differences in Preparation for Basel

LONDON, June 28 /PRNewswire-FirstCall/ -- Many of the world's largest banks see significant challenges remaining in their preparations to implement the Basel II Capital Accord, according to a global survey of banks sponsored by Accenture, Mercer Oliver Wyman and SAP.

Substantial numbers of banks surveyed report uncertainty over budgets, a lack of confidence in their risk-management frameworks and economic capital systems, and insufficient progress in implementing the credit-risk measurement tools required to meet the new regulation. Survey results indicate that U.S. and Asia-Pacific banks lag behind their European counterparts in several key areas of preparation for Basel II.

The survey of executives responsible for Basel II compliance at 97 of the world's 200 largest banks in April and May was designed to gauge how major banks worldwide are responding to the challenges of the Basel II Accord just before the announcement of final rules in late June. Basel II updates and expands 1988 capital rules for risk-management practices that align capital more closely with operational, credit and market risks for banks operating internationally.

Other major survey findings include:
-- Uncertainty on the total cost of compliance is broad, with nearly a third of survey respondents saying they remain unsure of the total cost of their Basel II program. Of those banks providing estimates, most banks with assets under US$100 billion expect price tags of euro 50 million or less while nearly two-thirds of larger banks project costs of more than euro 50 million.
-- The majority of banks said they see significant benefits from Basel II, especially in improved capital allocation and better risk-based
-- More than 70 percent of banks surveyed are planning to adopt Basel II's advanced regulatory approaches on both the credit risk and operational risk sides.
-- Common expectations of increased competition in retail and small-and-medium-enterprise (SME) lending, consolidation among corporate and specialized lenders, and more selective approaches to emerging-market

Concerns remain

The survey indicates that many banks have significant work remaining to satisfy the requirements of two of the three major elements of Basel II: setting up a risk-based supervisory structure within the bank and increasing market discipline through expanded disclosure. Nearly two-thirds (63 percent) of banks surveyed described their enterprise-wide risk management framework as poor or average. Just over 60 percent of respondents described their economic capital systems as poor or average.

Basel II will also require banks to make significant changes to their business practices. Nearly 90 percent of survey respondents say change is likely in their operational risk management processes. In addition, almost 8 in 10 bank executives say that their credit risk management processes are likely to change.

25 June 2004

Homeland Security Launches Critical Infrastructure Pilot Program to Bolster Private Sector Security

DHS | Department of Homeland Security | Homeland Security Launches Critical Infrastructure Pilot Program to Bolster Private Sector Security:

Press Releases

Homeland Security Launches Critical Infrastructure Pilot Program to Bolster Private Sector Security - Dallas First of Four Pilot Communities Sharing Targeted Threat Information

For Immediate Release
Office of the Press Secretary
Contact: 202-282-8010
June 23, 2004

Homeland Security Information Network - Critical Infrastructure

The U.S. Department of Homeland Security, in partnership with the local private sector and the Federal Bureau of Investigation, today launched the first Homeland Security Information Network-Critical Infrastructure (HSIN-CI) Pilot Program in Dallas, Texas, with locally operated pilot programs in Seattle, Indianapolis and Atlanta to follow. The pilot program will operate throughout the course of this year to determine the feasibility of using this model for other cities across the country.

The HSIN-CI pilot program, modeled after the FBI Dallas Emergency Response Network, expands the reach of the Department’s Homeland Security Information Network (HSIN) initiative--a counterterrorism communications tool that connects 50 states, five territories, Washington, D.C., and 50 major urban areas to strengthen the exchange of threat information--to critical infrastructure owners and operators in a variety of industries and locations, first responders and local officials. As part of the HSIN-CI pilot program, more than 25,000 members of the network will have access to unclassified sector-specific information and alert notifications on a 24/7 basis.

“The Homeland is more secure when each hometown is more secure,” said Secretary of Homeland Security Tom Ridge. “HSIN-CI connects our communities – the government community to the private sector community to the law enforcement community -- the better we share information between our partners, the more quickly we are able to implement security measures where necessary.”

The HSIN-CI network allows local and regional areas to receive targeted alerts and notifications in real time from the Department’s Homeland Security Operations Center (HSOC) using standard communication devices including wired and wireless telephones, email, facsimile and text pagers. The network requires no additional hardware or software for federal, state, or local participants. The technical capacity of the network includes the ability to send 10,000 outbound voice calls per minute, 30,000 simultaneous inbound calls through an information “hotline,” 5,000 simultaneous email messages and 3,000 simultaneous facsimile transmissions in the event that information needs to be communicated. In addition, the HSIN-CI network, in partnership with the FBI, provides a reporting feature that allows the public to submit information about suspicious activities through the FBI Tips Program that is then shared with the Department’s HSOC.

24 June 2004

Secure, or Just Paranoid?

Secure, or Just Paranoid? | BankInfoSecurity.com:

By John Irving

Today's business is increasingly dependent on information systems in one shape or another. As with most things there's good and bad - easy access (good), and security threats (bad). Let's not get into the political aspects of the information revolution, but let's examine the commercial implications, and some of the inherent risks.

Most companies are making little progress in countering rising information security threats. Many business systems aren't designed with information security in mind, but for efficiency and transparency - but are these two objectives incompatible? It's not just a big company issue. Information security affects SMEs as much as multi-nationals. No one is immune; even if you don't run your own IT systems anymore, it's still an issue. It's increasingly common that outsourcing contracts include information security clauses.

Threats come from cracking, intrusion, and virus software to name just a few. Countermeasures are often hardware based as software based encryption can be cracked quite easily (ask Microsoft) - but it takes time and effort to implement and maintain an effective information security system. We're talking Deep Packet Inspection firewalls, hardware based intrusion prevention, data storage encryption, data integrity, and biometric identity verification devices to name just a few.

Not all cracking activity and viruses are malevolent; some only aim to obtain email directories, using the addresses to replicate elsewhere. But even this seemingly innocuous activity creates major issues - the resulting increase in network traffic can clog up systems, hindering legitimate communications, with huge cost implications.

Damage to systems and data isn't the only issue - that's mostly repairable, but the damage to a company's reputation can have huge consequences, and be difficult to put right. Financial institutions and other organisations trade on trust. If integrity is compromised it can take years to recover; that's why many information security breaches are quietly brushed under the corporate carpet.

There's another aspect to consider. In the US the Sarbanes-Oxley Act is the latest hard-hitting piece of legislation driving IT direction and spending, and may influence UK Subsidiaries.

The UK has at least nine Acts of Parliament and industry specific regulations impacting information security, including The Data Protection Act; The Turnbull Report; Basel II; and The Computer Misuse Act. Some of these statutory requirements have real teeth, and shouldn't be dismissed. Directors are increasingly being held personally responsible for corporate actions, including information security. Large fines, or worse, may await those Directors who are found lacking by the Courts seeking to enforce information security laws.

IT Directors now face a simple choice - defensively sit still and react only when something happens, or pro-actively plan to implement new IT security policies and procedures that can deliver demonstrable bottom line benefits. It's the ones that do something that will be appearing on the front pages of IT magazines in a few years' time, whilst the 'do nothings' may instead be looking at a P45, or even a court summons.

Web Hosting Industry News | Redbus Earns Security Accreditation


(WEB HOST INDUSTRY REVIEW) -- Colocation and managed services provider Redbus Interhouse (interhouse.net) announced on Tuesday that its Amsterdam data center is the first in Europe to be awarded the BS7799 accreditation, a benchmark for information security.

'With security paramount in our customers' businesses, it is imperative that we provide clients with a guarantee that the information they are processing is appropriately protected,' says Adriaan Oosthoek, Netherlands country manager for Redbus Interhouse. 'We're really delighted to have received the BS7799 accreditation, which is only awarded to companies who can prove high levels of competence in information security management.'

The company said it is confident that its data centers in London, Milan, Paris and Frankfurt already meet the standards for BS7799 certification and will receive the accreditation in due course.

'This accreditation further demonstrates to our customers, prospects and staff that we are continuing to take our responsibilities as a colocation and managed services provider very seriously,' says Mike Tobin, CEO of Redbus Interhouse. 'It is a strong endorsement of our leading position in the colocation marketplace that we are the only independent colocation organization to have achieved this important accreditation. What customers need to know is that we do not compromise on security. Thanks to this unique accreditation, we can prove exactly that and provide our customers and Redbus Interhouse with a major competitive advantage.'

23 June 2004

The Best Anti-Terror Force: Us


Flight 93's Networked Heroes

By J.B. Schramm

On Sept. 11, 2001, American citizens saved the government, not the other way around.

A first review of the Sept. 11 commission's report indicates that the system failed, but that is wrong. While the U.S. air defense system did fail to halt the attacks, our improvised, high-tech citizen defense 'system' was extraordinarily successful.

Confronted by a cruel and diabolical surprise that day, those with formal responsibility for protecting our country from air attack could not defend us. For example, according to the commission's report, all the terrorist aircraft had crashed before Vice President Cheney issued orders for our military to down the planes seized by terrorists. Not only were those orders irrelevant, they were never even delivered to our fighter pilots. This is not surprising given that the command-and-control structure required so many baton handoffs in the 77-minute response window between the crashes of the first and fourth terrorist aircraft.

What is surprising is that an alternative defense system, one with no formal authority or security funding, did succeed, and probably saved our seat of government. The downing of United Flight 93 in Pennsylvania was a heroic feat executed by the plane's passengers. But it was more: the culmination of a strikingly efficient chain of responses by networked Americans.

Requiring less time than it took the White House to gather intelligence and issue an attack order (which was in fact not acted on), American citizens gathered information from national media and relayed that information to citizens aboard the flight, who organized themselves and effectively carried out a counterattack against the terrorists, foiling their plans. Armed with television and cell phones, quick-thinking, courageous citizens who were fed information by loved ones probably saved the White House or Congress from devastation.

The foremost strategic question we need to ask ourselves is not, 'How did the government/CIA/FAA fail us?' Rather, we should ask: 'How did the networked citizens on the ground and in the sky save us?'

First, we Americans need to see ourselves as our brave fellow citizens on Flight 93 saw themselves, as front-line combatants in this struggle. There is no gated community safe from the threat, and there are no professional, volunteer armed forces that can, alone, fight this enemy. Not only should we aspire to match the great homeland sacrifices of citizens in World War II, we must see ourselves, and prepare ourselves, as the front line in this struggle.

This raises profound questions for all citizens and especially for those vying for leadership in Congress and the presidency. Would universal national service better prepare us for this role? Should citizens be provided with more 'intelligence' about terrorist threats? How do you train 280 million Americans as homeland defenders?

From a military perspective, our only effective weapon against the terrorists on Sept. 11 was a connected, smart-thinking citizenry. Educating and equipping critical-thinking, network-savvy citizens will be key to winning this war of infiltration and surprise. Our front-line citizens in the next attack may not be highly networked 'frequent fliers.'

Second, we need to ensure that the communications infrastructure, including broadcast, Internet and telecommunications, remains robust, modern and accessible.

Finally, we should consider what other social challenges can be addressed by providing an infrastructure for citizens to organize around. The U.S. government's role in enabling a competitive broadcast media and telecommunications industry, not to mention the development of the Internet, made the citizen success on Sept. 11 possible. In commerce, eBay has built an auction block through which individuals have famously self-organized and developed rules to make trading easier. Linux provides a way for people to build and refine computer operating systems. In education, College Summit, the organization I work for, seeks to provide the infrastructure for low-income communities to self-organize, much as middle-class communities do, to get their promising young people into college.

The acts on Sept. 11 not only changed our world, they also provide a lesson for how a free, democratic nation can effectively overcome the forces of fundamentalist terror.

The writer is founder and chief executive of College Summit, a national nonprofit organization that helps low-income students through the process of applying for college admission.

We agree with the points made here about citizen soldiers. For more information on how to help your organization, building or community become a more prepared Anti-Terror force, see:
CERT Webinar - Corporate Emergency Response Team - Briefing

22 June 2004

The 10 Trickiest Legal Challenges for Directors Today


Feature Story

by David Sendler

Board members must navigate an ever more dangerous legal minefield, from dealing with stiffer standards of compliance to getting tough with CEOs. Some of the sharpest legal minds in the business rank and analyze the potential pitfalls.

If it comes to a fight, you want the best lawyers you can find. Even better, they should be on hand to keep you out of trouble in the first place. On the following pages, a panel of powerhouse professionals—13 of America’s top corporate attorneys—does just that, identifying the 10 biggest dangers directors face and suggesting ways to handle them. Heed their advice. With thanks. Just think what this would have cost you in billable hours.

Ten of the 13 were picked by peers as tops in their areas of practice in a Corporate Board Member poll three years ago. The rest—Douglas M. Hagerman, Kate H. Murashige, and Robert S. Strauss—have been singled out for distinction in other issues of the magazine.

In ranking legal traps, these superstar attorneys emphasize the importance of protecting shareholders, corporate employees, and your own reputation and personal assets as you serve on a board. And Robert S. Bennett of Skadden Arps Slate Meagher & Flom LLP in Washington, D.C., offered a provocative parting shot.

“Let’s urge Congress to apply to itself the principles and spirit of Sarbanes-Oxley, which emphasizes the importance of integrity, accountability, and independence,” Bennett said. “Imagine if Congress did what it demands of corporate America:
“No perks or pork.
“Financial accountability.
“No ‘I’ll scratch your back if you’ll scratch mine.’
“Imagine how great it would be if Congress treated all citizens as it demands that corporations treat shareholders.”

1. Mastering the Art of Compliance

Directors are increasingly being taken to task for corporate compliance failures, as we saw in the recent federal appellate decision holding that the directors of Abbott Labs could be held liable for its FDA fines. In addition to setting an ethical tone, boards need to monitor management’s design and implementation of compliance programs. The Justice Department and the U.S. Sentencing Commission have said that the existence of effective compliance programs can lead to more lenient sanctions against companies whose employees commit illegal acts. Implementation is as important as having a program, however, because having policies in place and not following them can make matters worse.

Douglas M. Hagerman, 43
Senior Vice President and General Counsel, Rockwell Automation, Milwaukee

Directors will have to adapt to the aggressive regulatory environment without becoming risk-averse. The idea is to build a profitable company and make money for stockholders while staying out of jail.

Robert S. Bennett, 64
Skadden Arps Slate Meagher & Flom, Washington, D.C.
Criminal Defense And Complex Civil Litigation

4. Handling A Crisis
Boards should require management to have a crisis plan. Without one that can immediately be put into effect, a company can make very large mistakes. There could be an investigation, an explosion, a research report that gets negative press, and if crucial decisions are not made effectively and quickly it could have enormous financial and other implications.

Sheila L. Birnbaum, 64
Skadden Arps Slate Meagher & Flom, New York City
Class-Action Defense

Crisis handbooks and crisis simulations are very important but can only go so far. The board cannot anticipate and prepare for every major issue that will arise, so it must make sure that the top management fosters open communication and the highest standards of compliance.

Robert S. Strauss, 85
Akin Gump Strauss Hauer & Feld, Washington, D.C.
Domestic And International Strategic Relations

It's good to see that the top lawyers in America think that mastering the art of compliance and handling a crisis are tricky legal challenges. Corporate management and boards of directors already know this. The question is, what are they doing about it with their employees and their customers on a consistent and documented basis today? Most organizations we talk to think they are going to be protected by their lawyers or the local first responders by hitting the speed dial or 911. This perception is what puts these same companies into situations where they are quickly paralyzed and unable to recover in a timely manner. Be Proactive. Be Preventive. Be Relevant. Be Supportive. With Sally at the front desk, Harry on the warehouse dock and Joe in Human Resources. They are the ones most likely to save your institution from "Red" zone operational risk.

Outsourcing Obstacles


By Cynthia Ramsaran

Because of political pressure and security concerns surrounding offshore outsourcing, U.S. financial institutions have reservations about pursuing the benefits of contracting with an overseas third party, suggest industry observers. But setting up and maintaining safe offshore outsourcing relationships is possible if realistic goals and strict legal guidelines are defined.

Offshore outsourcing is controversial largely because of the social impact of losing jobs to low-wage countries. But the savings theoretically can free up resources for more highly skilled and higher-paying jobs in the U.S., it has been suggested. Most banks have a long list of projects stalled because of a lack of resources. With offshore outsourcing, banks should be able to reallocate budgets and redeploy IT staff to meet unfilled needs, according to Virginia Garcia, senior analyst at TowerGroup (Needham, Mass.). 'Cutting costs and cutting staff is not the case with institutions with a backlog of IT projects,' asserts Garcia. 'Banks may say, "I'm going to get my people to work on this backlog while I outsource and free up capital for IT spending."'

However, according to Garcia, many banks still are looking to offshore providers simply to cut costs. 'Job loss is very painful, and it is contributing to the negativity [about] offshore outsourcing,' she says. But, Garcia adds, redeploying some jobs to current employees, while outsourcing other jobs overseas, can sometimes quiet the negative buzz offshore outsourcing has been generating.

Although job loss in the U.S. is one of the most critical issues of offshoring, data security concerns speak more directly to firms' bottom lines. And though many banks are saving money by outsourcing business processes and call centers overseas, their ROI cannot be calculated without factoring in the cost of keeping data safe.

By being proactive in risk management, banks can be comfortable with their overseas outsourcing arrangements, according to Tom Patterson, former partner emeritus, security services, at Deloitte & Touche Germany, and author of Mapping Security, due out this fall, which covers the security aspects of outsourcing offshore. But not all banks are spending the money to ensure that non-U.S. employees are trustworthy, and that is where the trouble begins, asserts Patterson.

21 June 2004

House Rejects Extra Security Aid to High-Risk Cities

House Rejects Extra Security Aid to High-Risk Cities:

The New York Times

WASHINGTON, June 18 - In a blow to the New York metropolitan region's antiterrorism efforts, the House rejected a move Friday to provide nearly $500 million to pay for security initiatives in cities believed to be at greatest risk of attack.

By a vote of 237 to 171 that largely split lawmakers along regional lines, the House rejected an amendment that sought to shift $446 million from a nationwide antiterrorism program to one specifically aimed at New York City and other high-risk cities.

The action brought swift condemnation from New York officials, who have long complained that the federal government gives out millions of dollars in security money to every state, regardless of its vulnerability, in pork-barrel fashion.

The harshest criticism came from Mayor Michael R. Bloomberg, a Republican who announced that New York City was canceling its membership in the National Association of Counties to protest the group's opposition to the measure.

'We are not getting our fair share of Homeland Security money,' Mr. Bloomberg said. 'To say it's a disgrace is being too charitable.'

'The fact of the matter is that when you catch a terrorist with a map in their pocket, the map is of New York City,' the mayor said. In Albany, Gov. George E. Pataki, also a Republican, expressed his disappointment with the vote, noting that New York was far more vulnerable to a terrorist attack than other parts of the country.

'To allocate funding across the board to states as opposed to on a threat-based analysis is wrong,' Mr. Pataki told reporters.

The battle over money for high-risk cities now moves to the Senate, where members of both parties have been more evenhanded in determining how aid is distributed.

Senator Hillary Rodham Clinton, Democrat of New York, did not rule out offering an amendment seeking additional money for high-risk cities when the matter comes to the floor in the Senate.

'I'm going to continue to explore every legislative option we have in order to provide an adequate level of funding for New York's security needs,' Mrs. Clinton said.

The measure defeated in the House was advanced by a group of New York lawmakers who spent days trying to round up support. Its two chief sponsors were Representative John E. Sweeney, a Republican from the Albany area, and Representative Carolyn B. Maloney, a Democrat from Manhattan.

If the votes are any indication, the dispute is more complicated than a mere partisan fight. Seventy Republicans - many of them from large urbanized states like California, Florida, Illinois, New Jersey and Pennsylvania - joined with 101 Democrats to support the measure. But 89 Democrats - many of them from heavily rural states - joined 147 Republicans to reject it.

The measure seeking the additional $446 million for high-risk cities was offered as an amendment to a bill that calls for providing $33 billion for the Homeland Security Department next year. The House later on Friday approved the overall $33 billion Homeland Security spending plan by an overwhelming 400 to 5.

The additional $446 million would have been squeezed out of roughly $1.2 billion set aside for emergency workers in communities across the nation, no matter their size or their vulnerability.

In all, the Homeland Security bill the House considered calls for providing slightly over $1 billion for cities believed to be at the greatest risk of an attack. The Senate version of the bill sets aside $1.2 billion for high-risk urban areas.

The issue is crucial to New York City officials. The city spends as much as $1 billion a year on antiterrorism measures, and the Bloomberg administration is seeking $400 million in federal security aid for the budget the mayor proposed for the fiscal year that begins in July.

In his comments on Friday, Mr. Bloomberg seized on the House vote as an opportunity to emphasize his concerns about the way Washington apportions security money.

He said 'the political pressures' in Congress had turned the allocation of security money into a pork-barrel program in which small states received far more dollars per person than those states at greater risk, like New York.

The mayor said that New York, for example, gets about $5.47 a person in antiterrorism financing, while Wyoming receives $38 a person and Vermont receives $31.

In rambling comments that reflected his frustration and dismay, Mr. Bloomberg also criticized officials from largely agricultural states who have argued that they, too, desperately need federal money to protect the nation's food supply.

'Everybody can always say, "Well, we have security issues,"' he said. 'You know, one guy said to me that, "Yeah, the corn and soybean crops are our food supply and therefore this country needs a food supply, we've got to protect it." You know, I've never seen a terrorist with a map of a cornfield in his pocket. Come on. Let's get serious to what this is about, why this money should be going to places like New York City.'

18 June 2004

NYU Launches Business Continuity Planning Certificate in Fall 2004; Intensive One-Year Program For Executives

NYU Launches Business Continuity Planning Certificate in Fall 2004; Intensive One-Year Program For Executives:

Training In Homeland Security and Continuation of Operations in Face of Disaster or Attack

New York University's School of Continuing and Professional Studies (www.scps.nyu.edu) will launch this fall a new professional certificate in Business Continuity Planning to educate private-sector executives to develop plans and manage continuation of business operations in the midst of natural disasters, such as flood, fire or earthquake, or man-made calamity, such as terrorist attack.

The certificate is an intensive one-year program designed for mid- to senior-level managers, part of the School's new homeland security curriculum that includes certificates in Emergency Management and Homeland Security. Taught by leading security experts and continuity professionals, these programs will also tap into other University faculty and academic resources, such as the NYU Center for Catastrophe Preparedness and Response (NYU CCPR) and the NYU Medical School.

According to Howard Greenstein, director of the NYU SCPS Center for Management, training in this area is in high demand, as businesses try to respond to a new security-conscious environment. For example, insurers are increasing demands that their policyholders have business continuity systems in place, and businesses must comply with new government security rules from the SEC and the Sarbanes-Oxley law.

'Security experts make clear that business continuity cannot be separate from a company's finance, budget and control, information technology, information security management, operational risk management and crisis communications departments. NYU's new Business Continuity Planning certificate will educate executives how to manage and coordinate all business protection issues under one umbrella, thus ensuring effective oversight of all critical continuity processes.'

17 June 2004

Phishing alliance formed as Gartner study unearths big losses

Phishing alliance formed as Gartner study unearths big losses:

16 June 2004 - Over a dozen multinationals from the financial, telecommunications and computer industries have formed a group to combat phishing crimes, in which scam artists use stolen passwords to hijack Internet bank accounts. The formation of the alliance comes as a new study from Gartner indicates that US banks suffered losses of $2.4 billion in thefts from customer accounts in the past 12 months.

Founding members of The Trusted Electronic Communications Forum (TECF) include ABN Amro, E*Trade Financial, Fidelity, Fleet Boston, HSBC, National City Bank, Royal Bank of Scotland and Schwab. The consortium says it will research and promote technical standards and best business practice in the fight against phishing, spoofing and identity theft.

Milton Santiago, SVP, ABN Amro Services Company, says: 'We recognise that phishing and spoofing is a serious problem for our customers and, as such, it needs our immediate attention.'

According to Gartner, illegal access to current accounts is the fastest-growing type of US financial consumer fraud, and thieves appear to be proliferating through online channels.

Based on a survey of 5000 online US adults in April 2004, Gartner estimates 1.98 million online adults have experienced this sort of crime in the past 12 months. The cost is approximately $2.4 billion in direct fraud losses, or an average of $1200 per victim.

16 June 2004

Terror groups shifting sights to 'soft targets'

Terror groups shifting sights to 'soft targets':

By Lisa Hoffman
Scripps Howard News Service

The revelation Monday of an alleged terrorist conspiracy to blow up an Ohio shopping mall came not long after the federal government publicized a separate plot to target New York apartment buildings.

Taken together, these reported schemes give added weight to the contention by terrorism experts inside and outside the Bush administration that it is so-called 'soft targets' that are now in terrorists' sights.

As government buildings, airports and power plants have been enveloped in tighter security measures, lesser-protected targets such as malls, schools, hotels and stadiums have grown more attractive to those seeking to attack America at home, experts said Monday.

'If terrorists want to strike at the heart of America, they are more likely to strike next where we're not prepared. It's only logical,' said Kenneth Trump, president of National School Safety and Security Services, a national consulting firm based in Cleveland.

Earlier this year, the FBI and the Department of Homeland Security spread the word that Islamic extremists have shown interest in recruiting women and men who don't look like they are of Middle East descent to carry out attacks at shopping malls, subway stations or bus lines.

On Monday, Attorney General John Ashcroft announced that a native of Somalia living in Ohio had been indicted on suspicion of conspiring to detonate a bomb at an unidentified shopping mall in the Columbus area.

You Bought It, Now Audit

You Bought It, Now Audit

Your technology infrastructure can be audited -- and probably should be.

Bob Violino, CFO IT

These days, audits are rarely a source of solace, but finance executives who find IT daunting may actually be relieved to know that IT audits are suddenly in vogue, and provide exactly the sort of big-picture view that most CFOs need. IT audits are not, as you may have guessed, a matter of pure accounting. The term covers a lot of ground, but in general it can be thought of as the processes by which organizations evaluate virtually any aspect of their technology controls, capabilities, and performance. While IT audits have been conducted by some companies for years, they're moving into the mainstream as regulatory compliance, risk management, and information security become higher corporate priorities.

If done properly, experts say, IT audits not only reveal weaknesses in compliance, security, and other areas but also help companies save money by finding ways to use IT hardware and software more efficiently and get a better handle on technology assets. Organizations can use IT audits to ensure that their technology initiatives are in sync with business goals and practices.

'These audits provide our CIO with an independent and objective review of his areas to ensure data resources are protected, appropriate internal controls are in place, systems are designed and developed to meet our business needs, and internal system resources are used effectively and efficiently,' says Ken Askelson, IT audit manager at retailer J.C. Penney Co. in Plano, Texas.

There are many types of IT audits that cover a broad range of technologies and processes. One type assesses IT governance, determining how well the IT department is managed and staffed, and how efficiently it supports business operations. Information-security audits examine security policies and such technologies as firewalls, as well as analyze the integrity of networks, databases, operating systems, Web servers, and applications.

Audits can focus on such major IT assets as ERP systems or on individual applications like payroll and accounts payable. Some audits evaluate the effectiveness of business-continuity and disaster-recovery programs, and others make sure that organizations have adequate and up-to-date software licensing in place. Still others are dedicated to ensuring that organizations are in compliance with such regulations as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act.

IT audits frequently begin with a risk assessment, in which an organization obtains an overview of the major systems and applications used to support critical business processes.

15 June 2004

Keeping Your Business Clean

Keeping Your Business Clean - CSO Magazine - June 2004

Take this quiz to test the ethical health and well-being of your business.


A COLLEGE PAL OF MINE—a corporate lawyer at a major, publicly traded company—has been watching all of the corporate-integrity meltdowns from his not-so-distant vantage point. Just for fun, he helped me devise a quiz of sorts to check out the "uprightness" of my own situation at my company. I was shocked and disturbed enough with my results to share them here (under the protection of anonymity, of course).

Maybe I'm a good Samaritan, but I care about America's corporations, and I hope our times offer an opportunity to change some thinking. Take this little corporate hygiene quiz with a few of your trusted business pals over a latte or two. And since catharsis is good for the soul, I'll share my answers with you here. I used a scale of one (not so much) to five (absolutely) to get a numerical sense of where I stood.

To start, does your business depend on a complex technical environment with significant uptime reliability?

Aren't we all increasingly reliant on a networked environment with nodes, access points and critical intersections in places that we can't see or control? Uptime reliability is important for everybody these days, but it's an expected cornerstone of businesses that feel they need to hire a CISO. I give myself a four on this one.

Does your company have operations in any country below the equator?

Many U.S. companies have core business processes located in countries below the earth's beltline. Security risks exist there that make knowledgeable security professionals twitch every time their phone rings: kidnappings, corruption, incompetent and criminal law enforcement, Internet crime, organized crime, drugs, money laundering, an overall unsafe environment with too many Foreign Corrupt Practices Act temptations. But what are you going to do? The labor is cheap and we have to be competitive. My company is moving in that direction but not there whole hog yet. So I'll give us a three on this one.

Would you characterize the velocity of your company's business as high-speed?

How about warp speed? How else can we continue to satisfy Wall Street and our fickle shareholders? We're all being pushed to do more with less. And there's so much going on in the back draft of this fast pace, I wonder what the hell else I'm missing. I'll take a five on this one. I'd take a six if it were allowed.

Do you forgo a criticality rating to identify shortcomings in business controls and security measures?

With all the open books and disclosure emphasis these days, the lawyers are really nervous about recording any risk information that could come back to haunt us. As a security professional, I've always lived with criticality ratings—it's all about the likelihood of problems we need to be prepared to address. But I know for a fact that we have no organized process for doing this across the business. In the aftermath of Sarbanes-Oxley, our auditors now rank their findings; but that's ex post facto and, besides, an audit is cyclical and periodic. This is all about what keeps knowledgeable risk managers awake at night and what we are missing. I'd better take a four (and hope for the best).

Does your corporate risk-management model discourage individual managers from seeking out vulnerabilities in the system of controls?

My company doesn't have a risk-management model, per se—and then blame is typically parceled out to the lowest common denominator. I'll take a four on this one, too. (This isn't shaping up well, is it?)

Are managers ill-informed about what to look for on control deficiencies or cues on risky behavior?

There's not a lot of sharing here, especially concerning errors or incidents. After all, who wants to shoot themselves in the foot? We have an active infosecurity awareness program, but it hasn't been integrated into any of the training and employee development programs we run on a continuous basis. HR owns management training, but it doesn't recognize that the manager's job has a core risk-management component. And what's the first question out of the CEO's mouth when it hits the fan? "Who's the manager of this disaster?" I can't vouch for manager awareness across the board. So let's score a three here.

Are there unaddressed vulnerabilities in your company's safeguards or other such exposures that could be exploited?

The fact that this question has to be included speaks volumes about the maturity of risk management. Of course there are known gaps! And it's the people who work here who know where to find the holes. The guy who is empowered to do you the most damage already works for you. The developers leave open doors in our applications, and our LAN administrators have the keys to the kingdom. There's no one place where all the data comes together to enable those of us on the firing line to see where the interconnections and interdependencies may exist. Besides, I get paid to think about "what if," so scoring anything less than a five would be dishonest.

14 June 2004

The Business of Security

CIO Asia - Issue - The Business of Security:

How two financial services giants tied business continuity planning to the business--not to security.

By Ann Toh

* Discover how two financial services giants institute business continuity and disaster recovery plans to get back to normal as soon as possible when disaster strikes

* Glean strategies to sell the expense of business continuity to senior management

FEAR, UNCERTAINTY AND DOUBT--for years that was how CIOs sold security. Today, as two best-practice financial services organisations show, there are more effective ways to get that security spend and keep people's eyelids from drooping than by painting disaster scenarios.


Global financial services provider Deutsche Bank AG survived the terrorist attacks in New York on Sept 11, 2001. The Singapore branch of the bank, its Asia Pacific headquarters, has since faced the challenging task of getting the bank and its employees interested in business continuity planning and committed to disaster recovery readiness.

An employee who knows a disaster when he sees one is Kenny Seow, head of Business Continuity Management (Asia Pacific), who has been facing the quiet challenge of getting his colleagues excited about business continuity planning at the bank for the last five years. The 14-year business continuity planning (BCP) veteran heads the bank's BCP function, which liaises with and brings together various internal units and experts dealing with risk--be it information risk, physical risk or business risk--to coordinate plans and strategies that address the loss of facilities, personnel or critical systems, and get them implemented.

'The work of business continuity planning requires a diverse set of skills,' says Seow. That is why the bank harnesses individual teams of experts--from people who are responsible for the business lines and operations to those dealing with IT and physical security--to formulate a total protection programme.

Seow is lucky to work for an organisation that has always cared about business continuity planning, even before the horrific events of Sept 11 and Severe Acute Respiratory Syndrome (SARS). The bank takes an integrated, risk-centric approach to information security, physical security and business continuity. It has created a structure to manage and govern business continuity management (BCM). BCM is a board-level concern at Deutsche Bank. It has full-time teams in Singapore, the bank's Asia Pacific headquarters, and in its bigger locations, Hong Kong, Japan, Australia and India, to manage BCM. The role of these units is to ensure that processes and resources are in place so that when an incident occurs, the bank can respond effectively, says Seow. He adds: 'In Deutsche Bank, because BCM is recognised as such an important function, it has a direct line of reporting to the regional Chief Operating Officer. Business continuity risk is considered one aspect of the various risks we manage, such as operational risk, market risk or credit risk.'

Can Innovation and Compliance Be Balanced?

Can Innovation and Compliance Be Balanced?

The SIA Technology Management Conference and Exhibit this year is themed 'Balancing Innovation With Compliance.' But can innovation and compliance co-exist? Can we really think, develop and perform within the bounds of regulatory compliance in a period of rapid growth? Will we learn from the challenges of the late '90s and early '00s, pay penance, make amends and move forward on the straight and narrow?

Alternatively, are compliance and innovation mutually exclusive? They may well be, as the mid-'80s boom gave us Milken and Boesky and the late-'90s boom gave us ... well, too many to count.

Traditionally, scandal fallout has been limited -- we throw folks in jail and change a few laws, but when market composure is regained, we seem to forget about previous transgressions and transgress anew. So, are we predetermined to repeat the past?

This time things look different. The settlement cost, the industry governance structure, the problem's magnitude -- and the focus on enforcement, litigation and legislation -- demand it.

The cost of problems and penalties this time has been huge. While the Milken settlement was $1 billion, today's legal challenges are costing firms far more. The research scandal alone cost $1.4 billion, while the Citigroup/WorldCom settlement last month drew $2.6 billion -- and these are only two of the numerous recent settlements.

11 June 2004

Oliver North: The Ronald Reagan I knew

Oliver North: The Ronald Reagan I knew:

WASHINGTON, D.C. -- The pageantry of the moment was awe inspiring. The response of the American people was unforgettable. On Constitution Avenue, just south of the home he occupied for eight years, tens of thousands of Americans watched in reverent silence as the flag-draped casket bearing the former president was placed on the horse-drawn caisson. Hundreds of thousands more waited patiently, first in California, then in Washington and again at the Reagan Presidential Library, just for a chance to spend a moment near him. It was a farewell tribute worthy of a great leader. And it stunned most of the media.

As I watched the long procession up to the Capitol and the ceremonies thereafter, I was struck by the overwhelming outpouring of genuine respect that the citizens of this country demonstrated toward a man who left office more than 15 years ago. And I was dismayed that many of those in the media who sought to explain this admiration still don't get it. But then, they never really understood Ronald Reagan while he was alive.

Some have said and written that it was his "infectious, incurable optimism," his "amiable personality" and his "self-confidence" that brought him success. But that ignores Ronald Reagan's humility and faith as the foundations of his assurance. It also discounts his resolve and steadfastness in the face of adversity and disappointment.

Others tell us that he owes his acclaim to "winning the Cold War without firing a shot." But Ronald Reagan knew that the long struggle against communism was anything but "cold" to those who fought and died in Korea, Vietnam, Lebanon and dozens of other bloody battlefields.

Several have attempted to attribute his triumphs to rhetorical skills perfected as an actor while simultaneously "informing" us that he wasn't a very good actor.

All their explanations fall short because they don't want to -- or can't -- acknowledge the full measure of the giant who now has passed from our midst. The Ronald Reagan I knew was much more than just a "Great Communicator."

He was a man who knew himself -- his own gifts and liabilities -- and who we are as a people. He believed that Americans are innately decent -- not perfect -- but good, and that we could be inspired to do better. While he delivered memorable, passionate speeches, some of his most magnificent moments weren't "performances" delivered before crowds or cameras, but in the hushed confines of the Oval Office, in the Situation Room, in private dialogue and in heartwarming letters he drafted himself.

Though few in the media ever acknowledged it while he was in office, Ronald Reagan was a remarkably compassionate man. In the aftermath of the October 23, 1983, terrorist bombing in Beirut, Lebanon, which killed 241 Marines, sailors and soldiers, the president attended the memorial service at Camp Lejeune, N.C. Following the ceremony, after the cameras had been turned off, and while the president and Mrs. Reagan were greeting the families of those who had been killed or wounded, a little boy, about 4 or 5 years old, looked up and said, "Mr. President, can you bring my daddy home?"

Lesser men might have continued walking and ignored the youngster -- but not Ronald Reagan. He reached down, picked up and hugged the child whose father would never come home. With tears flowing down his cheeks, the president said, "I wish I could." That was no act -- it was the raw emotion of a president who felt great compassion for that little boy and the sacrifice his father made on behalf of this nation.

One of my most cherished possessions is a letter Ronald Reagan wrote that explains Harry Truman's adage which sat behind his desk: "It is amazing what you can accomplish if you do not care who gets the credit." He quoted Thomas Merton, "We must be content to live without watching ourselves live, work without expecting immediate reward, love without instantaneous satisfaction, exist without special recognition."

The president then wrote, "In today's modern world many would challenge Merton's statement and ask why we must be content to live this way." He answered that question with some of the best advice I've ever received: "because our nation was built by men who dedicated their lives to building our country for the sake of their children and countrymen, without taking the time to worry about receiving recognition for their efforts."

He could also rise in righteous anger -- and show it. On Oct. 7, 1985, when terrorists hijacked the cruise ship Achille Lauro and murdered Leon Klinghoffer, an American Jew, he convened his National Security Planning Group to recommend some courses of action. After listening to more than an hour of wrangling among his closest advisors, he stopped the debate and said: "Just go get them." A few hours later, when I carried the necessary documents into him for his signature authorizing the use of U.S. military force, he read through the paperwork, signed the appropriate space and said, "It doesn't say, 'Get them!'"

Several days later, we did "get them." Daring Navy pilots forced an Egyptian aircraft transporting the terrorists down in Sicily, and Gen. Carl Steiner, then the commander of our Special Operations Forces, took them into custody. Pat Buchanan and I were tasked to prepare a statement for President Reagan to deliver on television. By then, the commander in chief's anger had cooled, but he still wanted to deliver a message to other would-be terrorists, and he did -- by concluding his remarks with a deadly serious line: "You can run, but you can't hide." Afterward, without fanfare or publicity, he personally called and thanked everyone involved in the capture.

When my children's children ask me about Ronald Reagan, I will tell them that I was blessed to serve -- as they are to live -- in a country that can produce such a great leader at precisely the time when he is most needed. And then I will tell them of a conversation I had with one of his closest friends and one of mine, Judge William P. Clark. After reminiscing for a while in the midst of all the pomp and circumstance of our president's final visit to Washington, we concluded that for those of us who know where we are going and why we are going there, no doubt, Ronald Reagan is now in that "shining city on a hill." I'm looking forward to seeing him there.

Oliver North is a nationally syndicated columnist, host of the Fox News Channel's War Stories and founder and honorary chairman of Freedom Alliance.

A risk-management upgrade for US bank regulators

McKinsey Quarterly: A risk-management upgrade for US bank regulators:

The Federal Deposit Insurance Corporation protects the stability of US banks—and thus confidence in them—by guaranteeing their deposits. But a high rate of bank failures in 2003 diminished the FDIC's reserves, raising the possibility that it would need to increase the insurance premiums banks pay it. Taking a cue from the private sector, the agency decided to overhaul its financial-risk-management practices. After improving the accuracy of the way it calculates its reserve funds, it set out to develop a better understanding of its total risk exposure.

The take-away
The FDIC's enhanced risk management will give banks more confidence in the agency and should improve its stewardship of the banking industry's resources.
In addition, more accurate and timely information can generate a better understanding of financial-public-policy decisions that affect not just depositors but also all consumers of financial services—as well as taxpayers.

10 June 2004

Privacy Is Your Business

Privacy Is Your Business:

What's the payoff for CIOs becoming privacy champions? Better business, more secure IT and a higher corporate profile.


Increasingly, Americans are chafing at attempts by government and private sectors to sift through their personal data. In the past year, opposition from privacy advocates and politicians forced the Pentagon to temporarily drop its plans to track the movement of American citizens with its Total Information Awareness project. (Instead of completely shuttering TIA, however, the Pentagon merely renamed the initiative and classified aspects of it, essentially removing it from public view.) More recently, a growing number of states including New York and Wisconsin have pulled out of an anticrime database program known as the Multi-State Anti-Terrorism Information Exchange, or Matrix—initiated after 9/11 to track terrorists—citing cost and privacy concerns. Civil libertarians argue that Matrix, which combines criminal records data with private information such as property and business filings, endangers citizens' privacy rights.

The private sector is also taking hits on the privacy front. U.K. grocery retailer Tesco got caught conducting an unannounced smart-shelf trial with radio frequency identification tags on Gillette razor blades and canceled the pilot project after negative publicity. Retailers Wal-Mart and Benetton announced last year that (at least for now) they would keep RFID tags out of their stores.

But many businesses don't seem to understand the extent to which consumers value the privacy of their personal data. According to a recent Accenture survey, 60 percent of the 223 business executives surveyed said that privacy policies are the least important of five factors that influence consumer trust. Yet 51 percent of the 347 consumers surveyed said that they have declined to do business with a company because they were uncomfortable with its privacy protection.

The stakes are huge for companies, especially those who ignore privacy concerns. Privacy & American Business, a nonprofit group led by privacy expert Alan Westin, is currently tracking 141 lawsuits against companies for alleged violations of consumer privacy. Already these lawsuits have netted plaintiffs more than $130 million in penalties or settlements. "A privacy breach is now much more than a mere annoyance," says Rich Honen, a lawyer who specializes in technology and privacy at the Albany, N.Y., law firm Honen & Wood. "It can create a serious security risk and become a market issue for a company."

The benefits of outsourcing the Security Assessment

eBCVG - The benefits of outsourcing:

By Jane Frankland

Whether a company wants to outsource all or part of its security assessment, the financial benefits of doing so are immediate. Because security assessments and penetration tests are conducted periodically, organisations can choose whether to carry the staff overheads all year round, make staff cuts or simply allocate the resource elsewhere in the department. Organisations that make staff cuts don't have to maintain specialist, emerging assessment and testing skills; instead, those skills are bought in. Provided that a security assessment supplier is chosen astutely, a company can receive a better return on its IT security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses in any of its systems and applications more quickly. For example, in software development, if security assessment is included earlier in the software development lifecycle an organisation can achieve faster delivery times and produce software that is less prone to vulnerabilities. IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the design phase. And, irrespective of whether a company is development driven, further savings can be realised, since damage to reputation from either compromise or negative publicity can be reduced.

Security policy involves formulating a well-rounded set of policies and procedures to enable an organisation to gain protection of its vital resources and support of its business needs at all levels of its organisation. Through documentation, education and review, an organisation can determine whether the rules governing its procedures, standards and guidelines on its information assets are adequate and being met.

In the case of security policy management, organisations are being encouraged to build security policy and processes into their business models. With guidelines such as BS7799/ISO17799 in place, the external consultant is increasingly relied upon as an independent source of assurance of an organisation's compliance. The benefits associated with outsourcing in this area include better allocation of resource and greater assurance that risk thresholds are being identified, that existing policies are in line with changes to systems, methods of business and IT strategies, and that operational documentation exists for compliance against appropriate standards (BS7799/ISO17799, DPA, ISO 2001, HIPAA, FSA etc.). This in turn ensures greater confidence in terms of business and investment, and can help lower high insurance premiums.

09 June 2004

Survey: Lack of Terror Coverage Would Hurt Commercial Mortgage Market

Survey: Lack of Terror Coverage Would Hurt Commercial Mortgage Market:


A new survey indicates that only 20 percent of commercial real estate portfolios would retain terrorism coverage if the requirement that insurers make it available is lifted, down from 83.5 percent.

The survey by mortgage bankers suggests that if the 'make-available' provision is removed, current terror endorsements will be cancelled by insurers and more than $400 billion in commercial loans could be exposed as a result.

The Mortgage Bankers Association (MBA) conducted its survey to determine the prevalence of terrorism risk insurance coverage and the impact the removal of the 'make-available' provision of the Terrorism Risk Insurance Act (TRIA) would have on commercial/multifamily real estate finance. Congress is currently considering renewal of TRIA.

Of the $656 billion commercial/multifamily debt reviewed in the MBA study, $616 billion, or 93.9 percent, is required to have terrorism insurance by the mortgage investor and/or servicer. A full $548 billion, or 83.5 percent of the outstanding balance of the commercial/multifamily debt reviewed, had terrorism insurance in place, according to the survey.

Insurance specialists at every loan servicer involved in the study said they expect that if the 'make-available' provision of TRIA is not extended, terrorism endorsements that are currently in place will be cancelled or excluded. Without the 'make-available' extension, they estimate by the spring of 2005 only 20 percent, or $132 billion, of their collective portfolios would have terrorism risk insurance coverage in place. This represents a reduction of 76 percent-- or $416 billion-- in the balance of loans that would be covered for losses due to terrorism.

According to MBA officials, the implications of such reductions would include increased costs and reduced availability of credit, lower yields on existing loans and reduced market liquidity.

Antiphishing.org - Stop Phishing and Email Scams

I received an email from an attorney acquaintance of mine today, requesting that I click on the link in the email to join something named "Linkedin". My Phishing alarms went off immediately! Has this individual shared my email address with a "Social Networking" site? Or has this person's Outlook address book been harvested by some unknown entity?

What is Phishing?

Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.

Check out this one regarding Fleet Bank: Fleet Phish

The next thing that we are going to see is the "Social Engineering" of the social networking sites such as Linkedin.

Corporations should be including security policy regarding these services, just as they are with Kazaa and other Peer-to-Peer (P2P) media sharing sites. Not only is there the possibility of personal information being compromised on individuals within the organization, there are recent reports that these individuals have been receiving a tremendous amount of SPAM.

For more information, check some of the following sources:

For more information about how to protect yourself, see our Fact Sheet 17a Identity Theft: What to do if It Happens to You at www.privacyrights.org/fs/fs17a.htm.

Read the information and tips put out by the Federal Trade Commission about phishing at www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm.

Read the Department of Justice's recent whitepaper "Special Report on Phishing" at http://www.antiphishing.org/DOJ_Special_Report_On_Phishing_Mar04.pdf

08 June 2004

Mitigating risk in outsourcing

By Mark Brunelli, News Writer

CHICAGO -- The process of outsourcing data center functions to a third-party provider is fraught with commercial and legal peril, especially when it comes to negotiating and executing service contracts. But there are several steps that companies wishing to outsource can take to minimize risk and liability.

Brad L. Peterson, a partner with the Chicago law firm Mayer, Brown, Rowe & Maw LLP, said the disputes that pop up in the course of an outsourcing relationship usually stem from the fact that data center functions are notoriously hard to write up in contract-ese. The reason is that those functions are always changing and tough to predict over the long term.

'It's critical that the services be properly described, but unfortunately it's also extremely difficult,' Peterson told attendees of TechTarget's Data Center Decisions 2004 conference. 'It's impossible to say what technologies will be out there in five years, and whether your business will be larger or smaller.'

To minimize the problems associated with outsourcing, it's important to first identify the risks. While each outsourcing deal presents unique issues, the risks generally fall into four main areas:

Operational Risks:
These include the financial and legal risks that arise when transitioning into an outsourcing relationship and allowing a service provider to transform services to reduce their cost. They also include the legal ramifications of exiting a contract when services are no longer needed.

Commercial Risks:
Companies usually enter into outsourcing contracts to save money. This can create problems because when companies lock themselves into a service contract, they generally lock in a price. As time goes on, market levels change and the customer company could end up paying too much for the services they receive.

Business/Strategic Risks:
Businesses are constantly identifying new strategic initiatives. If a third-party IT provider can't accommodate new goals, the customer company might want out of the contract.

Legal Risks:
These include privacy issues, regulatory factors, outsourcing laws and legal liability. 'There is a tremendous amount of industry-specific regulation around outsourcing,' Peterson said.

Peterson told the crowd that the key to mitigating contract risks from the outset of an outsourcing relationship is due diligence in the pre-contracting model. He said companies need to properly assess how such an outsourcing contract can change the risk levels of their organization. This can be done by thoroughly researching possible suppliers and the services they provide, and then creating a risk model.

The risk model should take into account certain factors such as industry regulations. Interestingly, he said, companies that create such models sometimes find that it's not worth it to enter into outsourcing because the risk levels go up too high.

Company Size and 404 Compliance

There are 'pronounced differences' between larger and smaller companies regarding Section 404 of Sarbox, especially in defining the scope of the program and incorporating software applications, a survey finds.

Stephen Taub

How companies approach compliance with Section 404 of the Sarbanes-Oxley Act varies widely, depending upon the size of the company, a survey has found.

According to Parson Consulting, which surveyed 96 finance directors and financial controllers of U.S. public companies, there are 'pronounced differences' between larger and smaller companies, especially in defining the scope of the program and incorporating software applications. (Parson defines larger companies as those with a market capitalization of $1 billion or more, while smaller companies have a market cap ranging from $75 million to $1 billion.)

Take the issue of scope. Parson found that 47.2 percent of larger companies reported taking a narrower approach to compliance, one that is focused primarily on financial reporting processes, compared with 27.3 percent of smaller companies. This is presumably due to the amount of time and resources required to address controls across the organization, according to Parson. On the other hand, 41 percent of smaller companies are taking the broader approach of addressing operational as well as financial controls, compared with less than 28 percent of larger companies.

When asked what traditionally "nonfinancial" policies and procedures they believe will significantly impact financial reporting controls, survey respondents cited information systems (92.9 percent), risk management (73.8 percent), human resources (50 percent), supply-chain management (31 percent), and facility management (14.3 percent).

07 June 2004

G8 summit will test the data-sharing capabilities

By Larry Greenemeier  
Information Week

This week's Group of Eight Summit at a small resort island off the Georgia coast is the biggest test to date of the federal government's ability to coordinate secure communications among law-enforcement and other public officials at all levels of government. The Homeland Security Information Network is at the center of that effort, letting local, state, and federal officials collect and share sensitive-but-unclassified information. HSIN this summer will reach 100 law-enforcement and other security agencies, Holcomb says.

HSIN, which the Department of Homeland Security rolled out four months ago, is a collection of collaborative tools, including Groove Networks Inc.'s Workspace and Microsoft's SharePoint portal and workflow software, that works in real time over existing networks and the Internet. It's a 'fairly ubiquitous way to send out alerts throughout the country,' says Lee Holcomb, chief technology officer for the Department of Homeland Security. 'HSIN provides the ability for federal partners to reach out and touch local and state agencies.'

The technology is in place in and around Sea Island, Ga., where President Bush is hosting leaders from seven of the most powerful nations in the world. It lets the 20,000 police and federal agents deployed to the area access information from federal, state, and local law-enforcement groups, as well as federal security agencies, governors' offices, and other emergency-management groups. Local law enforcement, including the Georgia Bureau of Investigation and the Georgia Emergency Management Agency, can send information on local situations back to the Homeland Security Department and other federal agencies monitoring the event.

04 June 2004

NASD publishes notice to members on business continuity planning regulations

NASD has published ‘Notice to Members 04-37’ which gives timescales for when member firms must establish business continuity plans and details what these must cover.

Under federal law, virtually every securities firm doing business with the US public is a member of NASD. Roughly 5,200 brokerage firms with over 95,000 branch offices come under its jurisdiction. All these companies will now be required to develop, test and manage business continuity plans and provide documentary evidence of this.

The full text of the notice can be read at http://www.nasdr.com/2610_2004.asp#04-37

The effective dates of the rules are:

* Rule 3510
Clearing Firms: August 11, 2004
Introducing Firms: September 10, 2004
NASD Rule 3510 requires each member to create and maintain a business continuity plan. Each member's plan must identify procedures relating to an emergency or significant business disruption that are 'reasonably designed to enable the member to meet its existing obligations to customers.' In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.

* Rule 3520
All Firms: June 14, 2004
Rule 3520 requires members to provide NASD with emergency contact information and to update any information upon the occurrence of a material change. The Rule requires members to designate two emergency contact persons that NASD may contact in the event of a significant business disruption.

Sarbox Compliance and Technology

Technology is playing a much bigger role at companies faced with Sarbanes-Oxley requirements.

Stephen Taub, CFO.com

According to a Forrester Research survey of 878 technology decision-makers at North American enterprises, 77 percent indicate that their technology spending will grow this year in response to the Sarbanes-Oxley Act.

That's a vast increase compared with last year's survey, in which 85 percent of executives indicated that Sarbox would have either a neutral or only slightly upward pressure on their technology spending plans, according to an account of the Forrester survey published by CIO-Today.com.

The survey also indicated a big difference in how companies plan to spend additional money.

In this year's report, a little more than 60 percent of respondents said they will spend more on security as a result of the law; 52 percent said they will be buying more storage products; 40 percent said they will increase spending on specialized process control technologies; 39 percent said they will buy additional records management applications; 36 percent will spend more on business intelligence applications; and nearly one-third of respondents said they will increase spending on ERP applications.

Most of those surveyed last year said that any increased spending would go toward consulting services, not applications, reported CIO-Today.com.

03 June 2004

How Much Should You Invest in IT Security?

from Help Net Security
Article ID: D146979

One of the main concerns of the organizers of the Olympic Games to be held in Athens this summer is security: not only physical security, but computer security as well. The emphasis placed on avoiding problems with the computers that will manage huge amounts of data during the games will be proportional to the magnitude of this global event.

The information that must be protected at any Olympic Games is so valuable that it justifies all efforts to guard it. However, in companies, where the scale of the IT infrastructure is not usually on the level of the Olympic Games, financial investment in security is not always enough to protect information. On the one hand, security investment may be insufficient, and therefore ineffective. On the other hand, it is just as absurd to overprotect a system as to leave it unprotected, since in that case money invested becomes money wasted.

When you evaluate the expenditure to be made on an IT security structure, there are three aspects that must be taken into account. First, you must know the value of the data or systems to be protected. This is probably some of the most difficult information to obtain in a company. How much is a company's know-how worth? Or, even more difficult, what is the current value of a new product that is still at the development stage? The number of variables to be considered is endless, and in many cases they are impossible to quantify objectively. The best way to obtain this figure is through indirect calculation, that is, by measuring not total losses but the financial loss caused by the loss of information.

Just imagine, for example, the cost of having your company's network halted for an hour. If you divide your annual turnover by the number of working hours, you will see the cost of having your servers at a standstill for an hour.

The second aspect to be considered is the investment to be made on security systems. Under no circumstance should you have a budget that exceeds the value of the information to be protected. This would be like keeping an old stained rag in a safe, as the cost of the safe is greater than the cloth. A security system like this would be redundant. (Unless of course the rag was stained by Leonardo da Vinci, and called the Mona Lisa, then maybe some additional expenditure on extra security measures might be in order).

Finally, you have to calculate how much it would cost an attacker to breach the security measures and access the protected information. This cost should be very high; that is, obtaining the information must be far more costly than the information itself is worth. In this way you set up an intangible barrier that is very difficult to get over, since if it is not worth breaking into a system, almost nobody will try to do it. At the least, most attackers will be dissuaded from trying.
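The three aspects above, carried through as an added Python example that is not part of the Help Net Security article: the asset value is estimated indirectly from information value plus the turnover-per-working-hour outage cost the article describes, then the budget and attacker-cost checks are applied. All figures are constructed sample inputs.

```python
"""Three-aspect IT security investment check (added example, not from the article).

Aspect 1: estimate the value of what is protected indirectly, via the loss its
          unavailability would cause (information value + expected outage cost).
Aspect 2: the security budget must not exceed that value (else money is wasted).
Aspect 3: the cost to an attacker of defeating the measures must exceed the value
          of the information (else the barrier does not deter).
All figures used here are constructed sample inputs.
"""
from dataclasses import dataclass


@dataclass
class InvestmentCase:
    name: str
    annual_turnover: float        # yearly revenue, used for the hourly-outage estimate
    working_hours: int            # working hours per year
    expected_outage_hours: float  # hours of downtime expected in a year
    information_value: float      # indirect estimate of the information's worth
    security_budget: float        # proposed annual spend on security measures
    attacker_cost: float          # estimated cost for an attacker to defeat them


def hourly_outage_cost(annual_turnover: float, working_hours: int) -> float:
    """The article's rule of thumb: annual turnover divided by working hours."""
    if working_hours <= 0:
        raise ValueError("working_hours must be positive")
    return annual_turnover / working_hours


def protected_value(case: InvestmentCase) -> float:
    """Aspect 1: value measured by loss, not by direct appraisal."""
    outage_loss = hourly_outage_cost(case.annual_turnover, case.working_hours)
    outage_loss *= case.expected_outage_hours
    return case.information_value + outage_loss


def evaluate(case: InvestmentCase) -> dict:
    """Apply aspects 2 and 3; return the computed figures and a list of findings."""
    value = protected_value(case)
    findings = []
    # Aspect 2: spending more than the assets are worth is the "rag in a safe" case.
    if case.security_budget > value:
        findings.append("overprotected: budget exceeds the value it protects")
    # Aspect 3: if breaking in costs less than the prize, attackers are not deterred.
    if case.attacker_cost <= value:
        findings.append("underprotected: breaching is cheaper than the information is worth")
    return {
        "name": case.name,
        "hourly_outage_cost": hourly_outage_cost(case.annual_turnover, case.working_hours),
        "protected_value": value,
        "findings": findings or ["balanced: budget below value, attack cost above it"],
    }


if __name__ == "__main__":
    # Constructed sample: 8.76M turnover over 2,000 working hours gives 4,380/hour.
    sample = InvestmentCase("sample", 8_760_000, 2_000, 10, 500_000, 60_000, 2_000_000)
    for key, val in evaluate(sample).items():
        print(f"{key}: {val}")
```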

As usually happens when you try to assess a security risk, establishing the right measuring standards is rather complicated, as there is no perfect metric and, even if there were, it would need to adapt to every business alternative. In fact, a parameter that is valid for one business vision is completely different for another, irrespective of how similar the businesses might be.

Luckily, you can get help from computer security experts with the experience and knowledge needed to draw up a close approximation of your IT security needs and the investments to be made. Conversely, establishing an investment policy based on the opinions of unknowledgeable people can lead to highly undesirable effects.

To sum up, leave computer security to experts who are up-to-date in this area and know the issues involved. This is the best way to ensure that you are investing just what you need in security systems, no more, no less.

Intrusion Prevention - TippingPoint - Enterprise Solutions

As corporate networks grow in size and complexity, organizations must rapidly adapt to provide and share information across multiple systems and facilities, monitor and evaluate the security of their information and maximize the value of their information technology resources. In addition, they must comply with recent legislation that requires the safeguarding of their networks and data. For example:

* Financial institutions must comply with the Gramm-Leach-Bliley Act of 1999, which requires them to ensure the security and confidentiality of their customers' valuable personal information.

* As national standards for electronic health care transactions and national identifiers for providers, health plans and employers are implemented, healthcare organizations must also address the security and privacy of health data as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

* California's Senate Bill 1386 presents significant implications for any organization that conducts business with California residents. SB1386 seeks to reduce identity theft and protect California residents' right to privacy by requiring disclosure of any breach to the security of a computing system.

TippingPoint offers award-winning intrusion prevention solutions expressly designed to address network security requirements for service providers, academic institutions, healthcare organizations, financial institutions, government agencies and corporate enterprises. The UnityOne Intrusion Prevention System (IPS) is an in-line hardware platform that proactively ensures organizations are protected against internal and external cyber attacks that may threaten their critical infrastructures.

02 June 2004

IRS Warns of New Fraud Scam

The U.S. Internal Revenue Service warned Tuesday of a new scheme to steal identity and financial data from some foreigners who receive income from a U.S. source.

The scammers send out fake IRS letters and forms to trick foreigners into disclosing their personal and financial data. The information is then used to steal the person's identity and financial assets.

So far, the scheme has surfaced in South America, Europe and the Caribbean.

Identity thieves can use the data to steal financial accounts, run up charges on the victim's credit cards, apply for new credit cards in the victim's name, and other purposes.

In this particular scam, an altered IRS Form W-8BEN, 'Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding,' is supposedly sent from the IRS to non-resident aliens who receive income from U.S. property such as securities or bonds.

There is a real IRS Form W-8BEN, but it doesn't ask for extensive personal information like the altered form does. Also, only financial institutions such as banks would send out the form, not the IRS.

There are about 2.5 million non-resident aliens who receive U.S.-sourced income, based on IRS data.

01 June 2004

Operational Risk - Technology Quandary for Sarbanes-Oxley Compliance

Author: Ellen J. Silverman

The Sarbanes-Oxley Act of 2002, designed to identify and mitigate corporate governance-related risk, is being implemented in corporations over the next several years. Companies are scrambling to upgrade their financial processes and find appropriate software. Boston-based AMR Research estimates that Fortune 1000 companies will spend a total of $5.5 billion in 2004 on Sarbanes-Oxley compliance initiatives.

Similar to Year 2000 remediation, companies are being bombarded by software vendors offering specialized Sarbanes-Oxley software. It is recommended that only 20% of a company's Sarbanes-Oxley budget go to software since compliance won't always require software upgrades.

And while technology can help with certain tasks, the first step to Sarbanes-Oxley compliance is getting business processes standardized. Many companies have diverse or geographically dispersed units that handle financial reporting differently. Because the process isn't done in a uniform way, auditors and officers must gather financial data from various sources.

The wave of Sarbanes-Oxley software vendors can be a red herring for corporate executives striving for compliance. However, the right software can bring long-term value when it's used to standardize and automate business tasks. The average cost for Sarbanes-Oxley compliance, including software, manpower and consulting, has been estimated at $1 million per $1 billion of a company's revenue.

1SecureAudit Produces Terrorism Risk And Emergency Preparedness Solutions Road Show For Real Estate Investment Trusts

Real Estate Portfolios are subject to a new A.M. Best Supplemental Rating Questionnaire (SRQ) and Must Quantify Their Risk Exposures to Potential Terrorism Incidents

For Immediate Release

MCLEAN, Va./EWORLDWIRE/June 1, 2004 --- 1SecureAudit LLC, an emerging leader in Operational Risk Management Solutions for the Financial and Healthcare Services Sectors, today announced the launch of its Terrorism Risk and Emergency Preparedness Solutions Road Show for the critical infrastructure assets of the Real Estate Investment Trust (REIT) industry.

Building owners and managers including the commercial real estate portfolios of the real estate finance business are responding to the A.M. Best Company requests for the Supplemental Rating Questionnaire (SRQ) from their insurers.

Critical Infrastructure Protection is vital to a comprehensive risk management strategy and insurers are being asked to model terrorism attack scenarios for high exposure targets. Managing the risk of property and workers comp losses must be addressed with the mindset that they can be correlated with specific types of terrorist threats.

A Real Estate Investment Trust, or REIT, is a financial company that owns, and in most cases, operates income producing real estate. Some REITs finance real estate. REITs invest in a variety of commercial property types: shopping centers, warehouses, office buildings, hotels, and healthcare facilities. Some REITs specialize in one property type only, such as commercial office buildings, industrial or retail.

'Our Real Estate Investment Trust Road Show 2004 will educate Real Estate Investment Trust executives on crucial topics such as Emergency Preparedness, Crisis Communications, Terrorism Risk Management and Critical Success Factors in Infrastructure Protection to address new insurance and government compliance regulations,' said Peter L. Higgins, Managing Director of 1SecureAudit.

'Our proven combination of services, Commercial-Off-The-Shelf (COTS) software and business audit solutions answers the requirements for the A.M. Best SRQ as well as comprehensive Business Crisis and Continuity Management mandates by insurers and government regulators.'

The Road Show is scheduled monthly in New York City, Chicago, Washington DC, Dallas, Denver, Los Angeles and San Francisco.