30 August 2004

Corporations can learn ORM from the US Navy

What is it that corporate management and the US Navy have in common? Corporations can learn ORM from the US Navy principles to earn top safety honors and contribute to mission success.

This is just one example of how the US miltary is using the effectiveness of Operational Risk Management to mitigate the risk of hazards on the job and to ensure the safety of fellow team mates on the job.

“It was evident the first time I came on board and saw the crew’s attention to detail and dedication to their work,” said Capt. Mike D. Budney, commanding officer, Emory S. Land. “But it’s remarkable to note that with the tremendous day-to-day operations, no serious safety mishaps occurred.”

“With a crew this size and the never-ending upkeep that takes place, safety is and will always be our number one priority,” Budney added. “Our Sailors know that and are living proof. I am extremely proud of them!”

While safety is paramount on every ship and submarine in the fleet, these submariners know that safety is not about winning awards, it’s about managing risk to avoid injuries and possible loss of life.

27 August 2004

The next very long war....Cyber Terror

"The Internet is the bold new frontier of crime, but we're the new sheriff in town. For cyber criminals who operate out of Los Angeles or any location around the globe, this posse will bring you to justice," said United States Attorney Debra Wang.

The Six Cyber Terrorists arrested by the US DOJ have set the stage for a long and evasive war. The hope is that the private sector will begin to share more information with the feds to get to the big fish, but this will take time, money and lot's of cooperation with our global partners. China, Korea(s) and the Russian states are the sources of many of our DoS attacks and while we know who they are it is difficult to navigate international laws and jurisdictions.

The good news is that the private sector is working more closely with InfraGard and the 12,000+ members who are helping to protect our critical infrastructures. Money is being allocated to specialized enforcement teams to assist the US Attorney's in doing their jobs more effectively.

It's just going to be a very long war that has to be fought every single day.

25 August 2004

Share Price: A Factor of Corporate Governance?

Corporate Governance is good for the bottom line but even Google hasn't found this out...yet. Their recent coporate governance quotient is 0.2 out of 100.

But, as Ric Marshall, chief analyst for the Corporate Library, notes, it's not necessarily a bad thing. "There is this tendency to dumb things down by making all boards look the same,'' Marshall told the San Francisco Chronicle. "By doing something different and unconventional -- in terms of how the IPO has gone, the multiple share classes, the makeup of the board -- Google is creating something that is different and unusual. Good corporate governance is the creative interaction between directors on the board. What concerns me is the ethics of the people involved and their ability to be creative."

24 August 2004

Real Estate: Antiterrorism Laws

Is the commercial real esate industry subject to our latest antiterrorism laws?

Executive Order 13224 and the prohibited parties list of the Office of Foreign Assets Control (OFAC) is in effect now. It has civil and criminal penalties.

The Money Laundering Control Act, a criminal statute, is in effect now.

The USA PATRIOT Act/Bank Secrecy Act, which requires certain anti-money laundering compliance activities, will result in regulations directly affecting the real estate industry within a matter of months.

See the viewpoints of two legal eagles from Holland & Knight in the DC area on this very topic.

18 August 2004

H.R. 1731 Identity Theft Law

The identity theft penalty enhancement act expands the capabilities of the Justice Department to investigate I.D. theft. See the synopsis here at CSO Online. I.D. theft is one way for the terrorists to keep themselves hidden in the US for a long period of time. It will also help in credit card fraud cases.

17 August 2004

Increased Regulatory Scrutiny for Bank INFOSEC

Banks INFOSEC departments have increasing roles in audits. The Information Security departments must have a systematic program for managing risk in their day to day operations as regulatory requirements for business overlap.

Comprehensive risk management programs are being broadened to encompass operational risk in many banking institutions. This is due to the increasing prevalence of legislation such as Gramm-Leach-Bliley (GLBA) and even sections of Sarbanes-Oxley. The convergence of information security and business is finally making it apparent that the two are very much inseparable.

13 August 2004

Survey identifies main stumbling blocks to successful operational risk management

Survey identifies main stumbling blocks to successful operational risk management:

Difficulties in collating clean data and poor awareness among staff are the major obstacles to effective operational risk management, according to a recent survey by Risk Waters Group and SAS.

The survey of more than 250 financial institutions and regulators identified managing data quality as the number one issue, with respondents reporting difficulties in collating sufficient volumes of historical data and in ensuring reliable data. The second most pressing issue was the poor overall awareness of operational risk issues by staff, due largely to lack of clear education programs in operational risk, lack of communication and limited knowledge sharing.

Regulations such as Basel II place a growing emphasis on operational risk management within financial institutions. Banks are compelled to gather data that they do not currently collect; they are also required to bring that data together from a host of disparate systems into one pool for analysis.

'The two key barriers to financial institutions achieving success relate to basic issues such as data quality and awareness amongst staff. A basic lack of awareness amongst staff often results in insufficient data being collected,' said Peyman Mestchian, head of the risk management practice, SAS UK.

'Employees may not always report losses and therefore impact the accuracy of data available. They need to be educated to a level where they are providing consistent information therefore improving data accuracy. Organisations can use the most sophisticated analytical tools in the world, however if they are not working with comprehensive, real-world data they will miss the real dangers. Inconsistent and inaccurate data will only provide problems and create disagreements. These issues need to be addressed as a matter of some urgency, particularly with latest draft of the New Basel Accord (Basel II) published in June,' continued Mestchian.

To comply with new regulations, organisations require systems that are both scalable and flexible. Systems need to combine qualitative and quantitative data and be able to link external data with internal data. Yet for many having the correct systems in place is still a major challenge.

Survey respondents ranked IT systems failure as the main source of operational risk. An area of growing importance was identified as customer relationship risk, with regulatory and compliance issues (including taxation) third."

11 August 2004

Summer in the City: Unconventional Insurance and Olympian Security in Age of Terrorism Risk

Summer in the City: Unconventional Insurance and Olympian Security in Age of Terrorism Risk:

By Andrew G. Simpson, Jr.

A little more than a year ago, Britain's Prince William celebrated his 21st birthday with a costume party at Windsor Castle. While William was addressing the partying crowd, a stranger wearing a black beard, white turban and pink dress and looking a lot like Osama bin Laden bounded onto the stage, grabbed the microphone, spoke to the crowd and then planted a kiss on Prince William's cheek.

Despite the fact that the Osama look-alike was a comedian, few thought it a laughing matter. If the intruder had been a suicide bomber he could have killed all the senior members of the royal family who were onstage with William. British security forces were promptly taken to task for allowing the stranger to get so close. Immediate steps were taken to beef up security surrounding the royal family.

Summer Security
This summer, while the world is watching the Democratic National Convention (DNC) in Boston, the Republican National Convention (RNC) in New York City and the 2004 Olympic Games in Athens, security forces will be on full alert to prevent breaches like the one that concerned British security a year ago. In Boston, New York and Athens, officials maintain that every precaution is being taken to protect the participants and properties at these events from a close encounter with terrorism."

10 August 2004

A Radical Leap in Trust...A Security Lesson

The other day I received a package in the mail from Fast Company Magazine. I opened the brown padded envelope with the "Security Radar" that this looked like a questionable package. You know, the kind that they warn you about these days. The label looks like it was created by a 4th grader and the package is about a half inch thick and weighs in at about a pound and a half. Could this be the work of a clever "Social Engineer" who knows my modus operandi?

So I held my breath and opened it with great anticipation and fear at the same time. I had no idea it was coming. It's contents was not surprising. A book. A note. And a business card. The card was that of Heath Row, Fast Company Editorial and Community Director. Former Social Capitalist before the uprising. The Book was entitled The Radical Leap, by Steve Farber. The note from the publisher offering 40% off the retail price with orders of ten or more.

The real radical leap on this day was my faith in the label Fast Company. My vulnerability had been exploited by someone known to me. My trust in FC and the brand prompted me to forget everything I have been taught about suspicious packages like this one. Now I'm practicing LEAP every day. Cultivate Love. Generate Energy. Inspire Audacity, and Provide Proof. The lesson here is simple. A radical leap in trust can sometimes blind us from clear thinking. Be careful out there.

06 August 2004

Dangerous Waters

Dangerous Waters: "

Distributed denial-of-service attacks may reshape the way courts evaluate liability for network security breaches.


Distributed denial-of-service (DDOS) attacks—the creation of a hostile computer network used to remotely shut down another network or website—continue to plague the Internet. In the past two years the Internet has experienced a 2,000 percent increase in worm-driven DDOS attacks. Some e-commerce websites have been completely shut down by the attacks and have reported as much as $250,000 in lost sales per half hour that they were down. But the damage doesn't stop there. The users of a victimized system can also suffer significant reputational loss from being unable to conduct business.

However, the legal response to DDOS attacks has been mixed. In the U.S. legal system, civil liability can arise from contract law, tort law or regulation. If one party breaches its contractual obligations, the law provides a remedy to the aggrieved party. Contract law, however, often fails to cover damage to third parties. Suppose a hacker breaks into Company A's inadequately secured network and then uses that network to attack Company B. The attack against Company B disables its networks, causing it to fail to deliver promised services to its customers. Although Company B has no contractual relationship with Company A, can B sue A for losses?

From a tort standpoint, many legal scholars, major law firms and a National Research Council Committee assert that the downstream victim can bring civil action for negligence against the upstream systems that were used as part of the DDOS attack. Reasoning that civil law intends to deter undesirable or wrongful conduct and to compensate those harmed by such conduct, legal theory posits that victims should be allowed to recover losses from third parties that were negligent if that negligence was the direct cause of the loss. In the Internet environment, negligent third parties may be the only source of loss recovery, since criminal law offers no compensation to the victim if the computer criminal cannot be identified. Furthermore, establishing the legal precedent to impose civil damages on a third party, such as a service provider that is proven to be negligent, could motivate companies to invest the necessary resources in improving security.

04 August 2004

IT Spending for Compliance: From SOX 404 to Comprehensive Compliance

IT Spending for Compliance: From SOX 404 to Comprehensive Compliance:

Financial Insights estimates that North American financial institutions spent over $100 million on enterprise performance management solutions in the U.S. and Canada in 2003. This number will grow to $174 million in 2004 and will reach $450 million 2008.

Beyond Sarbanes-Oxley, Comprehensive Compliance

Given the similarities in the applications and infrastructure components required to comply with new regulations impacting financial services firms, including the PATRIOT Act and Basel II, we estimate that a key long-term trend in the market for compliance solutions will be application and infrastructure integration.

On the infrastructure side, we foresee that the data infrastructure supporting compliance activities will become more and more integrated through data warehouses or through applications that can connect to disparate sources. On the application side, we are already seeing firms invest in solutions that meet both anti-money laundering requirements prescribed by the PATRIOT Act as well as SEC and Sarbanes-Oxley-related requirements to monitor for internal fraud and for compliance breaches with securities laws. Investments in such AML/Surveillance solutions have been particularly strong among securities firms.

Specific to Sarbanes-Oxley compliance, we estimate that SOX 404 solutions will become more and more integrated with enterprise performance management applications to facilitate the regulatory reporting process.

Integration will take time. Technologically, it is already here today and IT vendors have been ready with partnerships and attractive solutions. Culturally and organizationally, it is not. Financial services firms have much internal work to do before they can begin to combine disparate compliance processes. Until this time, investments in IT for compliance will continue to remain focused on specific regulations. "

03 August 2004

Recovery Point provides comprehensive, availability end-user hotsite recovery services

Recovery Point

Recovery Point Systems provides comprehensive, availability end-user hotsite recovery services for mission critical, business continuity conscious clients to implement disaster recovery plans including server mirroring, serverhosting, electronic vaulting, workgroup recovery, off-site storage and co-location.

"The replacement facilities on which you stake your organization's ability to survive during a crisis must function smoothly and reliably. We've built redundancy and durability into every critical component of the site so you can rely on our high availability services every day.

* Secure facility with CCTV, access control and 365-day staffing 100 acoustical workspaces with locking storage, expandable to 200
* Owner-occupied site with private parking
* Convenient to major highway, rail and air transportation
* All weather, voice/data 'hitching post' for connectivity to mobile technologies
* Dual diverse fiber feeds via SONET self-healing ring to redundant central offices
* Full UPS support for entire recovery center
* Secure server and telecommunications facilities
* Redundant generator power, ATS and seven-day fuel supply
* Redundant HVAC services
* Full truck loading facilities to support client re-supply during occupancy
* Conference room with satellite TV feed and video-conferencing
* kitchenette, strategy room and six semi-private offices
* UL master building label for lightning protection

Recovery Point Systems is an affiliate of First Federal Corporation, the Baltimore-Washington DC region's leading provider of secure, off-site data storage services for over 20 years. We have the experience, the staff and the resources to meet your recovery requirements in today's complex environment."

02 August 2004

Bush Backs Creating U.S. Antiterrorism Chief

Bush Backs Creating U.S. Antiterrorism Chief

By Frank Csongos

The United States is planning to undertake new measures to fight the Al-Qaeda network and its allies.

Washington, 2 August 2004 (RFE/RL) -- U.S. President George W. Bush has endorsed creating the position of a national intelligence director to oversea the United States' domestic- and foreign-intelligence operations in combating terrorism.

Bush, speaking at the White House today, said the new intelligence chief would be appointed by the president and subject to confirmation by the U.S. Senate.

'The national intelligence director will serve as the president's principal intelligence adviser and will oversee and coordinate the foreign and domestic activities of the intelligence community,' Bush said.

The president said the reorganization of U.S. intelligence services is aimed at creating a better integrated, thoroughly united, and more efficient antiterrorism operation.

The new post was among the recommendations of the official commission that investigated lapses in intelligence that left the United States vulnerable to the 11 September 2001 terrorist attacks.
'The best way to protect the American homeland is to stay on the offense.' -- Bush

'Oversight of intelligence and of...homeland security must be restructured and made more effective,' Bush said. 'There are too many committees with overlapping jurisdiction, which wastes time and makes it difficult for meaningful oversight and reform.'

Bush also adopted another key recommendation of the 9-11 commission -- that of creating a National Counterterrorism Center.

'This new center will build on the analytical work -- the really good analytical work -- of the Terrorist Threat Integration Center and will become our government's knowledge bank for information about known and suspected terrorists,' Bush said. 'The new center will coordinate and monitor counterterrorism plans and activities of all government agencies and departments.'

Leaders of the bipartisan 9-11 commission have insisted that the center and the position of national-intelligence director be placed in the executive office of the president. But Bush said he wants them to be set up outside the White House.

The president said the director and the center should be a 'stand- alone group' to better coordinate.

Bush also dismissed critics who said the war on Iraq has detracted U.S. efforts to fight terrorism.

'The best way to protect the American homeland is to stay on the offense. It is a ridiculous notion to assert that because the United States is on the offense, more people want to hurt us,' Bush said.

Under the reorganization, the Central Intelligence Agency would be managed by a separate director. The national-intelligence director would assume greater responsibility for leading and coordinating intelligence operations both inside and outside the United States.

The president's endorsement for the new post came after U.S. law enforcement authorities strengthened security at financial institutions in New York City; Washington, D.C.; and Newark, New Jersey, following what the U.S. government called extraordinary specific terror threats."

01 August 2004

Secretary Ridge Announces Threat Level Code Orange for Financial Sector in New York City, Northern New Jersey and Washington, D.C.

DHS | Department of Homeland Security | DHS Home Page:

August 1, 2004 - Good afternoon.  President Bush has told you, and I have told you, when we have specific credible information, we will share it.  

This afternoon, we do have new and unusually specific information about where al Qaida would like to attack.  As a result, today, the United States Government is raising the threat level to Code Orange for the financial services sector in New York City, Northern New Jersey and Washington, D.C.  

Since September 11th, 2001, leaders of our commercial financial institutions have demonstrated exceptional leadership in improving its security. However, in light of new intelligence information, we have made the decision to raise the threat level for this sector, in these communities, to bring protective resources to their highest capacity.  This will allow us to increase protection in and around those buildings that require it and also raise awareness for employees, residents, customers and visitors.  We know from experience that increased physical protection and added vigilance from citizens can thwart a terrorist attack. And that is our goal.

This is the first time we have chosen to use the Homeland Security Advisory System in such a targeted way. Compared to previous threat reporting, these intelligence reports have provided a level of detail that is very specific. The quality of this intelligence, based on multiple reporting streams in multiple locations, is rarely seen and is alarming in both the amount and specificity of the information.

While we are providing you with this immediate information, we will continue to update you as the situation unfolds.  As of now, this is what we know:  reports indicate that al Qaida is targeting several specific buildings, including the International Monetary Fund and World Bank in D.C.; Prudential Financial in Northern New Jersey; and Citigroup buildings and the New York Stock Exchange in New York.  Let me assure you, actions to further strengthen security around these buildings are already underway.  Additionally, we’re concerned about targets beyond these and are working to get more information."