30 November 2004

People Risk: Whistleblowers are winning...

This article from Charles Baldwin highlights the recent rulings under the whistleblower provisions of the Sarbanes-Oxley Act of 2002. If this is the trend, then employers need to spend more time educating employees and making sure they are in compliance with the letter of the law.

Of major significance to the employer-employee relationship, the Act requires the newly mandated audit committees of corporate boards of directors to establish procedures for the anonymous, confidential submission of employee concerns relating to improper corporate financial, accounting, or auditing practices and creates new civil and criminal liabilities relating to informants. In addition to requiring internal complaint procedures, Section 806 of the Act created a new federal civil claim under the title "Whistleblower Protection for Employees of Publicly Traded Companies." The nature of the claim is broader and imposes fewer burdens on a claimant than other federal whistleblower laws; thus, employers should expect to encounter more claims and litigation arising from the Act.

Recent rulings by the U.S. Department of Labor include:

Getman v. Southwest Securities Inc., No. 2003-SOX-00008, DOL ALJ
Welch v. Cardinal Bankshares Corp., 2003-SOX-15, DOL ALJ
Morefield v. Exelon Servs. Inc., DOL ALJ, No. 2004-SOX-2

In addition to complying with all of Sarbanes-Oxley’s requirements regarding financial reporting controls and corporate governance, prudent employers—whether public or private—must be proactive in implementing policies and procedures to navigate the post-Sarbanes-Oxley landscape. We recommend that employers first conduct a top-to-bottom review of existing policies and practices, ideally in a manner that will maintain all available legal privileges and protections. A review of insurance coverage, including but not limited to Directors’ and Officers’ liability coverage, must be a part of that review. Following that review and follow-up, employers should be in a position to show, at a minimum:

* A code of conduct that spells out specifically the duties of all employees;
* A code of ethics for senior financial officers;
* Establishment and a clear publication of a hotline and other avenues for confidential, anonymous complaints;
* Personnel policies and procedures that comply with the law’s requirements on handling of complaints, document handling and retention, and non-retaliation;
* A clear designation and publication of those persons within the company who have the authority to investigate, discover, or terminate financial misconduct;
* Personnel policies clearly addressing inappropriate conduct, e.g., prohibited conduct regarding media contact, removal of documents, destruction of documents, refusing to participate in investigations;
* Benefit plans and practices that comply with all requirements and prohibitions;
* Procurement practices and procedures to ensure proper screening of human resources consultants and auditors;
* Hiring practices and procedures to ensure proper screening of executives; and
* Comprehensive and documented training programs for all employees that implement the requirements of Sarbanes-Oxley.

29 November 2004

Organizational Survivability...

Corporate Directors are ultimately responsible for Continuous Continuity (C2) of the Enterprise and Organizational Survivability is a Board Room issue.

The modern enterprise that effectively manages the myriad of potential threats to its people, processes, systems and critical infrastructures stands to be better equipped for sustained continuity. A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing. Corporate Directors must scrutinize organizational survivability on a global basis.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C2, or "Continuous Continuity". A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, opens the door to a Board of Directors' worst nightmare. These nightmares are "Loss Events" that could have been prevented or mitigated altogether.

According to the risk management best practices from sources such as the Turnbull Report and specifically Principle 13 of the Basel II Capital Accord, the Board of Directors and corporate management are responsible for the effectiveness of the Business Crisis and Continuity Management of an organization.

Certainly the largest organizations realize that external threats are taking on new and different forms beyond the standard fire, flood, earthquake and twister scenarios. These historically large catastrophic external loss events have been insured against, and the premiums are substantial. What is less easy to analyze from a threat perspective is the constantly changing landscape and continuity posture of the internal facets of the organization having to do with people, processes and systems. Corporate Boards of Directors are now being consistently subjected to regulatory scrutiny across the globe to ensure the continuity and survivability of the enterprise. It is their duty and responsibility to their shareholders to make sure this occurs on a continuous basis. The world can only hope that our Global 500 companies are well on their way to achieving C2 already.

24 November 2004

Managing Operational Risk in Banking...

This latest article by McKinsey may have some interesting insight:

Banks are increasing their coverage against operational risk to comply with new international banking rules, but they may be underestimating the extent of the risks they face. The declines in market value of financial institutions that experienced an operational crisis—such as an embezzlement or breach of regulations—were much greater than the actual financial loss caused by the event, our research found.

The take-away

Banks that understand the true scale of the operational risk they face can take a more realistic approach to controlling it.

This article includes the following exhibits:

* Exhibit 1: Impact of operational crises on market returns
* Exhibit 2: The five most harmful kinds of operational crises

23 November 2004

UK: Civil Contingencies Act...

The UK's Civil Contingencies Act is on the doorstep, and David Honor of Continuity Central has the following observations:

No UK organisation can afford to ignore the Civil Contingencies Act. The category one and two organisations which will be directly impacted will receive information, advice and support from the Cabinet Office on how and when to implement measures. Other organisations would be well-advised to do the following:

• Get a copy of the Act and read it
• Assess your current business continuity plan against the Act’s provisions. Does the Act make any difference to the scenarios you have planned for?
• Redevelop the business continuity plan where necessary and re-test it.
• Liaise with your local authority emergency planning department. This is good practice which is listed as one of the BCI’s Ten Key Disciplines of Business Continuity, but now becomes even more important since local authorities will become one of the key sources of local business continuity information and advice.

19 November 2004

OSAC 19th Annual Briefing...

The topics of the annual Overseas Security Advisory Council Briefing and 8th Annual Transnational Crime Seminar indicate what's on the minds of most CSOs across America and the globe. See if you can spot the common thread:

"Managing Risks and Threats in Challenging Environments" - Bureau of Diplomatic Security

"From Suppliers to Satellites: Balancing Business and Security" - Delphi Corporation

"Coping with Istanbul" - HSBC Holdings, PLC

"Managing World Security Trends"

"Communicating with Employees under Heightened Threat Conditions"

"What do Employees Expect, What do They Need"

"Perception of Bio-security Dangers and the True Vulnerabilities"

"International Kidnapping and Hostage Taking"

"Emergency Preparedness and Business Continuity"

After two days of hearing presentations by some of the most informed individuals on the topics and issues of global security, one individual made a very interesting point:

On the topic of Practice Preparedness and Training Programs for employees he asked, "What do your people do in the event of [Pick a Disaster Scenario]?" The point is, you won't know what they do unless you exercise, drill and experiment with different scenarios. He went on to say that we need to be Leaders of Safety, Health and Operations and that the likes of SARS and Avian Flu will not be stopped by more guards, gates and guns.

Invisible contagious agents that are autonomous will be something we encounter on a mass scale sooner than we think. As professionals paid to worry, this is the one that we don't ever want to encounter and don't know much about how to mitigate the threat to our organizations.

Another vital topic on Abduction Prevention and Hostage Survival promoted the thinking about training to detect surveillance and to make rational and tactical decisions to prevent from being kidnapped. However, in the event of abduction, there are only four outcomes:

1. Negotiate
2. Rescue
3. Escape
4. Death

The point here is that you must maximize survivability and minimize exploitability. Finally, employees and organizations need to have a Personnel Recovery Architecture that includes a continuum for guidance and a crisis management framework.

Operational Risk and Continuity Management is what this 1.5-day briefing was all about. If one thing stood out from all the presentations and conversations, it is that our employees are looking for people they can "TRUST". It's our duty to make sure that we do everything in our power to make this a reality.

Perception drives Attitude that drives Behavior.

18 November 2004

ID Theft: Banks vs. Consumers...

The banks have a different perspective on ID theft and privacy than consumers, as this Bank Tech article points out.

Late last month, four servers containing names, addresses and Social Security numbers of thousands of Wells Fargo & Co. mortgage and student-loan customers were stolen from an Atlanta company that prints loan statements. There's no indication the information has been misused, the bank says, but it's advising affected customers to monitor their accounts for suspicious activity. It's also offering a free one-year credit-protection program and has established a toll-free hotline.

The incident was the latest reminder of how pervasive the threat of identity theft has become, as well as how much of a risk it is for banks and credit-card issuers and their customers. According to the Federal Trade Commission, 9.9 million Americans were identity-theft victims last year. Of those, 6.6 million reported fraudulent use of existing accounts while more than 3 million reported new accounts opened in their names. That cost businesses $48 billion and consumers $5 billion in economic losses.

As banks and other financial institutions outsource operations such as printing statements and sending out direct mail, they are going to be continually subjected to incidents like this. What is commonly the case, and astonishing to say the least, is that these third parties are not always as "buttoned-up" as they should be with their risk detection, prevention and protection programs. If the consumer has anything to fear, it is that their bank is not taking the time to effectively audit and monitor its outsourced service providers.

16 November 2004

NIMS set to be approved...

The National Incident Management System is soon to be approved.

An integrated national plan for response to terrorist attacks and other national emergencies is likely to be approved by Cabinet secretaries by the end of this week, Deputy Homeland Security Secretary James Loy said Tuesday.

By this time next year, the final National Response Plan will have replaced the disparate plans now in effect at federal agencies that work terrorism response, the former Coast Guard commandant said at a maritime-security conference in Washington organized by Defense Today and held at George Washington University.

A February 2003 directive by President Bush required the fledgling Homeland Security Department to design and implement the National Response Plan and the associated National Incident Management System in a bid to "establish a single, comprehensive approach" to managing terrorist attacks, natural disasters and other large-scale emergencies.

The system establishes "standardized incident management processes, protocols and procedures" for incident command organization, communications and preparedness, Homeland Security said in a March fact sheet. The effort is intended to allow first responders from different jurisdictions and disciplines to better coordinate responses to natural and unnatural disasters.

15 November 2004

SOX 404 Deadline today...

The long-anticipated compliance date for Sarbanes-Oxley Section 404 arrived today, and many organizations are not ready.

Although many companies are reportedly not ready for it, the era of internal-controls compliance begins in earnest today. That's when Section 404 of the Sarbanes-Oxley Act goes into effect for all companies whose fiscal year ends after today.

There will be nothing to file on Tuesday. But by early next year, the vast majority of companies that report on a calendar-year will have to assess the effectiveness of their internal controls over financial reporting and state in their annual reports whether the controls are operating effectively. The companies' outside auditors also must evaluate the in-house assessment and render an independent report on it.

The average cost to an organization to get into compliance is estimated at $5M and rising for a Fortune-caliber public company.

12 November 2004

Global Assurance Office...

As the corporate risk management factions realize that they need to converge in their coordination, global assurance management will take hold.

Soon enough the Global 500 will realize the requirement for a more consolidated, coordinated and cohesive entity within the organization for risk management, information security, business continuity, crisis management and emergency response.

The combined expertise in finance, compliance, legal, IT, internal audit, operations, security, human resources and purchasing will all be working together to create the organization's single global assurance office.

This will be the team and staff that manages an "All Hazards" approach to mitigating the threats to the organization. They will be responsible for the single task of making sure that the business is running no matter what event or incident may try and bring it down.

A few savvy organizations have already moved in this direction, and even those that thought they had a single responsible team are now adding new dimensions and capabilities to that team.

11 November 2004

1SecureAudit Prepares WTG Properties Tenants For All Hazards And Catastrophic Incidents

Risk mitigation training solution delivers greater confidence, lower costs, and increased peace of mind for this Washington, D.C. commercial real estate firm

For Immediate Release

MCLEAN, Va./EWORLDWIRE/Nov. 10, 2004 --- 1SecureAudit LLC, an emerging leader in operational risk management solutions, today announced a client success story for WTG Properties in Washington, D.C.

Many companies throughout the Washington, D.C. area are asking the same important question, especially since Sept. 11, Hurricane Isabel and the Northeast blackout. That is: How can businesses be better prepared in the case of serious hazards, incidents and emergencies?

The residents of WTG's N Street property were no exception. "My tenants were asking what we were doing to be better prepared in case of another attack," said John Lane, president of WTG Properties Inc. "Which was logical, given their proximity to the White House.

"But I wanted a proactive and preventative all-hazards program that would cover everything," continued Lane. "I wasn't just worried about terrorists, but also about serious incidents like floods, fires, and hurricanes. That's when I started my conversations with Peter Higgins of 1SecureAudit."

1SecureAudit is a risk management solutions firm that worked with Lane and the residents of the property to teach them how to better cope with emergency situations that may arise.

Higgins explained: "You've heard the term first responders. Well, the fire fighters, police and EMTs are actually the second responders. Employees and tenants are the first responders in a crisis, and they need to be competent, confident and as prepared as possible to handle the situation until the emergency personnel get there - whether it's minutes, hours or days."

Think all hazards. Think convergence of BCCM, ISMS and Corporate Governance. That equals total Global Assurance. The future is here now.

09 November 2004

Business Process Outsourcing: A Real Threat to Security or IP Theft?

Business Process Outsourcing is a hot issue and as this article by The Heritage Foundation so clearly states:

Defending the nation against terrorists, promoting economic growth, and protecting constitutional liberties are all prerequisites for a sound homeland security strategy. At one time or another, outsourcing[1] has been labeled a threat to all three. These criticisms are simply overblown. In fact, if the U.S. partners with nations that share a commitment to the rule of law, transparency, and open competition, it can use sensible outsourcing to enhance the protection of the privacy of American citizens, promote better security practices, and contribute to economic prosperity. Effective outsourcing can provide both cost-effective services and appropriate protections for government and commercial activities supported by overseas vendors.

Now if you talk with the major U.S. technology companies who have outsourced operations in India and China, they will tell you their nightmares. Intellectual property theft is running rampant, and the laws and trade representative sanctions will be hard-pressed to make major changes in the near term. The security of the nation is not going to be compromised by these organizations; the real loss events will occur when their source code is posted on the Internet.

The goal of increasing domestic security and protecting the privacy of U.S. citizens should not be an obstacle to strengthening economic ties with the developing world. Rather, market forces and sensible outsourcing can be used both to promote better global security practices and to encourage economic growth.

08 November 2004

Judgment Calls...

Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

Malcolm Wheatley is a freelance writer in England, and this "Judgment Calls" article was dead-on with good advice, especially number four:

Strategy No. 4: Teach Them Security

Heim’s mention of a back-and-forth negotiation between auditors and security executives carries with it an important conclusion: Security-savvy auditors are a must.

Communicating with auditors as part of a cooperative process is one way of educating them about the security function. Another solution, according to Radianz’s Hession, is to obtain the requisite combination of skills and separation by turning security folks into auditors.

How can you have an effective Information Security Management System without auditors who know “Risk Management” from an IT perspective? The answer is, you can’t. And you can’t have an effective audit for legal compliance issues without IT security professionals who understand the intent of the law. To do this you must have a cooperative team that thinks like a criminal, and that is not easy to create.

The reciprocity between CSO, CIO, CRO, CFO and General Counsel is imperative if any sizeable company is going to mitigate the threats from internal and external attackers. And as this article clearly points out, a healthy measure of objectivity and anxiety is imperative if you are going to have professionals on the front lines do their jobs within the intent of the law.

03 November 2004

Bush defeats Kerry for US Presidency...

George W. Bush won his Second Term as President of the United States today.

"To make this nation stronger and better, I will need your support and I will work to earn it," Bush, referring to Democratic supporters who bitterly oppose his presidency and re-election, said in a speech at the Reagan Center to a cheering partisan crowd.

"I will do all I can do to earn your trust ... we have one country, one constitution and one future that binds us."

The risks have not changed and the way we detect, deter and defend our precious assets will continue to gain momentum for the next four years.

02 November 2004

Advanced Citizenship in Critical Infrastructure Protection...

The dialogue from a recent CSO Conference that focused on information sharing keeps coming back to why it is so hard to accomplish.

Only Bill Boni from Motorola was bold enough to tell the real reason why the cyber world is still not getting the attention it deserves.

Boni: I think the real driving issue here, if you go back and look at [how sprinkler systems came to be in factories], such safeguards come out of the experience of factories burning down and people dying. And until we see mass-casualty events that are critical to information security failures, I don't think you're going to have that same sense of urgency. And, probably, as a society we shouldn't. But, the challenge is to make sure that organizations are doing their reasonable best to not be the cause of part of that event. But my belief is that until we see mass casualty situations that arise from information security, we won't make that transition, and we shouldn't. Unfortunately, I think that it is going to happen at some point. Whether that's before or after I retire from my current employment is a very important deliverable.

It's amazing to find out that even as we speak there are people who are still unprepared to handle the zero-day exploit or the next catastrophic incident. Even when they are considered a "soft target", they still have not exercised and tested to the degree necessary to improve their defense and to plan for the various possible outcomes. Boni is right: if it doesn't happen to me, then why should I spend the time and resources to prepare? For the same reason you pray at your place of worship. You know it's inevitable, and yet you don't know when it is going to happen to you.