31 January 2004

Ethics for the Life Science Company: Old Traditions Meet the Brave New World

Mondaq: Ethics for the Life Science Company: Old Traditions Meet the Brave New World:

Goodwin Procter LLP

In these post-Enron times, ethics – especially corporate ethics – has become a buzzword in the business community. Ethical inquiries into what is "right" for a business and what is "good" are no longer simple academic exercises. Instead, as corporate ethics comes under increasing public scrutiny, doing well in business tends to include both doing what’s right and doing what’s good.

Only if ethical questions are asked, then, can a company decide how it wishes to respond to them. Only if a company thinks through the ethical aspects of its actions can it design policies to prevent or solve ethical problems. Such policies are increasingly important, with ethics assuming such a prominent place in public concern. The mere perception of unethical behavior can damage a company’s reputation and its position in the marketplace. And life science companies are held to a higher ethical standard than other businesses. Because their endeavors affect life itself, society charges these companies with responsible stewardship. To fulfill these responsibilities, companies in the life sciences industry need proactively to incorporate ethics into their institutional structure so that they can anticipate and avoid ethical problems, not just solve them. Traditional methods of bioethical analysis can help even the most innovative company in such tasks.

Companies in the life sciences face the same corporate ethics concerns as other businesses. In addition, though, the very nature of the life sciences industry entails an additional level of ethical reflection. Life sciences companies concern themselves with technologies derived from and relating to life itself, whether on the nano-level or the macro-level. These companies hence have to reckon with matters of bioethics as well as business ethics. Companies in this industry are generally young and fast-growing, fueled by fast-paced scientific discovery. Technological development can thus outpace corporate introspection, so that a company’s ethical principles and policies become implemented only as afterthoughts, when legal or public relations problems crop up.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2004 Goodwin Procter LLP. All rights reserved.

30 January 2004

Dealing with Dirty Bombs: Plain Facts, Practical Solutions

Dealing with Dirty Bombs: Plain Facts, Practical Solutions:

by James Jay Carafano, Ph.D., and Jack Spencer

Most assessments of America's vulnerabilities include some mention of the nation's susceptibility to attacks by radiological dispersal devices, or 'dirty bombs.' The threat is often portrayed as a homogenous danger, but it in fact covers a spectrum of risks, not all of which are equally serious.

Because the nature of the threat is often misconstrued, there is no shared appreciation of the problem or how best to address it. The reality is that the threat of a dirty bomb attack by terrorists is a credible one, although the psychological and economic consequences would likely far outweigh any casualties or physical destruction. To be better prepared, the United States should:

* Develop national standards for emergency response,

* Create a national system-of-systems emergency response structure,1

* Focus federal resources on developing national surge medical capacity,

* Centralize oversight of federal emergency medical response in the Department of Health and Human Services,

* Enhance federal expertise in emergency medical care, and

* Establish better coordination with the
private sector.

Building an effective national emergency response system could facilitate all these actions. Specifically, the U.S. should:

* Develop national standards for emergency response.

There are no national standards for an emergency response to a dirty bomb attack, or for that matter to any major terrorist incident. This is a subject of some debate. Long before September 11, experts in the field recognized that the lack of measurable objectives would make it difficult to establish policy goals, allocate resources properly, and establish the right balance of local, state, and federal roles in responding to a disaster. On the other hand, many have opposed such an initiative. The National Governors' Association, for example, has argued against mandatory standards. The U.S. Conference of Mayors has called for broad discretion in funding, allowing communities to adapt resources to local needs.

In fact, current assessments of preparedness are based on voluntary surveys and needs assessments. Both have significant shortfalls. They lack objective measures of preparedness and consistent criteria for determining what personnel and equipment are needed for emergency response. Nor do these assessments account for the biases frequently associated with self-reported information. Establishing broad national standards is essential for creating a rationale national response system.

The House Select Committee on Homeland Security has unanimously approved the Faster and Smarter Funding for First Responders Act (H.R. 3266), which includes procedures for establishing standards for responding to radiological attacks and other types of attacks using weapons of mass destruction. This legislation could serve as the foundation for establishing appropriate national preparedness standards.

* Establish better coordination with the private sector.

A significant portion of the cleanup after a radiological disaster will be conducted by the private sector. Potentially, in addition to professional responders and volunteers, there are about 6.5 million skilled construction workers in the United States who could respond in the wake of a disaster.

Thousands of workers, for example, were required at the World Trade Center to help in response and recovery operations. The response also illustrated the challenges of being unprepared to quickly integrate civilian assets into a dangerous emergency response environment. A safety survey of the site found that many of these workers lacked even basic safety equipment, including safety eyewear, dust masks, ear protection, gloves, steel-toed boots, and hard hats. As a result, numerous injuries occurred and long-term health concerns arose during the course of operations.

The DHS, in concert with state and local governments and the private sector, should explore means to pre-train and certify construction workers; establish a registry of qualified contractors, firms, and unions; and link them to emergency management agencies. The DHS also needs to determine how technologies to speed cleanup efforts and protect workers can be rapidly distributed or contracted from the private sector when required.

Conclusion

A clearer understanding of the dirty bomb threat will ensure that policymakers are prepared to coordinate public, private-sector, and governmental responses to a dirty bomb attack. Policymakers and the public need to understand the costs and risks associated with dirty bombs to invest appropriate resources for preparation and prevention efforts as well as for consequence mitigation.

Perhaps most important is ensuring that people do not overreact to the mere presence of radiation without full knowledge of the extent and type of contamination. Implementing a few commonsense policies will not only better prepare the nation for a dirty bomb attack, but also substantially increase America's general preparedness.

James Jay Carafano, Ph.D., is a Senior Research Fellow for National Security and Homeland Security, and Jack Spencer is a Senior Policy Analyst for Defense and National Security, in the Kathryn and Shelby Cullom Davis Institute for International Studies at The Heritage Foundation.

29 January 2004

U.S. Rolls Out Cyberattack Warning System

U.S. Rolls Out Cyberattack Warning System:

By Andy Sullivan

WASHINGTON (Reuters) - The U.S. government on Wednesday rolled out a 'cyber alert' system to warn computer users about viruses, worms and other online threats, two days after the 'MyDoom' worm snarled e-mail traffic worldwide.

Internet users who sign up will receive e-mail warnings about new worms like 'MyDoom,' as well as general tips about how to make their computers more secure, officials with the Homeland Security Department said.

Officials said they hope to slow the spread of cyber attacks by making the online public more aware of the specific weaknesses they exploit.

'The intent is for this information to be made available to the public to receive the widest and most appropriate distribution,' said Amit Yoran, director of Homeland Security's cyber security division.

Online attacks like SoBig and Slammer have shut down automatic teller machines, interfered with emergency-dispatch systems and knocked nearly the entire country of South Korea offline. Security experts say future attacks could disable power plants, hospitals or other 'critical infrastructure.'


Experts say MyDoom accounted for 1 in 9 e-mail messages over the past few days.

Homeland Security's warning system is intended to augment alerts from private security companies like Symantec Corp. (SYMC.O: Quote, Profile, Research) , Yoran said. Unlike the department's terrorism warning system, it will not offer color-coded threat levels.

Computer users can sign up for the alert system at US CERT, Yoran said. Warnings will be sent by e-mail and also posted on the Web site, he said."

Bills Target Computer Crimes and Identity Theft in Maryland

WTOPNEWS.com:

By MARC LIGHTDALE
Capital News Service

ANNAPOLIS, Md. - Two new Maryland bills are targeting computer crimes -- the growing problem of identity theft and hacking into government and public utility computers.

The bills are the work of Delegate Susan Lee, D-Montgomery, an attorney, but at Wednesday's news conference to introduce the legislation she had plenty of support from others, including Montgomery County State's Attorney Douglas Gansler and Prince George's County State's Attorney Glenn F. Ivey.

Although interruptions to computer systems have been brief and have not caused extensive damage, Lee said, 'Computer experts are justifiably worried that the states' computers systems are vulnerable to cyber-terrorism.'

Maryland ranks 11th nationally in identity theft victims per 100,000 people, while D.C. is ranked 12th, according to information from Ivey's office.

Identity theft occurs when someone steals a name, Social Security number, bank account number, credit card number or other personal identifying information and uses the information for illegal purchases or other frauds.

A sense of urgency exists in trying to curb identity theft, Lee said, quoting FTC statistics showing the problem is increasing nationally."

28 January 2004

Banks warned over viruses and offshoring terror risk

silicon.com - Banks warned over viruses and offshoring terror risk:

by Andy McCue

FSA says technology exposing the City to risk and crime...

Terrorist attacks on outsourced operations, computer virus outbreaks and internet-based 'phishing' scams will all pose serious threats to the UK banking industry in 2004, according to industry regulator the Financial Services Authority (FSA).

In its Financial Risk Outlook 2004 report, the FSA warns that the terrorist threat remains high, with London and other major financial centres high-profile targets.

'The attacks in Istanbul in November 2003 highlighted the need for UK financial institutions to consider risks relating to their overseas operations. The trend towards 'offshoring' key business functions mean that this is an issue for an increasing number of UK firms,' the report said.

The FSA said it will continue to 'monitor the preparedness' of financial institutions but does not want to be 'too prescriptive about the nature of back-up systems' that firms use.

The phishing and virus attacks also continue to expose the banking industry and the City to a variety of new and evolving threats, and the report claims that smaller financial institutions are a potential weak link.

'Although larger institutions often have well-developed IT security departments and systems, this may not be the case for smaller firms or independent advisers. Firms also need to consider the risk that such an attack could occur at the same time as a physical disruption. This has been identified as a significant risk by law enforcement agencies in the US,' the report said.

Phishing scams, in which spam emails try to direct unwitting users to fake internet banking sites so as to capture confidential personal details, have also been flagged up by the FSA as a problem that is proving difficult to combat. The likes of Barclays and LloydsTSB have been hit.

'The cross-jurisdictional nature of the technology makes it difficult to trace perpetrators. One particular case involved a fake site with a host in one country, paid for from a second, with a server in a third, an IP address in a fourth and a domain registration in a fifth,' said the FSA.

But the FSA also says that the banking industry needs to make use of technology such as web-monitoring software in order to detect fake sites, in addition to working with law enforcement agencies, internet service providers and regulators.

'The immediate risk is to a firm's reputation if its name is connected with fraud. In the longer-term, consumers could lose confidence in internet-based financial services.'"

27 January 2004

Terrorism not widely addressed in European business continuity plans

Terrorism not widely addressed in European business continuity plans:

A survey by Synstar has found that terrorism features in just 20 percent of European business continuity plans. The survey of 700 European IT directors also revealed that changes to business continuity plans are more likely to be driven by issues that feel closer to home, such as corporate governance and audits (35 percent), and existing and potential customers (30 percent). 29 percent say that business continuity plans cover disruptions caused by severe weather conditions. 14 percent said they have plans in place in case of changes in the economic climate with a further 14 percent stating they have plans to cope with possible strike action.

The survey found that 50 percent of companies have reviewed their business continuity plans in the last 12 months. However, some 20 percent were not aware if any changes to the plan had actually been made as a result. 10 percent admitted their BC plans were last reviewed more than two years ago. Even more surprising is the finding that 16 percent of IT directors don't know what risks their BC plans cover."

COMMENT:
==============================================================
Predicting where, when and how a terrorist will attack our physical and information assets is ever so difficult to say the least. Ask any of our respective intelligence organizations this question and there is always a degree of analysis on the two main intersections of the threat matrix. Threat exposure X Consequences. The 20% who have evaluated terrorism in their respective Business Crisis and Continuity Management have found areas of "Intolerable Threat" with regard to their particular asset targets. The question is, why is it that 80% of the IT directors don't consider their own existing or former employees capable of malicious behavior? For terrorism, the threat is the aggressors (people or groups) that are known to exist and that have the capability and history of hostile acts, or have expressed intentions for using hostile actions against potential targets. Terrorist attacks are typically low probability high consequence events. They require substantial investments in mitigation measures built into operational parameters. The key for the IT Director is to identify the best and most cost-effective mitigation measures for their own unique security needs and risk appetite.

Internet terrorism fears as virus hits

The Australian: Internet terrorism fears as virus hits:

By Chris Jenkins

COMPUTER users worldwide have been caught in the crossfire of an internet attack that experts say could be the precursor to 'cyber terrorism'.

Just days after the relatively harmless 'Bagle' virus, a new internet worm, known as MyDoom, Norvarg or Shimgapi, began appearing yesterday.

The worm has been rated as a high-level security threat.

While Bagle did little more than spread itself, MyDoom packs more malice, being programmed to mount a denial of service attack on US software company SCO's website.

Such an attack aims to bring down a company's systems by flooding them with traffic. While it continues to spread via email, the worm is not scheduled to begin its attack on SCO until February 1.

SCO has made itself unpopular in some computer circles, particularly among users of Linux, an operating system developed on a community basis and shared for free. SCO claimed it had copyright over some parts of Linux, and a legal row developed when the company began demanding licence fees.

A rival to Microsoft's Windows, Linux has gathered a loyal group of supporters.

It is believed the attack on SCO could be the work of an angry Linux supporter.

Australian SCO spokesman Keiran O'Shaugnessy said the company was 'keeping an eye' on the threat, but would not speculate on the motivation for the attack or its source. Large denial of service attacks have previously been attempted against the White House and Microsoft.

MyDoom's strike seemed to be the result of a particular issue, managing director of internet security company Symantec John Donovan said. The attack was perhaps a precursor to more serious politically motivated hacking. Research indicated politically motivated attacks would likely increase, he said.

In a worst-case scenario, an internet attack could be combined with a physical attack, such as a bombing, knocking out communications during an emergency."

Company Leaders Say Ethics Needed, Not Rules

Co. Leaders Say Ethics Needed, Not Rules:

DAVOS, Switzerland, (Associated Press) -- First Enron in the United States. Now Parmalat in Europe. What to do?

That question pursued corporate and government leaders to their annual meeting in the Swiss Alps. With each new example of corporate trickery, the cry goes up for tougher regulations to police business executives.

'We have an environment in which fraud and malfeasance have destroyed jobs and assets while chief executive pay goes up year after year,' William G. Parrett, chief executive of audit firm Deloitte Touche Tohmatsu, told a panel discussion at the World Economic Forum.

With the bankruptcy of Italian dairy giant Parmalat making headlines amid allegations of fraud and faked balance sheets, corporate governance -- the rules enforcing executives' responsibilities to shareholders - was a major recurring topic at the five-day conference that ended Sunday. It competed for attention with speeches by Presidents Mohammad Khatami of Iran and Pervez Musharraf of Pakistan and other leaders on issues including nuclear weapons, the war in Iraq and the world economy.

Last year, the meeting focused heavily on the collapse of energy trader Enron and new rules imposed by Congress.

This year, there were more voices cautioning that regulation alone can't substitute for strong boards of directors and executives willing to stress personal integrity.


Boards need to be independent and make sure they're hiring people of integrity as chief executive officers, said Robert Diamond, chief executive of Barclays Capital, the investment banking arm of Britain's Barclays.

'The quality of the CEO goes to the heart of the board's responsibilities,' said Diamond.

'I do think rules are important, I do think law is important, and I absolutely endorse a strong regulatory framework."

26 January 2004

NASAA Top Ten Fraud, Scams, Schemes and Scandals 2004

NASAA:

"NASAA FRAUD CENTER

State securities regulators have identified the Top 10 scams, schemes and scandals investors are likely to face in 2004. New to the North American Securities Administrators Association’s (NASAA) annual survey of state securities enforcement officials are mutual fund practices, senior investment fraud, and variable annuities.

“Investors are facing increasingly complex and confusing scams. Our fight against fraud never stops because each year con artists discover new ways to fleece the public. Sadly, many of the age-old scams still work to cheat victims of their hard-earned savings as well. It pays to remember that if an investment opportunity sounds too good to be true, it usually is,” said Ralph Lambiase, NASAA's President and Director of the Connecticut Securities Division.

Lambiase cautioned that investors must remain vigilant in the fight against investment fraud. “All securities regulators, whether local, state, or federal, share the common goal of protecting investors,” he said. “I urge legislators to help us continue to do our jobs by ensuring that regulators have sufficient resources to protect our citizens.”

Investors lose billions of dollars annually to investment fraud, Lambiase said. NASAA offers a wealth of resources to help investors protect their savings. "Education and awareness are an investor's first line of defense against investment fraud," Lambiase said.

E-mail scam taps antiterrorist push, says FDIC

E-mail scam taps antiterrorist push, says FDIC | CNET News.com:

By Robert Lemos
Staff Writer, CNET News.com

The Federal Deposit Insurance Corp., the national insurer of U.S. bank accounts, warned Americans on Friday that a convincing e-mail scam is making the rounds.

The fraudulent e-mail claims to be from the FDIC and informs recipients that their bank account has been denied insurance as a result of an investigation by the U.S. Department of Homeland Security into 'suspected violations of the Patriot Act.' The USA PATRIOT Act, which was passed after the Sept. 11 attacks, gives broad powers to law enforcement to combat terrorism.

'Someone really did their homework,' said David Barr, a spokesman for the FDIC, adding that the letter is mostly free of the grammatical and spelling mistakes that usually act as a sign that the message is not genuine. Moreover, citations of the little-understood antiterrorism law, whose acronym stands for 'Uniting and Strengthening of America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism,' lend the message a dire tone.

'The Patriot Act is an actual act out there. It's done through Homeland Security, and it's used to block the flow of money,' making the fraudulent e-mail seem at least plausible, Barr said.

The FDIC sent out the advisory after being inundated with complaints from consumers, who were worried that their bank accounts wouldn't have the $100,000 protection historically guaranteed by the FDIC.

The scheme is only the latest attempt to get personal and financial information through fraud, a criminal activity known as 'phishing.' Similar messages have targeted customers of Citibank, Wells Fargo, PayPal and other financial companies, but haven't cited the USA PATRIOT Act."

23 January 2004

Bush wants to spend more to fight terrorism

The Miami Herald | 01/23/2004 | Bush wants to spend more to fight terrorism:

President Bush announces he will seek a nearly 10 percent increase in federal spending next year to combat terrorism at home.

BY AMY GOLDSTEIN AND DAN EGGEN
Washington Post Service

ROSWELL, N.M. - President Bush announced Thursday that he will seek a nearly 10 percent increase in federal spending next year on efforts to prevent terrorism within the United States, an expansion that is more than twice as large as the overall rise in discretionary spending in the budget the president is preparing to send Congress in two weeks.

White House officials said that the biggest chunk of the extra funds for homeland security would include a 19 percent increase for Justice Department counterterrorism programs, to $2.6 billion, which would allow the FBI to devote more agents to investigating suspected terrorism and heighten the agency's ability to gather intelligence. Most of rest of the money would go to the Homeland Security Department, according to the officials, who refused to disclose how it would be spent."

The Domino Theory

The Domino Theory:

Ivan Schneider
Bank Systems & Technology

Get ready for turbulence, says J.D. 'Denny' Carreker, chairman and CEO of Carreker Corporation. (Dallas). 'The next two to three years are going to be defining for the banking industry,' he says.

That's because competitive pressures from non-banks have begun to impact the bottom line of traditional banking organizations. 'My brother is the CEO of a retail company and you've got non-banks out there knocking on the door, causing them to make multimillion-dollar decisions to bypass the bank of first deposit,' says Carreker.

Thus, 2004 is shaping up to be a transitional year. 'It'll be a tough year,' he adds. 'The business is still going to grow but it's a year where you have a lot of competition, and by definition, if you're not figuring out how you're dealing with it in '04 to '06, you're going to be in trouble.'

In order to fend off the competition, banks are preparing to trade check images instead of paper checks or the Image Replacement Documents (IRDs) made possible by Check 21. But that's just the beginning. 'We believe that image exchange is the first domino in a series of dominos,' says Carreker. 'If [image exchange] does take off, it then positions the banks to start looking upstream, from the reader/sorters that they use today to capture images, to ATMs, branches, remittance processing centers, customers, wholesale customers, small businesses, large national customers and even to the point of sale.'

Participating banks will have the ability to reshape the economics of check clearing, Carreker says. 'You're cutting out transportation costs, you're cutting out processing costs where you're recapturing the item, balancing and reconciling, and you're positioning to do image returns and handle exceptions, which is an enormous cost to the bank.' "

22 January 2004

Identity Theft, Internet Fraud Reports Up in U.S.

Identity Theft, Internet Fraud Reports Up in U.S.:

(Page 1 of 2)
By Andy Sullivan

WASHINGTON (Reuters) - Americans reported losses of $437 million last year to identity theft and fraud as scam artists made themselves at home on the Internet, according to federal statistics released on Thursday.

The Federal Trade Commission said it received more than half a million consumer complaints in 2003 as scam artists financed their spending sprees with other people's credit cards and hucksters sold nonexistent products through online auction sites like eBay Inc .

But Americans are becoming more aware of the problem and act quickly when they discover they've been victimized, said Howard Beales, head of the FTC's consumer protection division.

Identity theft -- the practice of running up bills or committing crimes in someone else's name -- topped the list with 215,000 complaints, up 33 percent from the previous year."

Security at the Four Corners

Security at the Four Corners - CSO Magazine - January 2004: "

When security is a global undertaking, CSOs are subject to the murky legal requirements of multiple jurisdictions at once.


BY DAVID H. HOLTZMAN

A GOOD ROAD trip always seems to include a stop at one of those places where you can stand in three or four states at the same time. So, it's a wonder that data centers don't sell tickets. After all, every computer on the Internet straddles hundreds of countries. This geographic side effect of networked technology is unappreciated by corporate planners, but security wonks know better. They know that the tangled skein of enterprise cabling foreshadows the legal snarls and ethical hairballs that will be coughed up in a security catfight.

When customers and employees are international, ethical ambiguities are compounded. The current war in Iraq has made it painfully obvious that American interests are not necessarily shared by others, even by those whom we consider 'business-friendly.'

Unlike conventional crime, computer thuggery frequently reaches across territorial lines, often originating from countries where the act is not illegal. Using legal bandages to staunch such a security wound may be too little, too late. Businesses with trade secret sensitivities might want to consider less formal protection strategies such as white hat hackers.

Disjointed expectations of privacy mean more than a mismatch in confidentiality laws. There's often a cultural skew. For instance, the requirement for opt-in in the European Union is more than a statute; it reflects the underlying sense of 'fairness' in countries like France or Germany.

What can a globally conscious CSO do? Education always helps. Start by running cultural awareness seminars for security staff to minimize cultural misunderstandings. When training other employees, be clear when explaining the rules. Don't appeal to patriotism or even laws. If it's against corporate rules, it's wrong"

21 January 2004

"City regulator is ready to crack the whip - UK

FT.com "City regulator is ready to crack the whip:

By Charles Pretzlik

When Callum McCarthy took over as chairman of the Financial Services Authority last year, he was handed the strongest whip in financial regulation.

Six months on, there are signs he intends to crack it.

Buried in the 103 pages of the latest edition of the FSA's annual Financial Risk Outlook are a series of warning shots to the financial markets and strong hints about where the regulator plans to turn its attention.

In the wholesale markets, areas that are singled out include: hedge funds, the commodity markets, investment banks that create special purpose vehicles, credit derivatives and fund managers who have allowed some investors to carry out improper market timing strategies.

In the retail market, the FSA warns that many life assurers are still weak and it threatens to clamp down on malpractice in mortgage self-certification, where borrowers do not need to prove their income levels.

For good measure, there are also warnings about the extent of financial crime, the distractions presented by huge volumes of new regulations, and the increased threat of terrorism.

The tome amounts to a 2004 agenda for the FSA's new leadership, which has already signalled a determination to become more vigorous in pursuing miscreants in the financial markets.

Financial Crime and terrorism

The trend towards moving operations off-shore could increase financial institutions' vulnerability to terrorism, the FSA says.

It also says: "We continue to see increasing numbers of advance-fee frauds and 'boiler room' schemes. Staff fraud in financial institutions and identity theft have risen in prominence, arising partly from the rapid growth in electronic transfer of personal information." Additional reporting by Lina Saigol, Elizabeth Rigby, Kevin Morrison and Jane Croft"

New FDA Initiative to Combat Counterfeit Drugs

New FDA Initiative to Combat Counterfeit Drugs:

In an effort to protect against the rising occurrence of potentially unsafe counterfeit drugs reaching consumers, FDA is announcing a new initiative to more aggressively protect American consumers from the risks posed by counterfeit drugs. As part of this effort, FDA has created a new internal task force that will develop recommendations for steps FDA, other government agencies, and the private sector can take to minimize the risks to the public from counterfeit drugs getting into the supply chain.

Background on Counterfeit Drugs
Risks of Counterfeit Drugs


Counterfeit drugs pose potentially serious public health and safety concerns. They may contain only inactive ingredients, incorrect ingredients, improper dosages, or even dangerous sub-potent or super-potent ingredients. Drug counterfeiting is a relatively rare event in this country; however, FDA has seen its counterfeit drug investigations increase to over 20 per year since 2000, after averaging only about 5 per year through the late 1990s.

In addition, counterfeiting in recent years has shifted increasingly into “finished” pharmaceuticals (the final product taken by the patient) as opposed to counterfeiting of “bulk” drug ingredients in the past. As drug manufacturing and the distribution system have become more complex, there are increased opportunities to introduce more legitimate appearing products into the drug supply in the U.S., and the challenge of protecting against unsafe counterfeit drugs has become more difficult.

Counterfeit drugs entering the U.S. distribution supply chain can find their way into the system through the secondary wholesale market, where drugs can change hands several times before reaching the end user. Such drugs can also enter the U.S. market via disguised imports from other countries, or through the purchase by American consumers of drugs through the internet.


Engage Private Sector Stakeholders.

The task force will gather private sector information and collaborate with pharmacy and health professionals, drugs manufacturers and distributors, consumer organizations, and other stakeholders on how to best counter these criminal practices.

Engage Other Government Agencies.

The task force will improve coordination with other government agencies, including the U.S. Customs and Border Protection Service, the Treasury Department, the Department of Justice, and States, who have experience with counterfeiting.

Defending the Brand: Aggressive Strategies for Protecting Your Brand in the Online Arena

Amazon.com: Books: Defending the Brand: Aggressive Strategies for Protecting Your Brand in the Online Arena:

About the Author


Brian H. Murray (Arlington, VA) is vice president of client services at Cyveillance, whose clients include nineteen of the Fortune 50. He is one of the world's leading experts on brand and digital asset protection.

Book Description

Leading brands and the intellectual property of successful organizations are increasingly falling victim to hostile tactics from unscrupulous businesses. Unwanted brand associations, product piracy, and other forms of online brand abuse threaten to alienate consumers and undermine the success of companies in every industry.

Defending the Brand introduces strategies being used by companies around the world to fight back and regain control, preserving brand equity and rescuing potentially lost revenue. From marketing and sales initiatives that discourage abuse to how to collect intelligence on possible wrongdoers, this timely book is as valuable as it is fascinating.

Punctuated with eye-opening stories from real companies like Home Depot, Disney, the Red Cross, Nintendo, and the Associated Press, Defending the Brand is a call to action for companies unwilling to compromise the power of their brands and the success of their products."

COMMENT:
=================================================
Brian's book is a must read if you are serious about protecting and managing the risk of your online strategies, digital marketing presence and ensuring the reputation of your enterprise.

20 January 2004

"HealthSouth Probe Finds Up to $4.6 Bln in Past Fraud

"HealthSouth Probe Finds Up to $4.6 Bln in Past Fraud : (Update5)

Jan. 20 (Bloomberg) -- HealthSouth Corp. uncovered as much as $4.6 billion in fraudulent accounting over the past decade, or almost $2 billion more than U.S. prosecutors accused company founder Richard Scrushy of inflating, said interim Chief Financial Officer Guy Sansone.

HealthSouth, the largest U.S. operator of rehabilitation hospitals, uncovered $2.5 billion in fraud and as much as $1.6 billion that the company deemed as aggressive, Sansone said in an interview following an investor meeting in New York. The company also improperly accounted for $500 million in acquisition costs, he said.

Scrushy was indicted Nov. 4 for allegedly inflating earnings by $2.7 billion from 1996 to 2003 and laundering money. Fifteen other executives pleaded guilty and are helping prosecutors. Sansone said the company is sharing information from its review with the government.

``The government is aware of this,'' Sansone said. U.S. Attorney Alice Martin said HealthSouth shared its presentation with prosecutors and she declined to comment further.

HealthSouth is trying to avoid bankruptcy after the U.S. Securities and Exchange Commission sued Scrushy and the company last March for fraud. The company also is trying to avoid indictment and has made a series of changes to corporate governance, internal controls and its board of directors."

Scandals Are a Hot Topic in College Courses

Scandals Are a Hot Topic in College Courses: "

(HeraldNet) -- Recent ethics scandals at the Boeing Co., Enron and other corporations are providing up-to-date case studies for college business schools, professors said.

University of Washington finance professor Jonathon Karpoff said he plans this week to start discussing the issues that led to the resignation of Boeing chief executive Phil Condit with his students who are pursuing their doctorates.

And at Edmonds Community College, accounting instructor Andy Williams said he hands out copies of newspaper stories about finance officers going to jail.

Ethics discussions have 'filled up my accounting classes,' said Williams, who also teaches part-time at Seattle University. 'It gets students interested. It illustrates some of the key points.'

For Williams, the accounting scandals at WorldCom and Enron have been particularly useful. WorldCom's accountants misstated billions of dollars worth of expenses to make the company look more profitable, while Enron's chief financial officer admitted Wednesday that he and other top managers had manipulated public financial statements to mislead investors and boost the company's stock prices and credit ratings.

The lesson for accounting students to learn, Williams said, is that 'standards are more important to them than any one job.' Whistleblowers sometimes pay a high personal cost, but 'the costs of not taking a stand are greater.'

The Boeing ethics issues came to light so recently that Williams said he hasn't had time to incorporate them into his curriculum. In late November, chief financial officer Mike Sears was amid allegations that he had offered a job to the Pentagon weapons buyer who was negotiating the 767 tanker deal. Boeing also fired the former Pentagon official, Darlene Druyan.

'I could see doing something about that when we get to a lesson on conflicts of interest,' Williams said. 'Even if there were no objective conflict of interest, the appearance was there.'

For Karpoff's graduate students, the lessons are more subtle.

In general, corporate scandals are costly, he said. 'Firms pay pretty heavily through their lost reputations.'"

Antiterrorism Taxonomy

By Peter L. Higgins

A common taxonomy was developed years ago for the antiterrorism terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say anti-terrorism policy as it pertains to the non-digital world. Or better yet, maybe we could get the two to converge.

As an example, in the context of the digital attacker we have Sandia Labs Taxonomy:

Hacker
Spies
Terrorists
Corporate Raiders
Professional Criminals
Vandals
Voyeurs


Each is unique and has its own domain or category. I'm sure that the same could be used for the context of attackers in the non-digital world, possibly with the execption of Hacker. However, the definition of corporate raider in the off line domains may not be synonymous with the on line domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:

Attackers
Tool
Vulnerability
Action
Target
Unauthorized Results
Objectives


Without combining the context under each category, we lose the impact of what we are trying to make contextual with regard to an "Incident". We need to make sure that the antiterrorism taxonomies of the off line and on line domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:

Challenge, Status, Thrill
Political Gain
Financial Gain
Damage

When we move to the off line domain and are doing risk mitigation and preparedness exercises for antiterrorism we utilize another set of words to describe and evaluate infrastructure threats and hazards. Five factors here are:

Existence addresses the question of who is hostile to the assets of concern?

Capability
addresses the question of what weapons have been used in carrying out past attacks?

History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?

Intention addresses the question of what does the potential threat element hope to achieve?

Targeting
addresses the question of do we know if an aggressor is performing surveillance on our assets?

We believe that as our cultures, countries, agencies, and professionals work together on antiterrorism and counterterrorism initiatives we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident managment systems.

To accelerate our focus here, please see: SemioSkyline

19 January 2004

The Australian: Britain's anti-terror plans slammed:

From correspondents in London

BRITAIN’S anti-terrorism policy is “uncoordinated, condescending and outdated” says a confidential report by a team of security analysts, a British newspaper said today.

“The present policy - such as it is - is no longer plausible,” says the report, commissioned by Britain's top anti-terrorist police officer David Veness, according to The Sunday Telegraph.

The 63 page study, which took seven months to compile, aimed to assess what the commercial sector in London could do to assist the police's counter-terrorism effort, the newspaper - which said it had a leaked copy - said.

“The commercial sector appears to be unanimous in its criticism of the present counter-terrorism communications policies prior to a major incident,” the report had said, the paper reported.

“They find it outdated, condescending, generally uncoordinated and at times incoherent,” the report says.

Britain, the United States' main ally in the war against Iraq last March, is widely considered to be high on the list of targets for terrorist organisations such as al-Qaeda, responsible for the September 11 attacks in New York and Washington.

“The government's current counter terrorist policy was founded largely out of the outdated premise of preventing public panic by saying as little as possible,” the study reportedly says.

“The scale of the present threat necessitates a well-coordinated and informative approach,” it says, according to the newspaper.

"Lifting the Lid: Scandals Show Risks at Far-Flung Operations

"Lifting the Lid: Scandals Show Risks at Far-Flung Operations:

(Page 1 of 2)
By Arindam Nag and Siobhan Kennedy

NEW YORK/LONDON (Reuters) - The current crop of accounting scandals highlights how multinational corporations can get hit hard by inadequate controls at foreign units, especially if those businesses are under pressure to meet tough financial targets.

Accounting problems announced recently by Swiss recruitment firm Adecco SA, like those revealed last year by Dutch retailer Ahold NV, center on activities that took place in the United States, thousands of miles from their head offices. Even the multi-billion-euro scandal at Italian dairy group Parmalat may have been partly triggered by its aggressive expansion in North and South America.

Industry experts blame internal supervisory systems that often fail to adequately cover faraway units. This may not only encourage local employees to cut corners and cover up difficulties for fear of upsetting headquarters but also allow executives to hide troubles from investors and regulators at home.

'If a corporation consists of a far-flung empire that can impede the information from flowing, that sometimes creates opportunities for renegade executives to take unfortunate liberties,' said Michael Young, a lawyer with Willkie Farr & Gallagher.

Adecco has not provided many details of its recent problems, saying only they involved internal controls at its North American operations. Ahold is still trying to recover from the fraud at its U.S. food distribution business while the shenanigans at the now insolvent Parmalat include a web of vehicles in offshore tax havens such as the Cayman Islands.

Lack of supervision over three areas usually triggers red flags: poor inventory management, improper control over collecting receivables and using lenient methods to recognize revenue.

The problems can be accentuated when a company, instead of building a business in a foreign land decides to buy one and in some cases bases its international expansion strategy on a series of acquisitions.

While they may gain local brand names, staff, customers and connections, the acquirer can also inherit weak accounting and internal governance systems that could create havoc in the future.

'The seeds (of today's scandals) were planted years ago,' said Young.

Some experts say that while modern businesses have decentralized, putting a lot more power in the hands of local managers, they have also imposed stiffer profit targets on them.

Rather than risk their jobs by admitting they have failed, some managers may find creative, and sometimes eventually fraudulent, ways to cover up gaps in a unit's performance. "

17 January 2004

Anti-Counterfeit Steps by Drugmakers Sought

Anti-Counterfeit Steps By Drugmakers Sought:

Legislators' Goal Is to Halt Illegal Sales

By Mary Pat Flaherty and Gilbert M. Gaul
Washington Post Staff Writers
Saturday, January 17, 2004; Page A11

Congressional lawmakers asked five of the nation's largest drugmakers yesterday to explain what they are doing to stop counterfeit drugs from entering the marketplace. The letters are part of a widening effort in Congress and among federal agencies to crack down on the illegal distribution of prescription drugs.

The House Energy and Commerce Committee said it was acting 'in light of the public health concerns.' The committee contacted Eli Lilly and Co., GlaxoSmithKline, Johnson & Johnson, Pfizer and Serono -- companies whose products have been the target of counterfeiters.

'Despite the best efforts of many companies, the counterfeit drug problem is getting worse every day,' committee spokesman Ken Johnson said. 'If we're going to turn the tide, clearly it will take a greater cooperation between the private sector and the federal government.'

Spokesmen for the five companies said they welcomed the request. The spokesmen for Serono and Johnson & Johnson said their companies already have added tracking devices to expensive product lines that have experienced counterfeiting. Serono, Johnson & Johnson and Lilly said they have also tightened their distribution systems.

In October, reports by The Washington Post identified widespread failures in the distribution system for medications, including sales of counterfeit drugs and the rise in sales of controlled drugs online with little medical supervision.

The letters to drug manufacturers follow earlier requests by Congress to several major credit card companies, shippers and Internet search engines about their role in the sale or delivery of narcotics bought from illicit Internet pharmacies."

16 January 2004

Executive Office for Terrorist Financing and Financial Crime

U.S. Treasury: "

Mission

EOTF/FC develops and implements U.S. government strategies to combat terrorist financing domestically and internationally, develops and implements the National Money Laundering Strategy as well as other policies and programs to fight financial crimes, participates in the Department’s development and implementation of U.S. government policies and regulations in support of the Bank Secrecy Act and the USA Patriot Act, represents the United States at focused international bodies dedicated to fighting terrorist financing and financial crimes; and develops U.S. government policies relating to financial crimes."

Meeting Stringent 21 CFR Part 11 and GxP Standards - US FDA

What Should You Do Now?

The FDA’s guidance will provide assistance to organizations
in the development and implementation of their risk-based
compliance approach. For organizations that have already
initiated Part 11 and risk-based compliance programs, the
guidance can be used to streamline and focus efforts on
areas that are most significant from a quality, safety and
efficacy perspective. The guidance should prompt
organizations to evaluate whether:

1. The organization has a risk-based approach to
determine areas that are the most significant from
a product quality, safety and efficacy perspective;

2. Existing Part 11 efforts are focused on processes and
systems that pose the highest risk to product quality,
safety and efficacy;

3. The organization has a consistent process to document
risk assessment decisions and a method of linking these
decisions to the compliance and validation approach
for a particular process or technology area;

4. Related compliance efforts such as HIPAA, Part 11,
Sarbanes-Oxley and others are aligned to achieve the
most efficient and effective compliance approach;

5. The organization is positioned from a people, process
and technology standpoint to realize the potential
benefits that could be realized by applying the
principles outlined in the guidance documents.

15 January 2004

"Synergistic Security to Protect Life, Property and Data

SecureWorld Expo:

By Paul Byron Pattak
President, The Byron Group, Ltd.

For an organization to fully protect itself, it must focus with equal vigor and the application of resources against threats to life, physical property and information. Protecting any one alone or any two in combination is not enough. It is not just that an attack can come through either physical or information means. IT may be used to cause physical harm, physical means may be used to damage IT resources, and attacking personnel can degrade the capability to protect either physical assets or IT assets. Adversaries will look for any weakness to exploit, and only a full-fledged unified protection and assurance strategy that is synergistic in its scope and effect will truly yield the best results.

COMMENT:
=======================================================
I think this about sums up the whole scenario. I met Paul well over a year ago while he was visiting his colleagues at Digital Sandbox. What a refreshing paragraph to read over and over.

"US Probes Online Terror Talk

Overseas Security Advisory Council:

from BBC News
Article ID: D138166

Intelligence agencies are investigating a series of internet warnings, said to be issued by al-Qaeda, about major terrorist attacks on the United States.

The messages - posted on several Islamist websites - include claims that an entire city could be destroyed.

This week, a statement, said to be from al-Qaeda intelligence services, warned the countdown to hit America had begun.

'It will be an even stronger strike than nuclear weapons so be prepared, oh mujahideen holy soldiers,' it said.

The statement concluded that unless America and its allies withdrew from Iraq, Afghanistan and all Islamic countries, the organisation had ordered the elimination of US leaders and their supporters.

Wishful thinking?

Another statement, repeated three times in recent days, was posted on an Islamist internet forum called the Mujahideen Network.

It claimed to be from the Islamic nation to the American people, and boasted that its group now had the ability to destroy an entire US city.

There are a lot of such messages on the internet - some not necessarily new - and their authors are hard to identify.

It makes it almost impossible to determine whether these really are final warnings before an attack, like those of 11 September, or just wishful thinking by al-Qaeda sympathisers.

But US and UK intelligence services are taking the messages, and their content, seriously.

Copyright 2004 BBC News. All rights reserved."

Gaming Company gains first BS 7799-2 Certification in Asia

Macau – Macau Slot (Sociedade de Lotarias e Apostas MĂștuas de Macau) has been awarded the BS 7799-2:2002 Information Security Management certification from BSI Management Systems. According to BSI, a developer of standards and provider of international certification and assessment services, Macau Slot is the first gaming company to gain such a certification in Asia.

One of the key objectives for implementing the BS 7799 system is to provide a secured environment for the customers' as well as the company's data. BS 7799 will effectively protect all customer information as the entire data process from creation, execution to destruction; all such activities are controlled and monitored by the standard. In addition, the system will also enhance internal information management for Macau Slot, whose staff can then carry out their tasks under a unified information management standard.

14 January 2004

Are you impacted by the Gramm-Leech Bliley Act (GLBA)?

If your business performs any of the following business processes, the likelihood is that you are. GLBA requires the organization to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. GLBA mandates that this Information Security Program be subject to periodic review and adjustment. The most frequent of these reviews will occur within IT Security & Policy where constantly changing technology and constantly evolving risks indicate the wisdom of regular reviews. Processes in other relevant areas of the organization such as data access procedures and the training program should undergo regular review.

Examples of Activities the FTC is Likely to Consider as a Financial Product or Service includes:

1. Student (or other) loans, including receiving application information, and the making or servicing of such loans

2. Financial or investment advisory services

3. Credit counseling services

4. Tax planning or tax preparation

5. Collection of delinquent loans and accounts

6. Sale of money orders, savings bonds or traveler’s checks

7. Check cashing services

8. Travel agency services provided in connection with financial services

9. Real estate settlement services

10. Money wiring services

11. Issuing credit cards or long term payment plans involving interest charges

12. Personal property and real estate appraisals

13. Career counseling services for those seeking employment in finance, accounting or auditing

14. Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products

15. Obtaining information from a consumer report

16. Providing or issuing annuities

The plan itself as well as the related data retention policy should be reevaluated annually in order to assure ongoing compliance with existing and future laws and regulations.

Digital Signatures and European Laws

Overseas Security Advisory Council: "

from Security Focus Article ID: D138119

People who do business on the Internet require security and trust. In electronic commerce and communication you can't see the person you are speaking with, you can't see the documents that prove one's identity, and you can't even know if the web site you are connected to belongs to the society it says. You must also ask yourself: is this indeed the contract my business partner has sent to me or has someone unauthorized seen and changed it before it reached my desk? What will happen if I have problems with the contract and I must take it to a court of law?

To answer these juridical necessities the European Union adopted a community framework for electronic signatures some time ago (directive 1999/93/EC of the European Parliament and the council of December 13, 1999, on a community framework for electronic signatures) that has been implemented in various European countries. The European directive is used for business in which European partners (persons or societies) or public administrations are involved. It also means that if an American organization enters into an electronic contract with a European society it has to respect European requirements to ensure the contract is valid. This paper will address these issues and then provide an overview of current trends within various countries in Europe."

13 January 2004

Telecommunications vulnerabilities pose significant threat to banking sector

Continuity Central: "

A US working group of banking experts is recommending that the private sector find ways to develop ‘secure and resilient’ telecommunications essential for critical banking functions. The group, known as the Working Group on Government Securities Clearance and Settlement, issued detailed recommendations to the government last week.

The Working Group’s focus is on two financial institutions, the Bank of New York and JP Morgan Chase, which constitute the US's principal resource for clearing services and include clearing services for government securities. Clearing and settlement services involve a comparison of trade details, such as price and terms, and an exchange of payments.

Industry, the Federal government, and state governments have been considering the resilience of wholesale banking activities since terrorists destroyed key telecommunications infrastructure on 9/11. The attacks revealed serious operational vulnerabilities, including the concentration of risks created by dependence on the two banking institutions.

"Audit committees must pre-approve audit and non-audit services

boardmember.com Resource Center -:

Sarbanes-Oxley Act

The SEC also requires audit committees to pre-approve audit and non-audit services provided by auditors. The SEC rule adopts the following list of prohibited non-audit services as set forth in Section 202 of SOA: (i) bookkeeping services, (ii) financial information systems design and implementation, (iii) appraisal services, (iv) actuarial services, (v) internal audit outsourcing, (vi) management functions, (vii) human resources services, (viii) broker-dealer services, (ix) legal services, and (x) expert opinion services provided as an advocate of management. The SEC rule is generally applicable to services performed on or after May 6, 2003. They do not apply to services provided on or before May 6, 2004, if (a) the services are pursuant to a contract in existence on May 6, 2003, and (b) the services are not otherwise prohibited by SEC rules or by some other authoritative or professional body. The requirements apply fully to foreign private issuers. If there is no audit committee or equivalent body, the full board must perform the pre-approval function.

With respect to the services noted in (ii), (iii), (iv) and (v), the SEC provided an exception for circumstances in which “it is reasonable to conclude” that the results of these services will not be subject to audit procedures during a financial statement audit. Because engaging accounting firms on the basis of these exceptions is not without risk, audit committees should insist that these determinations be conclusive and beyond question, and not based on a borderline assessment. The committee should formulate its own assessment and not rely solely on the judgment of management and the auditor. There is also accountability to investors if the audit committee pre-approves non-audit services. The nature and amount of such fees must be reported in the proxy disclosures in the annual proxy statement to investors for fiscal periods ending on or after December 15, 2003, with the SEC encouraging early compliance.

Because the ultimate objective is to preserve the external auditor's independence, some audit committees have chosen to avoid non-audit services altogether. Our survey notes that nearly 13 percent of audit committees for large companies prohibit all non-audit services. Nearly three out of four audit committees – 72 percent – have adopted formal procedures governing nonaudit services rendered to their companies by external auditors. The SEC staff is of the view that pre-approval policies and procedures must be specific enough that management is not in the position of making judgments about whether a given service meets the committee’s definition of pre-approved services. The use of monetary limits, schedules of services without detailed explanation, or "broad, categorical approvals" is inadequate. Audit committees should evaluate their pre-approval policies and procedures accordingly so they understand precisely what they are approving.

Council on Competitiveness Survey - Security is Considered Good for Business

Council on Competitiveness


Security Is Considered Good for Business


Companies are beginning to see security as an investment rather
than a sunk cost. In last year’s survey, just 24 percent of companies
believed that changes in security could improve their longterm
productivity versus 69 percent that did not. In the
2003 survey, by contrast, opinions have completely flip-flopped;
71 percent of companies now believe that increased security
spending will improve long-term productivity—with security
costs offset by gains in business continuity, productivity or competitiveness—
versus only 26 percent that disagree.


Companies that believe security is a top or high priority
(83 percent and 69 percent, respectively) and companies that
have conducted security assessments in the past 6 months
(78 percent) hold this belief most strongly.

Companies with less awareness of or attention to security are less
likely to believe there is a positive return from security investment.
For instance, just 62 percent of companies that have conducted
security assessments in the last 12 months and 50 percent
that have done so in the last 2 years believe security initiatives
will create positive returns. These findings indicate that companies
that have studied security more closely and recently have
discovered it is a good investment.

12 January 2004

Welcome to Authentix

Welcome to Authentix: "SOLUTIONS: Risk Analysis

Successful anti-counterfeit and anti-diversion programs are under-pinned by a thorough understanding of the commercial or fiscal issues faced by the client. In many instances this is achieved through our structured Risk Analysis workshop in which we determine the principal weaknesses in our clients supply chain and processes. Where prudent, we supplement this with in-market or Internet surveillance to identify the areas of risk and estimate the extent of illicit trading or brand abuse.

A thorough analysis of risk provides three principal benefits for clients, namely:

It provides an independent, objective assessment of the supply chain
weaknesses that counterfeiters and diverters are most likely to exploit.

It provides an actionable list of improvements that clients can implement themselves.

It provides the foundation for a successful and sustainable security program.

COMMENT:
=============================================================
We don't normally advocate endorsement of a particular company. However, if we are going to be serious about the interdiction of sources for terrorist funding then we need to look at the entire supply chain. How can we get more embedded in the risk mitigation of funding sources for terrorism? Talk with Authentix. Tell them 1SecureAudit sent you to find out more about how they might assist your organization. They won't know who we are, but we know who they are.

Citibank Warns on New Internet 'Phishing' Scam

"Citibank Warns on New Internet 'Phishing' Scam:

By Jonathan Stempel

NEW YORK (Reuters) - Citibank on Monday warned customers not to fall for an e-mail fraud that urges them to log into a bogus Web site to verify that their accounts have not been tampered with.

'It's a scam,' said Mark Rodgers, a spokesman for the bank, a unit of Citigroup Inc. (C.N: Quote, Profile, Research) 'Consumers have reported receiving fraudulent e-mails that appear to be from Citibank, but which are in fact sent by impostors.'

It was not immediately clear how many customers received or acted upon the e-mail. The e-mail is similar to one last August when an Internet scammer threatened to close Citibank checking accounts if customers failed to divulge personal information.

Other recent fake e-mails include one from 'Citibank Security Department' seeking account information to help the bank upgrade its computer servers, and one from 'Accounts Management' seeking credit card information so that customers might 'maintain the Citibank experience.'

These are examples of 'phishing' -- the use of spam, or junk e-mail, to lure people to bogus Web sites that look like those of reputable companies, and deceive them into divulging personal data. The term is derived from the act of computer thieves 'fishing' for private data.

Many scam e-mails carry grammatical or typographical errors, or return addresses at sites such as Yahoo.com or Juno.com.

Rodgers said Citibank works 'aggressively' with law enforcement to stop such scams. Customers receiving suspicious e-mails should notify Citibank at (Citibank Web Site), where a list of known fraudulent e-mails is posted, he said.

The new e-mail, purporting to be from Citibank, said that on January 10, the bank blocked some accounts 'connected with money laundering, credit card fraud, terrorism and check fraud activity.' It said the bank sent account data to government authorities, and may have changed some accounts."

GLBA Check up for Administrative Safeguards

GLBA Questions for Compliance:

Administrative Safeguards

1) Do you check references prior to hiring employees who will have access to customer information?

2) Do you ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer information?

3) Do you train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:

a. locking rooms and file cabinets where paper records are kept;
b. using password-activated screensavers;
c. using strong passwords (at least eight characters long);
d. changing passwords periodically, and not posting passwords near employees' computers;
e. encrypting sensitive or confidential customer information when it is transmitted electronically over networks or stored online;
f. referring calls or other requests for customer information to designated individuals who have had safeguards training; and
g. recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.

4) Do you instruct and regularly remind all employees of your organization's policy - and the legal requirement - to keep customer information secure and confidential. This includes providing employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and posting reminders about their responsibility for security in areas where such information is stored - in file rooms, for example?

5) Do you limit access to customer information to employees who have a business reason for seeing it? For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.

6) Do you impose disciplinary measures for any breaches?

7) Do you use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information? For example, supplement each of your customer lists with at least one entry (such as an account number or address) that you control, and monitor use of this entry to detect all unauthorized contacts or charges.

8) Do you maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users? For example, use tools like passwords combined with personal identifiers to authenticate the identity of customers and others seeking to do business with the financial institution electronically.

9) Do you notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access?

If you were unable to answer yes to all of these questions you may have significant risk exposure to your organization, both legally and reputationally.

11 January 2004

Hedge Funds Lose Millions in Parmalat Debacle

Hedge Funds Lose Millions in Parmalat Debacle: "

By Elif Kaban and Gerard Wynn

LONDON (Reuters) - Hedge funds trading convertible bonds had significant exposure to the troubled Italian food group Parmalat and have lost millions of dollars in the fall-out, industry sources said on Friday.

The losses have hit hedge fund returns both in the United States and Europe, but industry sources said the market was seen weathering the storm because most losses were manageable.

Many were hurt after being caught out by the slump in the value of Parmalat convertible bonds since the start of December.

'We had a good December but that's almost completely been wiped out by Parmalat,' said one London-based fund manager. 'A lot of hedge funds had Parmalat exposure and the smoke hasn't cleared yet. Many people are just keeping quiet.'

Parmalat had 6.8 billion euros of declared publicly and privately traded bonds yet to mature when the crisis broke on Dec. 19 when a 3.95 billion euro account held by a Cayman Islands unit with Bank of America was declared false.

About 40 percent of the bonds were convertibles and some industry sources estimated that 80 percent of these were held by hedge funds.

Such figures are hard to verify in a secretive offshore industry where hedge fund managers have no disclosure requirements and are not regulated by any watchdog."

10 January 2004

Plans fail to prevent 'IT disasters - AU

ZDNet UK - News - Plans fail to prevent 'IT disasters'

Andy McCue
silicon.com

Although nearly all large companies have a business continuity plan, more than half have suffered an 'IT disaster' during the past five years, according to new research.

Some of the UK's leading companies are inadequately protected from IT disasters, according to a survey of FTSE100 firms.

Research by Compass Management Consulting covering 55 companies in the FTSE100 found that while 98 per cent have a business continuity plan (BCP) in place, 58 per cent have still suffered an 'IT disaster' in the past five years.

The most common disasters suffered by respondents included hardware failure (22 per cent) and utilities failure (18 per cent), followed by deliberate or malicious damage (14 per cent).

It is the latter cause that companies are increasingly unprepared for, according to Debbie Rosario, senior consultant at Compass Management Consulting, who said that more than a third of firms did not consider deliberate or malicious damage at all in their continuity planning.

'There's not the degree of correlation between the types of disaster and the BCP. The focus appears to be on the technology but technology is getting more reliable.'

She said that while almost all organisations now have business continuity in plans in place there seem to be wide variations in their effectiveness. Only 38 per cent suffering an IT disaster actually invoked the measure to solve the problem, while of those who did 71 per cent still reported that their business was impacted.

Rosaria said: 'It doesn't necessarily mean those business continuity plans are good or extensive.'

And while terrorism remains way down the list of actual incidents and priorities for IT departments, Rosario warned that firms are still leaving themselves exposed, with almost half not including security breaches in their continuity plans."

COMMENT:
==================================================
Audited Software Quality Assurance controls should handle the rogue programmer who installs a back door for later use but what about the exploited vulnerabilities once the code is already in production. This goes back to effective risk management systems to prevent and mitigate attacks on assets in production by hardening them in a test environment first. Correct Business Crisis and Continuity Management does not skip over this type of attacker because it uses a systematic approach through a secure enterprise architecture. The key focus here is to be able to anticipate threats through more effective combinations of training and testing in the lab. Then, providing proactive change management tools and systems to identify vulnerable assets and rapidly make the most likely targets the first priority for risk treatments.

FBI: Man demanded jet fly to Australia

CNN.com - FBI: Man demanded jet fly to Australia:

WASHINGTON (CNN) -- An American Eagle commuter flight from New York to Washington was diverted Saturday because a threat was made by a passenger 'against the aircraft,' an airline spokeswoman said.

An FBI spokesperson said the threat involved a note given to someone on the plane. The spokesperson also said a man made demands to be flown to Australia.

A Transportation Security Administration official told CNN that the man's note stated he had a bomb on the plane. One man is in FBI custody.

American Eagle Flight 4959, carrying 19 passengers, was headed from LaGuardia Airport in New York to Reagan National Airport in Washington.

Federal authorities said there were five crew members, but Lisa Bailey, a spokeswoman for the airline, said there were three crew members.

The flight was diverted to Dulles International in Washington and landed at noon.

It was moved to an isolated area and was being searched by a K-9 unit, according to a spokeswoman from the Metropolitan Washington Airports Authority.

The federal government owns Reagan National Airport, but it is operated by Airports Authority under a 50-year lease agreement. Planes landing at Reagan follow a flight path which brings them closer to the Capitol and White House.

Passengers were interviewed by law officers after landing.

The plane, an Embraer Regional Jet, model 135, usually seats 37 passengers, the airline said. The jet has a range just under 2,000 miles when fully fueled. The air distance between New York and Sydney, Australia is 9,933 miles."

09 January 2004

New net banking scam

New net banking scam:

Jennifer Sexton
The Australian

CUSTOMERS of the nation's five leading banks are unwittingly being siphoned of their savings online, after logging on to official internet banking websites.

Federal police are investigating the latest international banking scam involving the use of online 'trojans' to steal personal account details via computers, which don't have anti-virus protection.

The perpetrators, believed to be working out of Russia and Latvia, recruit other local account holders to accept and transfer the funds in exchange for a cut of the proceeds.

Customers of the National, Commonwealth, ANZ, Westpac and St George have all fallen prey to the scam when using computers without updated anti-virus firewalls.

These computers have been located at home, in libraries and internet cafes.

Tim Ireland, National savings account holder and an employee of The Australian, was robbed of $9000 just before Christmas. The fraudster's first attempt on December 2 last year at a $10,000 withdrawal was knocked back due to insufficient funds. One minute later $5000 was withdrawn.

The following morning a $5000 withdrawal was rejected but immediately after the remaining $4000 was depleted.

'Rather than selling people on the convenience of internet banking, the banks should be making clear the high risk of exposure to hackers should you access your account from a computer you can't vouch for,' said Mr Ireland, whose funds were reimbursed after a 14-day investigation by the bank.

The Australian Bankers Association was yet to officially warn of this particular scam, but the National's customer resolutions representative, Glenn Leyden, admitted in a letter to Mr Ireland on Christmas Eve that none of the major banks had escaped it."

Regulators to Expand Fund Probe

Regulators to Expand Fund Probe:

Spitzer Says Targets to Include Institutions Bankrolling Illegal Trades

By Brooke A. Masters
Washington Post Staff Writer
Friday, January 9, 2004; Page E01

The sprawling mutual fund investigation will soon target financial institutions that helped bankroll illegal trading by hedge funds and other big investors, New York Attorney General Eliot L. Spitzer and federal regulators said yesterday.

Since September, Spitzer and the Securities and Exchange Commission have brought legal actions against half a dozen fund companies and brokerage firms for improperly allowing big clients or insiders to engage in 'market timing,' a predatory practice that allows short-term traders to profit at the expense of long-term mutual fund investors.

Now regulators are training their sights on 'the financing of these trading patterns,' Spitzer told a gathering of Washington Post editors and reporters.

He would not discuss specific targets, but sources familiar with the investigation said the SEC and Spitzer are examining Bank of America and a handful of other major financial institutions in Canada and the United States. The first cases are likely to be brought in the next two months, the sources said.

SEC enforcement chief Stephen M. Cutler also would not name targets, but he likened this phase of the investigation to cases brought against several major banks for allegedly helping Enron Corp. make earnings look better by disguising the true nature of financial transactions."

08 January 2004

New threats, regulatory woes to cause '04 security headaches

SearchSecurity.com | New threats, regulatory woes to cause '04 security headaches:

By Edward Hurley

Experts predict many of next year's security issues will grow from seeds sown in 2003.

Regulatory compliance will likely be the main driver for infosecurity spending and implementation. While most companies have a pretty good handle on the Health Insurance Portability and Accountability Act (HIPAA), a couple of new regulations entered the fray that companies will address this year. California passed the Security Breach Notification Act (SB 1386), which requires that companies disclose security breaches that may have compromised specific personal information on California residents.

But many observers say that the Sarbanes-Oxley Act will be the law that really drives infosecurity. Passed in response to the corporate governance scandals of 2002, the law doesn't directly address security. However, it mandates that the CEO and CFO sign off on the integrity of a company's financials (including internal controls), forcing upper-level management to take a personal interest in security.

Michael Rasmussen, director of information security at Forrester Research, predicts a similar law will be passed this year mandating upper-level management sign off on their company's information security plans."

European banks to spend $4bn on Basel II compliance

finextra news: European banks to spend $4bn on Basel II compliance:

08 January 2004 - Europe's banks will spend almost $4bn on credit risk management software and services over the next two years in order to comply with Basel II regulations, according to forecasts by Datamonitor.

Spending will reach $1.93bn in 2004 and peak at $2bn in 2005 as firms scramble to meet the 2006 deadline for compliance.

Datamonitor says preliminary activities such as regulation interpretation and business impact planning in banks are now giving way to IT implementation.

According to the research, Switzerland and Germany currently stand out ahead in Basel II efforts in Europe. Datamonitor says this is due to strong regulatory pressures at a local level associated with capital adequacy requirements.

The UK, Spain, Benelux and the Nordic countries are midway in terms of Basel II implementation but banks in France and Italy are lagging in preparation.

Datamonitor says any banks that lag behind in implementing Basel II compliance systems will provide technology vendors with 'rich pickings'.

Despite having progressed with Basel II, Datamonitor says the UK is still one of the countries - along with France and Italy - that will lead growth rates in credit risk/Basel II spending. According to the research, these countries have either a larger proportion of financial firms that are late in preparing for Basel II or the disparity in preparation levels between the leaders and laggards is wider.

Corporate Fraud off to a great start in 2004...What's new?

By Peter L. Higgins

We did a quick analysis today on what's in the news, or better said, how much corporate fraud is off to a great start for 2004! What's new? It's all new.

Your search for fraud / today returned:

27 articles - New York Times

8 articles - Wall Street Journal

Topics of Interest include:

New President Ireland to Press For Immigration Policy Action
Italy Gets Set To Re-Examine How It Regulates
Prosecutors Charge Executive and Lawyer With Fraud Over IPO
Scandal Reaches Far and High
Stricter Rules on Bonds Are Sought
Tyco Former Director Testifies
U.S. Government Removes Its Ban on Bids by MCI
What Mutual-Fund Scandal?

Searching other sites such as the BBC and LA Times produced similar results. Why is it that fraud is such a news worthy item? Or at least this word is used so frequently as an adjective. Definition of Fraud:

Fraud
n 1: DECEIT, TRICKERY 2: TRICK 3: IMPOSTER, CHEAT

Fraudulent adj : characterized by, based on, or done by fraud: DECEITFUL

Is it that people like reading about cheats and impostors because they enjoy seeing how they get caught? Is it that they feel better that they aren't the only ones? Or is it that they want to make sure that they don't make the same mistakes.

Our organizations today are full of everyday cheats, impostors and fraudulent activity. The sales person who inflates their expense report so they can afford to buy the wife a nice piece of jewelry is just as much a crook as Andrew Fastow of Enron or Calisto Tanzi of Parmalat. It's not as if they don't know any better. They do know that they are cheating or being deceitful. They do it because they can, and no one has told them to stop.

The risks of employing people to run an organization are going to multiply until we figure out ways to keep humans out of each business process. And even then, human greed or lust for power or some other innate motivation will cause someone to figure out how to beat the system. As an investor and as a business owner you can only do one thing that will diminish your losses.

Be proactive. Be preventive. And be Relevant. All the locks, safes, controls, alarms, fences, procedures, education, laws and penalties will not stop the loss events. Only one thing will keep you from a total loss or complete business paralysis.

Change.

We've all heard it over and over. Yet we continue to dismiss the fact that our organization is different today than it was yesterday. That the world has changed since the cold war. That zeros and ones could arguably be our most valuable assets. Information and data will endure beyond the life span of any human leader or organization through out history.

The zeros and ones game is a change management game. Those who master the art of managing information will be able to adapt faster than the attackers. Whether they be digital, human or mother nature.

How do you feel about the integrity of your loss event database? The speed that you get the correct answer. What if the answer was never correct? Guess what. The risk factors being played out today are different than it was last month. Or last year.

Collusion. Embezzlement. Churning. Market manipulation. Limit Breach. Wrongful termination. Harassment. Non-adherence. Failure of due diligence. Input error. Insufficient capacity. Reconciliation failure. Inappropriate contract terms. Product complexity. Poor advice. Obsolescence. Network failure. Project overruns. Programming error. Bug. Security breach. Money Laundering. Terrorism. Arson. Robbery. Blackmail. Vandalism. Natural disaster. Bankruptcy. Breach of service. Loss of power. Regulations. Laws. New employees. And the list goes on.

Have a great day!

07 January 2004

Poor integration puts M&A at risk

Poor integration puts M&A at risk

By Gabrielle Costa
The Age

More than three-quarters of mergers and acquisitions are dismal failures because predatory companies fail to ask basic, pertinent questions about the mechanics of integrating a new business into existing structures, according to human resources consultancy firm DDI.

Inadequate communication, poor leadership, inappropriate corporate structures and misaligned internal systems are some of the factors that result in 77 per cent of predatory companies failing to even recoup the costs of their investment - let alone improve their bottom line.

Ian Paterson, general manager of DDI, which has advised 75 per cent of Australia's top 100 companies, said that the 77 per cent failure rate for M&A was extracted from worldwide data but would probably be closely reflected in Australia.

His comments follow this week's release of research by Thomson Financial showing that, in 2003, mergers and acquisitions involving Australian companies had risen to almost $US70 billion ($A91 billion), up 66 per cent on 2002.

This comes after KPMG Corporate Finance forecast M&A activity would continue to strengthen this year as a result of sound economic fundamentals, economic stability and a strong sharemarket. "

FEMA On-line Course Offers CERT Training

FEMA On-line Course Offers CERT Training:

WASHINGTON, D.C. – The Department of Homeland Security’s Federal Emergency Management Agency (FEMA) has an on-line, independent study course that can serve as either an introduction to those joining Community Emergency Response Teams (CERTs) or as a refresher to current volunteer team members.

“While nothing can replace the in-person training local jurisdictions offer to CERT volunteers, this independent course augments their education and serves to reinforce the knowledge they’ve gained,” said Michael D. Brown, Under Secretary of Homeland Security for Emergency Preparedness and Response. “This new independent study course underscores the importance that FEMA places on CERT and its importance to communities across the nation.”

CERT members work with a community’s emergency management officials to provide assistance in a disaster by helping victims, organizing spontaneous volunteers at a disaster site and supporting emergency responders.

Specialists at FEMA’s Emergency Management Institute developed the course, which is part of the institute’s extensive independent study program. The course, Introduction to Community Emergency Response Teams, IS 317, has six modules with topics that include an introduction to CERT, fire safety, hazardous material and terrorist incidents, disaster medical operations, and search and rescue. It takes between six and eight hours to complete the course; those successfully finishing it receive a certification of completion. The course is located at: CERT Training Online.

The course can be taken by anyone interested in CERT, but only those who are actual CERT volunteers can take the in-person training FEMA offers.

On March 1, 2003, FEMA became part of the U.S. Department of Homeland Security. FEMA's continuing mission within the new department is to lead the effort to prepare the nation for all hazards and effectively manage federal response and recovery efforts following any national incident. FEMA also initiates proactive mitigation activities, trains first responders, the National Flood Insurance Program and the U.S. Fire Administration.

COMMENT:
==================================================
1SecureAudit is leading a project to create a Corporate Emergency Response Team for all the businesses in a commercial building in Fairfax County, VA. We highly recommend that CERT volunteers take the FEMA online courses while they are waiting for the official county certified training in the classroom. In our case, the demand exceeds the capacity of the instructors so you could be waiting up to 8 weeks to get your team officially trained.

'Dirty Bomb' Was Major New Year's Worry

'Dirty Bomb' Was Major New Year's Worry

By John Mintz and Susan Schmidt
Washington Post Staff Writers
Wednesday, January 7, 2004; Page A01

With huge New Year's Eve celebrations and college football bowl games only days away, the U.S. government last month dispatched scores of casually dressed nuclear scientists with sophisticated radiation detection equipment hidden in briefcases and golf bags to scour five major U.S. cities for radiological, or 'dirty,' bombs, according to officials involved in the emergency effort.

The call-up of Department of Energy radiation experts to Washington, New York, Las Vegas, Los Angeles and Baltimore was the first since the weeks after the Sept. 11, 2001, attacks. It was conducted in secrecy, in contrast with the very public cancellation of 15 commercial flights into this country from France, Britain and Mexico -- the other major counterterrorism response of the holiday season.

The new details of the government's search for a dirty bomb help explain why officials have used dire terms to describe the reasons for the nation's fifth 'code orange' alert, issued on Dec. 21 by Homeland Security Secretary Tom Ridge. U.S. officials said they remain worried today -- in many cases, more concerned than much of the American public realizes -- that their countermeasures would fall short.

'Government officials are surprised that people [in the United States] aren't more hyped about all this,' said one source familiar with counterterrorism preparations.


Even now, hundreds of nuclear and bioweapons scientists remain on high alert at several military bases around the country, ready to fly to any trouble spot. Pharmaceutical stockpiles for responding to biological attacks are on transportable trucks at key U.S. military bases."

06 January 2004

Beyond Compliance: The Business Value of Sarbox

Beyond Compliance: The Business Value of Sarbox

Investing in Sarbanes-Oxley could offer a competitive edge, according to a recent TowerGroup report. The report suggests that investing appropriately could be an opportunity to change how the organization tackles related IT transformation.

'In the compliance mindset, which is manifested in a quantitative and qualitative top-down approach, risk and control data is extracted from across diverse business lines for comparison purposes. Measurable business improvements will be confined to a focused set of actions,' the report says.

The report also says that forward-thinking institutions will look beyond the immediate concerns of Sarbanes-Oxley and 'pursue the legislation's broader strategic opportunities for risk mitigation, operational efficiency and business-process transformation.'
In order to do this, the organization must look at compliance issues as a whole and leverage other improvements made for issues such as the USA Patriot Act and Basel II.

The recommendation? A bottom-up approach to interpreting data and records from various sources. The report suggests that rules-based engines, business-process models and quantitative analytics be used to mitigate risk and improve operational efficiency. Ultimately, this information will provide essential information that will help managers make better decisions at a lower cost."