26 March 2004

On Travel....

This blog will resume on April 9th, 2004

Managing Risk for Security Governance - A Series

By Peter L. Higgins
Managing Director
1SecureAudit

Part II

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches.

In watching Richard Clarke’s testimony the other day in front of the 9/11 commission, I was struck by his ability to deliver precise salvos of devastating sound bites. These statements of opinion may or may not be backed up by witnesses. If there is anyone who could uphold the foundational policies of Security Governance, it is Mr. Clarke. You have to admire a person who stands up for what they believe, except when those beliefs begin to erode the management system for security governance.

The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable; therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance. The security governance policy should reflect the deeply held obligations of the organization or nation to its shareholders and citizens. It should foster a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

More in this series over the next few weeks.

25 March 2004

Prove It's Secure

Bank Systems & Technology > Prove It's Secure:

Paul McDougall, InformationWeek

"Offshore-outsourcing opponents have, for the most part, focused their criticism on the number of U.S. jobs lost to overseas workers. Now some people are urging limits on the practice because they claim it threatens consumer privacy.

California state Sen. Liz Figueroa last week said she would propose legislation prohibiting the movement of Californians' medical and financial data overseas unless she receives assurances that strong privacy safeguards are in place. Concerns range from overseas call-center workers being able to view or manipulate personal records stored in U.S. data centers to having databases of information on U.S. citizens physically located in a foreign country and operated by a third party. 'Outside the U.S., medical privacy doesn't really mean anything,' Figueroa contends.

Figueroa, who chairs California's Senate Select Committee on International Trade Policy and State Legislation, says she's concerned that a growing number of U.S. medical and financial-services firms are shifting information-processing work to lower-wage countries that lack tough privacy laws, leaving consumers vulnerable to identity theft and other crimes. Figueroa, who authored California's medical-records privacy law, considered by many to be the strongest in the nation, also is sponsoring bills to require California employers to notify the state and employees if they plan to move 20 or more jobs overseas and to prohibit state contracts from being fulfilled offshore.

Figueroa's plan, and similar ones in other states, are evidence that politicians are looking closely at the growing practice of sending work offshore. Her proposal, if enacted, would be among the first to significantly affect businesses' offshore IT practices. Most other efforts to restrict offshore outsourcing seek to block federal or state contracts from going overseas. Offshore business-process-outsourcing services -- which, unlike application development, typically require the transfer of personal data -- grew 38 percent last year to just under $2 billion, according to Gartner. The research firm says most of that work was performed in India.

At the federal level, Sen. Dianne Feinstein, D-Calif., asked the U.S. Comptroller of the Currency earlier this month to investigate whether banks that process customers' financial data offshore have safeguards to protect that data from unauthorized use.
In Arizona, proposed legislation would bar companies from shipping financial data outside the country without written permission from consumers. A proposal in South Carolina would prevent companies from giving 'financial, credit, or identifying information' to a call-center representative abroad without the individual's written permission."

Housekeeping and Homeland Security

A year after the creation of the Department of Homeland Security, the House leadership ponders whether it needs a permanent committee to oversee the department. The answer is yes.

When the President proposed the Homeland Security Act to Congress, it was referred to 12 standing committees in the House thought to have jurisdiction over the legislation. That was the right thing to do. Domestic security missions touch every federal agency and cut across national programs. Even today, a year after the creation of the Department of Homeland Security, virtually every federal department has responsibilities for protecting the nation.

Safeguarding the lives and property of Americans remains a mission that cuts across the federal executive and correspondingly the committees of Congress. Officials in the Department of Homeland Security will always find themselves—and rightly so—scurrying from committee room to committee room, testifying on their efforts to integrate a plethora of activities into a coherent, integrated national structure of systems and programs.

The House Select Committee on Homeland Security has already demonstrated that there could be value added in consolidating oversight in a single committee. They’ve held productive hearings and rapidly assembled a capable staff with the energy, expertise, and dedication that make for good congressional oversight. Last week, the full committee passed out H.R. 3266, Faster and Smarter Funding for First Responders, a necessary piece of legislation and a great example of the kind of leadership needed from a permanent oversight committee.

FTC filed 319 Internet scam cases in 2003

FTC filed 319 Internet scam cases in 2003 - (United Press International): "

WASHINGTON, March 23 (UPI) -- The U.S. Federal Trade Commission said Tuesday its pursuit of Internet fraud and deception unit last year resulted in 319 cases being filed.

Speaking before a Senate committee, the director of the FTC's Bureau of Consumer Protection said the 319 cases involve identity theft, auction fraud, investment fraud, 'Nigerian scams,' and cross-border Internet fraud.

Howard Bales said, 'Internet fraud causes significant injury to consumers and harms public confidence in the Internet as an emerging market.'

He told the Senate panel that his bureau maintains a central clearinghouse of identity theft victims, making the information available to more than 850 criminal and civil enforcement agencies throughout the nation.

Last year 214,905 complaints were filed with the FTC's ID Theft Clearinghouse, about 10 percent of which came from consumers age 60 or older, Bales said."

24 March 2004

US approach to corporate governance looks set to be introduced in Europe

IT-Director.com: US approach to corporate governance looks:

Bob McDowall
Bloor Research

"The European Union (EU) proposals for improvement in corporate governance in the slipstream of Europe's own corporate scandals take much the same approach as deployed in the USA in its Sarbanes-Oxley Act, primarily through improvement in auditing and accounting standards, oversight and responsibilities. Perhaps the key difference is that, as the EU has no power to legislate on criminal law, its proposals may not enshrine criminal sanctions for violations, as they do in the USA, though individual EU nation states could introduce criminal sanctions for violations...

The EU Commission is proposing (and, of course, this is subject to approval by the EU member states) the establishment of US-styled Public Accounting Oversight Boards in each country. Auditors would be required to register with these national boards as well as with an EU-wide audit regulatory committee with responsibility for the implementation and oversight of detailed measures in proposed legislation. Non-EU auditors who worked on audits of EU-listed companies would be obliged to register with the relevant National Accounting Oversight Board. They would not be subject to any EU or EU nation initiated supervisory or disciplinary procedures if they are subject to such procedures within their own country."

Calpers Opposes PwC as Freddie Mac Auditor

Calpers Opposes PwC as Freddie Mac Auditor - - CFO.com:

Pension fund challenges Freddie's use of PricewaterhouseCoopers for non-audit services.

Stephen Taub, CFO.com

"The California Public Employees' Retirement System (Calpers) is opposing Freddie Mac's reappointment of auditor PricewaterhouseCoopers and the reelection of members of the mortgage finance company's audit committee, according to the Washington Post.

The pension fund giant, which owns 5.1 million Freddie shares, is taking the action because the company has used PwC for non-audit services, Calpers spokesman Brad W. Pacheco told the paper.

As a matter of policy, Calpers withholds votes from audit committee members at companies that allow auditors to perform non-audit work, elaborated Pacheco. 'We believe that auditors should not be compensated or perform work for anything else besides their role in conducting the audit,' he told the paper. 'It creates too many conflicts of interest, and our experience shows that it leads to problems.'

Calpers is withholding its vote from the reelection to the audit committee of presiding director Shaun F. O'Malley, who was chairman of PricewaterhouseCoopers when the firm was known as Price Waterhouse LLP, noted the Post."

Yankee Group Defines Dynamic Best Practices in Vulnerability Management

Qualys, Inc. Press Release: Yankee Group Defines Dynamic Best Practices in Vulnerability Management:

Best Practices Derived from Laws of Vulnerabilities Research Identifies Weekly Auditing of Critical Assets as Top Security Priority

InfoSec World Conference, Orlando, FL – March 23, 2004 – The Yankee Group today announced the development of Dynamic Best Practices in Vulnerability Management to help organizations better manage network resources to identify and eliminate security weaknesses in a timely manner. Implementing dynamically changing best practices in vulnerability management is the most effective preventative measure security administrators can use to thwart automated attacks and preserve network security. The guidelines and metrics developed by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys. The Dynamic Best Practices in Vulnerability Management is a custom consulting report contracted by Qualys from the Yankee Group.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities. The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program. The Laws of Vulnerabilities are derived from the industry's largest vulnerability dataset and reveal vulnerability half-life, prevalence, persistence, and exploitation trends. These trends were drawn from statistical analysis of vulnerabilities collected by more than three million scans during a two-year period.

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve the effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate them with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
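To make the four practices concrete, here is an added Python example that is not code from Qualys, the Yankee Group or the Laws of Vulnerabilities research. It computes the metrics the practices name over a handful of constructed findings: a per-tier scan cadence check (Classify), the percentage of vulnerabilities mitigated within a 30-day cycle and the findings that have persisted past 180 days (Measure), a simple half-life estimate, and a summary a security officer could hand to management (Audit). The record layout, tier names, asset names, vulnerability identifiers and dates are all assumptions made up for the example; only the 5-to-10-day critical audit window, the 30-day cycle and the 180-day cutoff come from the text.

```python
"""Vulnerability management metrics after the four Yankee Group practices
(classify, integrate, measure, audit). Added example; the data model and
the sample findings are constructed, not a real scan result."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Classify: audit interval in days per asset tier. "critical" uses the
# 5-to-10-day window from the text; the other two tiers are assumed values.
SCAN_INTERVAL_DAYS = {"critical": 7, "important": 30, "standard": 90}


@dataclass
class Finding:
    asset: str
    tier: str
    vuln_id: str                # constructed placeholder id, not a real advisory
    discovered: date
    remediated: Optional[date]  # None means the finding is still open


def scan_overdue(tier: str, last_scan: date, today: date) -> bool:
    """Classify: True if an asset has gone longer than its tier's interval
    without an audit, which is the signal to schedule a scan now."""
    return (today - last_scan).days > SCAN_INTERVAL_DAYS[tier]


def _age_days(f: Finding, today: date) -> int:
    """Days from discovery to remediation, or to today if still open."""
    return ((f.remediated or today) - f.discovered).days


def pct_mitigated_within(findings, today: date, days: int = 30) -> float:
    """Measure: share of findings closed within `days` of discovery.
    Open findings younger than `days` could still make the cutoff, so they
    are left out of the denominator rather than counted as failures."""
    decided = [f for f in findings
               if f.remediated is not None or _age_days(f, today) > days]
    if not decided:
        return 0.0
    hits = sum(1 for f in decided
               if f.remediated is not None and _age_days(f, today) <= days)
    return round(100.0 * hits / len(decided), 1)


def open_past(findings, today: date, days: int = 180):
    """Measure: ids of findings still open after `days` (persistence)."""
    return [f.vuln_id for f in findings
            if f.remediated is None and _age_days(f, today) > days]


def half_life_days(findings) -> Optional[int]:
    """Measure: the age at which half of all findings had been remediated.
    Returns None if fewer than half are closed, i.e. the half-life has not
    yet been reached in this data."""
    closed = sorted(_age_days(f, f.remediated) for f in findings if f.remediated)
    need = (len(findings) + 1) // 2
    if not findings or len(closed) < need:
        return None
    return closed[need - 1]


def audit_report(findings, today: date) -> dict:
    """Audit: the numbers a security officer would chart for management,
    overall and for the critical tier alone."""
    critical = [f for f in findings if f.tier == "critical"]
    return {
        "pct_mitigated_30d": pct_mitigated_within(findings, today),
        "critical_pct_mitigated_30d": pct_mitigated_within(critical, today),
        "open_past_180d": open_past(findings, today),
        "half_life_days": half_life_days(findings),
    }


# Constructed sample data: six findings across three tiers as of 23 March 2004.
TODAY = date(2004, 3, 23)
LAST_SCAN_DB01 = date(2004, 3, 10)   # constructed: critical asset last audited 13 days ago
SAMPLE_FINDINGS = [
    Finding("web01", "critical", "V-1", date(2004, 1, 5), date(2004, 1, 15)),
    Finding("web01", "critical", "V-2", date(2004, 2, 1), date(2004, 3, 10)),
    Finding("db01", "critical", "V-3", date(2003, 9, 1), None),
    Finding("file02", "standard", "V-4", date(2004, 3, 15), None),
    Finding("mail01", "important", "V-5", date(2004, 2, 10), date(2004, 2, 20)),
    Finding("hr03", "important", "V-6", date(2004, 1, 1), None),
]

if __name__ == "__main__":
    print(audit_report(SAMPLE_FINDINGS, TODAY))
    print("db01 scan overdue:", scan_overdue("critical", LAST_SCAN_DB01, TODAY))
```

Run as-is, the report shows 40% of decided findings closed within 30 days overall but only a third of the critical ones, one critical finding (V-3) open for more than 180 days, and a half-life of 38 days; the critical asset db01 is also past its 7-day audit window. Those are exactly the figures the Measure and Audit practices ask a team to chart per 30-day cycle, and the critical-tier breakdown is what shows whether risk reduction is happening where the text says it matters most.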

"Regulations such as HIPAA and Sarbanes-Oxley, coupled with recent threats from viruses like MyDoom, have required companies like Geisinger to adopt industry best practices that will ensure compliance and proactive network protection" said Jaime Chanaga, Chief Information Security Officer for the Geisinger Health System in Pennsylvania. "Yankee Group's best practices underscore the importance of continuous vulnerability scanning in today's changing threat environment."

23 March 2004

Institutions Find it Tough to Meet Sarbox Deadline

Institutions Find it Tough to Meet Sarbox Deadline: "

As the first deadline for Sarbanes-Oxley compliance of June 15 nears, financial institutions are finding that complying is more difficult than they had anticipated. According to a survey of Sarbanes-Oxley project managers from 54 financial institutions, while 95 percent say they will meet the deadline, more than half say it will be difficult to do so. The study was conducted by PricewaterhouseCoopers.

The most difficult areas seem to be documentation and testing of procedures. Sixty-nine percent said the level of testing and documentation needed poses the most problems. Following these issues was evaluating and identifying deficiencies, at 39 percent.

In order to comply with Section 404 of the Act, respondents said they would have to fix manual controls, computer controls and security.

All of this work is not being done simply to comply with new regs, said respondents. As a matter of fact, over half of the executives said that Sarbanes-Oxley compliance is a necessary cost of doing business and over 40 percent reported the perception that Sarbanes-Oxley will ultimately make them more productive.

Executives are even starting to look ahead and incorporate their Sarbox upgrades into other areas. For example, they plan to make improvements to risk identification, financial reporting, internal audit and compliance management in order to streamline compliance in future years.

Despite this approach, two thirds of respondents said their Sarbox plan is not integrated with other compliance processes."

Data regulation a critical concern

Data regulation a critical concern:

By Val Bercovici
Special to Globe and Mail Update

"Do you know the staff in your corporate compliance department? How about the names of your records management colleagues? If you're acquainted with your legal department, hopefully it's for all the right reasons.

Corporate scandals in Canada and the United States have given rise to investor and consumer concerns over business integrity and privacy issues. The media spotlight on these fiascos has created large-scale public demand for companies to redefine the processes and technologies used to store corporate information. Behind the scenes, a fascinating by-product of this movement is that information technology (IT) professionals are now more likely to have lunch with compliance, records management or legal colleagues than ever before — bridging the ever-present gap between C-level and IT executives.

Responding to corporate scandals at Enron, WorldCom and Tyco, American legislators enacted new federally enforced rules such as Sarbanes-Oxley and SEC Rule 17a that dictate enterprise financial data integrity and retention practices. Regulating consumer, employee and patient privacy and confidentiality, however, is left to the discretion of the individual states, with California (Bill 1386) leading the way. But doing business north of the 49th parallel exposes companies to very different rules that will determine short-term regulated data retention priorities.

Canada has embraced a different approach to data regulation over our American counterparts. One reason for this difference is that Canadian culture is less litigious and consequently places less emphasis on exposure to shareholder lawsuits necessitating onerous financial regulations.
Canadians are more focused on preserving individual rights. In an ironic contrast to our American neighbours, securities commissions are provincially operated in Canada, whereas privacy legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act) is enforced at a national level.

Regulated data will likely outlive the people who manage it. And now, C-level executives have pulled a chair up to the IT department's lunch table and are working hand-in-hand in defining their company's technology requirements."

22 March 2004

White House Says Ex-Terror Czar Has It All Wrong

White House Says Ex-Terror Czar Has It All Wrong:

By David Morgan

"WASHINGTON (Reuters) - The White House on Monday sought to brand former anti-terrorism czar Richard Clarke as a disgruntled employee bent on damaging President Bush's war image with politically motivated assertions about the Sept. 11, 2001, attacks.

Top officials including Vice President Dick Cheney and national security advisor Condoleezza Rice took to television and radio to deny Clarke's allegation that Bush ignored the al-Qaeda threat before the attacks and focused on Iraq rather than the Islamic militant group afterward.

Clarke, who quit his White House job a year ago after serving in four administrations, made the bombshell assertions in a new book and on Sunday in an interview with CBS' '60 Minutes.' The book, 'Against All Enemies,' was released on Monday and quickly climbed to the No. 5 slot on amazon.com's top 100 bestsellers list.

Clarke's assault on Bush's credibility comes at a time when the Bush-Cheney campaign has made the president's leadership on security and the war against terrorism a main plank of his re-election strategy.

Clarke told '60 Minutes' it was 'outrageous that the president is running for re-election on the grounds that he's done such great things about terrorism. He ignored it.'

But Cheney said Clarke was in no position to comment.

'He wasn't in the loop, frankly, on a lot of this stuff,' Cheney told conservative talk radio host Rush Limbaugh. The vice president also questioned Clarke's effectiveness in countering attacks on U.S. targets dating back to the 1993 World Trade Center bombing.

White House spokesman Scott McClellan had harsher words for Clarke, the second former top administration official to criticize the Bush administration's overriding focus on Iraq.

'His assertion that there was something we could have done to prevent the September 11 attacks from happening is deeply irresponsible. It's offensive and it's flat-out false,' McClellan said."

Managing Risk of Security Governance - A Series

By Peter L. Higgins
Managing Director
1SecureAudit

In the converging world of information and physical security there is a new risk element: managing “Security Governance”.

The ethics and issues surrounding the business world of Corporate Governance have been center stage since Enron and WorldCom. Now the ethics and human behaviors of the security and intelligence community are stealing the headlines in light of Richard Clarke’s recent memoir of his counterterrorism days at the White House. Clarke is chairman of Good Harbor Consulting LLC, based outside Washington, DC, and has recently published a book setting out his opinions on terrorism.

Questions of ethics should be raised about the former security tsar and his motivations for the book, his comments on CBS's 60 Minutes and his statements through other media. It is about time we waved a red flag when the poor governance of business spills over into the governance of security. It seems that the title of his new book, “Against All Enemies”, is appropriate, as he takes aim at his former bosses in the last few presidential administrations.

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A newer element, only recently recognized, is the role of risk management in Security Governance.

More in this series over the next few weeks.

20 March 2004

EU accord on anti-terrorism tsar

Guardian Unlimited | Special reports | EU accord on anti-terrorism tsar:

Ian Black in Brussels
The Guardian

"The EU is to appoint a senior anti-terrorism coordinator to foil attacks following last week's atrocity in Madrid.

David Blunkett, the home secretary, told colleagues at emergency talks in Brussels yesterday that the EU must 'stop the waffle' and implement practical measures to fight the bombers.

Ireland, in the union's rotating presidency, said last night that the post would be created within months.

But Britain, France and the other big countries gave short shrift to calls from Belgium and other members for an EU intelligence agency. Underlining the point, ministers from Germany, France, Britain, Italy and Spain met separately before the full meeting.

Nicolas Sarkozy, France's interior minister, said: 'We have the most important intelligence services and we are used to working together.' It was unrealistic to share classified information with 25 countries."

19 March 2004

Before the business continuity plan

Before the business continuity plan:

By Nathaniel Forbes

What can you do if your organisation doesn’t yet have a BCP, but you want to prepare for emergencies? Forbes Calamity's Nathaniel Forbes offers some advice.

Having a business continuity plan is important but as business continuity consultants we are often asked if there’s anything an organisation can do to prepare for emergencies or disasters, even if it doesn’t yet have a BCP. Forbes Calamity Prevention (FCP) has prepared this list of actions you can take for little cost and a small amount of time, whether you have a BCP or not.

18 March 2004

Phishing scams 'likely to target corporate info soon'

Phishing scams 'likely to target corporate info soon' - Breaking - theage.com.au:

By Sam Varghese

"Phishing scams will continue to flourish but their focus will change: they will increasingly target corporate information, the Asia-Pacific vice-president of one of the world's premier security companies says.

Richard Turner of RSA Security said the current rash of phishing scams was just the proverbial tip of the iceberg and those who were perpetrating them would turn to the more lucrative field of stealing business secrets.

'Australian businesses are rapidly opening their networks to remote users, be they employees who want to work from home, customers or those from other companies who share information. As soon as you do this, you need to apply good policy to information systems and business systems,' said Turner, who has been with RSA for the last eight years.

'Once this stage is reached, the need to implement well-configured software becomes paramount, in order to provide protection against unauthorised connections.'

RSA derives its name from three researchers at MIT - Ronald Rivest, Adi Shamir, and Leonard Adleman - who formulated the first algorithm for implementation of public key cryptography along with digital signatures.

Turner said the increased incidence of break-ins was in large measure due to a lack of real skills among security professionals. 'Security is a relatively new field; traditionally, it was the domain of those from the mainframe and Unix background and not the most fashionable of areas,' he said.

'The basic tools for breaking in are more readily available on the internet these days and relatively easy to get,' hence the class of person who could effect such a compromise did not need to be a security expert."

COMMENT:
==============================================================
Corporate espionage is not a new threat to the enterprise; only the tools and incidents have changed. I wonder how RSA handles the prevention of intellectual property going out the door each evening on employees' key rings, all 512MB of it on a Cruzer Titanium USB flash drive. See SanDisk.

Evil Twin of Research: Bioterror

The Evil Twin of Research: Bioterror:

By Elisa D. Harris

Elisa D. Harris is a senior research scholar at the Center for International and Security Studies at Maryland and former director for nonproliferation and export controls at the National Security Council.

Advances in modern biology offer great opportunities, but they can also pose grave risks.

In recent years, Australian scientists exploring ways to control the mouse population created a super virus that ended up killing all the mice instead of sterilizing them. Here at home, researchers interested in understanding why the body rejects organ transplants discovered a possible way of making some viruses closely related to smallpox more deadly. And government scientists attempting to prevent the spread of the bird flu virus among humans have been trying to make a more lethal form of the virus to determine whether such a strain might emerge.

All are examples of what is called dual-use research — scientific experiments that can have beneficial applications or be used for destructive purposes, either deliberately or inadvertently.

Prompted by a National Academy of Sciences report issued last October, the Bush administration has created a board to advise U.S. government agencies on how to reduce the risk that legitimate research will be used for hostile purposes. The board will develop guidelines for oversight of dual-use research and for the dissemination of research results. It will also develop codes of conduct and training programs for scientists and laboratory workers.

These are welcome steps, but they are not enough. As Elias Zerhouni, the director of the National Institutes of Health, acknowledged when the new board was announced, it will have "no real authority." It will therefore do little to prevent the misuse of dual-use research in the United States and nothing at all to prevent misuse abroad.

To begin with, any oversight guidelines developed by the board will apply only to government laboratories or those receiving federal dollars. Many commercial facilities will therefore remain entirely outside the scope of the system.

Even the government agencies that conduct or fund relevant research will not be required to accept or implement the board's recommendations. All of the affected agencies have agreed to encourage compliance, but any of them can choose to opt out.

And classified government research — including work on defenses against biological weapons, which last year's National Academy of Sciences report singled out as posing particular dual-use problems — would remain outside the scope of the guidelines.

Finally, because the board was created by the executive branch rather than through legislative action, it can easily be disbanded after its charter expires in two years. That means the board is unlikely to command the budget and staff resources necessary to be an influential voice for biosecurity within the federal government.

Two steps are required for an effective biosecurity policy.

First, the scientists carrying out dual-use research and the facilities where this research takes place should be licensed.

Second, all proposals to conduct relevant research should be reviewed by scientific peers before being carried out so that the potential benefits can be weighed against the possible risks.

The creation of an American advisory board does nothing to address the risks posed by dual-use biological research in other countries. We must find a way to apply these oversight requirements comprehensively on a mandatory basis and on a global scale.

The knowledge and the technologies that could be misused for destructive purposes are widely available around the world. In 2002, for example, about 60% of the nearly 14,000 manuscripts submitted to 11 key scientific journals in the U.S. included foreign authors, from more than 100 countries.

Only when all institutions, whether in the United States or any other participating country, are required to follow the same rules will an effective biosecurity response be achieved.

17 March 2004

Security Pipeline | Trends | Outsourcing Overseas Brings Consumer Privacy Concerns

Security Pipeline | Trends | Outsourcing Overseas Brings Consumer Privacy Concerns:

Legislators want CIOs and service providers to show that customer data sent overseas is as safe as it is at home.

By Paul McDougall, InformationWeek

"Offshore-outsourcing opponents have, for the most part, focused their criticism on the number of U.S. jobs lost to overseas workers. Now some people are urging limits on the practice because they claim it threatens consumer privacy.

California state Sen. Liz Figueroa last week said she would propose legislation prohibiting the movement of Californians' medical and financial data overseas unless she receives assurances that strong privacy safeguards are in place. Concerns range from overseas call-center workers being able to view or manipulate personal records stored in U.S. data centers to having databases of information on U.S. citizens physically located in a foreign country and operated by a third party. 'Outside the U.S., medical privacy doesn't really mean anything,' Figueroa contends.

Figueroa, who chairs California's Senate Select Committee on International Trade Policy and State Legislation, says she's concerned that a growing number of U.S. medical and financial-services firms are shifting information-processing work to lower-wage countries that lack tough privacy laws, leaving consumers vulnerable to identity theft and other crimes. Figueroa, who authored California's medical-records privacy law, considered by many to be the strongest in the nation, also is sponsoring bills to require California employers to notify the state and employees if they plan to move 20 or more jobs overseas and to prohibit state contracts from being fulfilled offshore.

Figueroa's plan, and similar ones in other states, are evidence that politicians are looking closely at the growing practice of sending work offshore. Her proposal, if enacted, would be among the first to significantly affect businesses' offshore IT practices. Most other efforts to restrict offshore outsourcing seek to block federal or state contracts from going overseas. Offshore business-process-outsourcing services-which, unlike application development, typically require the transfer of personal data-grew 38% last year to just under $2 billion, according to Gartner. The research firm says most of that work was performed in India.

At the federal level, Sen. Dianne Feinstein, D-Calif., asked the U.S. Comptroller of the Currency earlier this month to investigate whether banks that process customers' financial data offshore have safeguards to protect that data from unauthorized use. In Arizona, proposed legislation would bar companies from shipping financial data outside the country without written permission from consumers. A proposal in South Carolina would prevent companies from giving 'financial, credit, or identifying information' to a call-center representative abroad without the individual's written permission."

Scare Tactics

Scare Tactics - CSO Magazine - March 2004:

How will employees at your company react if a real crisis hits? Here's what to do to keep panic at bay.

BY DAINTRY DUFFY

IN THE PRESSURIZED cabin of a commercial jet, 30,000 feet in the air, 125 people are clamoring to get out.

Five minutes earlier, they looked just like any other group of passengers sitting back in their seats, some resting with eyes closed, others quietly reading, still others making small talk with the person next to them. The plane had a sudden drop in altitude during a turbulent ride, and panic ensued. That's all it took—one anxious passenger to stand up and announce he couldn't take it any more. He wants off the plane now. Before the crew can respond, everyone is out of their seats.

When rational thought is gone, all we have to fall back on is emotion. Whether it's on a flight to Chicago or in an elevator in your office building, emotion can be a dangerous thing in a high-stakes security emergency.

Panic. It's what causes us to run instead of evacuating in a calm, orderly manner. And you can't imagine the speed with which it spreads. You probably like to think that your employees would be calm during a crisis. But unless you've trained them to work through the stress of a security emergency, you might be surprised at that too.

You're not alone. Many security executives put extensive time and effort into developing contingency plans, but they fail to take the steps—training and practice—that enable employees to calmly follow those procedures during a crisis.
In fact, most CSOs are far less prepared to handle crises than they would like to think—or have led their bosses to believe.

COMMENT:
==================================================
You can be a proud CxO if you can confidently say that in the event of a "Crisis" your employees are trained and ready to handle it. As this article so clearly explains, you can never predict human behavior in the face of a sudden and shocking incident. If your company doesn't have "Corporate Emergency Response Teams" (CERT) exercising test scenarios monthly or quarterly, you face the consequences of poor operational risk management; losses that could have been prevented. We are amazed at how many Executive Rows we visit that still don't have an AED within arm's reach in the event of a heart attack. Protecting corporate assets first begins with common sense and then expands exponentially from there.

16 March 2004

Report rates corporate governance

Report rates corporate governance - (United Press International): "

FRANKFURT, Germany, March 16 (UPI) -- A report by U.S. firm Governance Metrics International ranks Canadian firms first for corporate governance.

European corporate leadership received relatively low marks in the study, compared to U.S. and British corporate leaders, German newspaper Frankfurter Allgemeine Zeitung reports.

Canadian firms did the best, receiving an average score of 7.6 out of 10, followed by U.S. firms (average score 7), Australian firms (6.9) and British firms (6.7).

Japanese firms did the worst of any studied, receiving an average score of 3.

Governance Metrics International evaluated the corporate governance of 2,100 companies in 20 countries based on factors including information available to investors, compensation for top managers, internal control mechanisms, stockholders rights, provisions to prevent hostile takeover and the composition of company administration.

Perfect scores went to 22 companies, including General Electric, General Motors and Vodafone."

Operational Risk - Where It's At and Where It's Going...

Operational Risk - Where It's At and Where It's Going...:

Find out at OpRisk USA 2004, March 30 & 31, New York

LONDON, March 16 /PRNewswire-FirstCall/ -- There has been an unprecedented interest in Risk magazine's annual operational risk conference, Oprisk USA 2004, being held in New York on 30 & 31 March. The conference -- the sixth annual event that Incisive Media (LSE: INM - News) has held -- examines the sophisticated operational risk management frameworks that organisations are having to adopt and implement in order to keep up with the increasing complexity of today's business environment and the ever more challenging regulatory demands.

The measurement and management of operational risk is a rapidly growing area of interest within the financial industry, and is considered to be one of the greatest threats to banks, asset management firms, and insurers. It has been estimated that operational risk has accounted for $112 billion in losses over the past five years. Examples of operational risk failures include cases such as National Australia Bank, Allied Irish Banks, and the late trading/market timing scandals at US mutual funds. Reflecting recognition of the scope of these losses, the new capital adequacy accord proposed by the Basel Committee on Banking Supervision will require banks to set aside regulatory capital specifically against operational risk, from the end of 2006."

Survey finds firms have few plans to cope with disaster

New Zealand News - Technology - Survey finds firms have few plans to cope with disaster:

16.03.2004
By RICHARD PAMATATAU

New Zealand organisations have become complacent since Y2K and are ignoring business continuity and disaster recovery, according to a survey by consultancy KPMG.

Fewer than 35 per cent of the businesses surveyed in a KPMG Asia-Pacific business continuity management benchmarking survey have organisation-wide business continuity plans in place and almost one-third have no plan at all.

The result has shocked Rupert Dodds, KPMG Wellington director of information risk management. He said the report surveyed 200 organisations in the Asia-Pacific region, including 18 in New Zealand.

Dodds was unable to say how much the lack of planning might cost New Zealand if disaster struck.

Many organisations thought that the work done for Y2K was enough but four years on information systems and staff had changed, he said.

In some cases staff did not know where or how business continuity plans were to be implemented.

Business continuity management identifies, assesses and manages events that may have a significant impact on an organisation's business operations.


Dodds said the report showed that organisations were not doing structured risk assessments and might be speculating about the threats they were spending money on - and possibly leaving themselves exposed to the things that would hurt them."

AIG Companies Launch Product and Professional Liability Coverages for Companies Developing Homeland Security Products And Technologies

AIG Companies Launch Product and Professional Liability Coverages for Companies Developing Homeland Security Products And Technologies:

NEW YORK--(BUSINESS WIRE)--March 15, 2004--The AIG Companies today introduced SAFETY Act Homeland Protector(SM), a new set of product and professional liability coverages designed for companies developing and selling anti-terrorism products and technologies in accordance with the Support Anti-Terrorism By Fostering Effective Technologies Act of 2002 ('SAFETY Act').

The SAFETY Act Homeland Protector program insures companies against the product and/or professional liabilities that can arise when a product or technology certified by the Department of Homeland Security is deployed to defend against, respond to, or recover from a terrorist attack. Coverage is available with limits of liability up to $25 million. Consistent with the protections afforded to companies under the SAFETY Act, coverage is activated only when an act of terrorism has occurred.*

'It is important for companies developing anti-terrorism products and technologies to be innovative in order to effectively protect the nation from terror threats,' said Kevin Kelley, Chairman and Chief Executive Officer of Lexington Insurance Company, a member company of American International Group, Inc. 'With the protection offered by SAFETY Act Homeland Protector coverage, insureds can establish a sound strategy for managing product and professional liability risks, which ultimately allows them to focus on developing innovative solutions for our nation's security issues.'

SAFETY Act Homeland Protector coverage also includes a referral service to legal experts who will guide insureds through the application process for legal protection provided by the SAFETY Act, under the administration of the Department of Homeland Security.

Developed by the AIG Companies in conjunction with AIG Corporate Product Development, SAFETY Act Homeland Protector is currently available in the United States through brokers. For more information, please contact Wanda Johnson, Vice President, Specialty Casualty at 617-443-4614, or SafetyAct@aig.com."

COMMENT:
==================================================
We have contacted AIG to find out more about these new products and will be reporting back in due course.

15 March 2004

Terrorism Risk Management for Critical Infrastructure Protection - A Series

By Peter L. Higgins
1SecureAudit LLC

Part V

Asset Identification & Valuation
Priorities for protecting both physical and information assets are obtained through a comprehensive process for enterprise risk management. You must identify the relative importance and value of assets, whether they are people, processes, systems or facilities. Business Impact Analysis has three primary actions that must take place:

· Identification and definition of the core business processes that sustain the organization in business
· Identification of critical business infrastructure assets such as:
o Personnel to run the functions and facilities
o Information systems and data
o Life safety systems and safe havens
o Security systems
· Assign a relative protection priority
o High – Loss or damage would have grave consequences for extended time
o Medium – Loss or damage would have serious consequences for a moderate time
o Low – Loss or damage would have minor consequences for a short period of time

Threat Assessment
Once this is completed, a thorough threat assessment must take place. This is a continuous process of information gathering, analysis and testing. Five key factors define and analyze a threat profile:

1. Existence – who or what is hostile to the assets
2. Capability – what weapons or means the threat agent has used in the past
3. History – what has occurred in the past, and how often
4. Intention – what outcomes or goals the threat agent hopes to achieve
5. Targeting – how likely it is that the assets are under surveillance

Next a set of Event Profiles for the threat scenarios must be created. These detailed profiles describe the mode, duration and extent of an incident event as well as mitigating or exacerbating conditions that may exist.

The output of the threat assessment is a threat rating for each hazard against each asset on the protection priority list. The rating can be as simple as high, medium and low, provided each level is specifically defined and the assignment is informed by expert judgment.

One alternative is to assign a level of protection against the threat itself. This can be arrived at through management decision-making; however, it is used only where potential damage and expected injuries are being assessed, as in DoD profiles.

Vulnerability Assessment

The vulnerability assessment comes next in the process. It examines facilities across the full spectrum of building and operational systems so that you can determine which protection measures, physical or operational, to apply.

This is done by answering questions about known and unknown vulnerabilities, and involves visual inspection, document review and a review of management and organizational procedures.

Visual inspections cover the site and location and the architectural, structural, utility, communications, information technology, mechanical and plumbing systems. They should extend to all third-party suppliers that perform critical functions in the organization's operations. Document reviews include blueprints, contracts, maintenance records, equipment operation logs and visitor logs. Procedure reviews may uncover where modifications or alternatives can reduce risk exposure without substantial changes to the physical structure or location.

Example Questions:
1. What critical infrastructure, government, military or other commercial facilities such as stadiums are in the local area that could impact this location?
2. What is the source of electrical service?
3. Is the parking garage adjacent to, and at a standoff distance from, the main building?
4. What major structures surround the facility?
5. Is high visitor traffic located away from critical assets?
6. What type of construction is used?
7. Is the structure vulnerable to progressive collapse?
8. What systems receive emergency power, and have capacity requirements been tested?
9. Where are the air intakes, and how are the air handling systems zoned?
10. What is the method of gas distribution?
11. Is there redundant off-premises fire alarm reporting?
12. Are loading docks, mail rooms and service entrances separated from all critical building mains, including power, water and communications?
13. Do the IT systems meet requirements for confidentiality, integrity and availability?
14. What is the status of the current security plan?

These are just a few of the questions that need to be addressed in the vulnerability assessment of the building, facility or infrastructure.
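The three steps above (asset priority from the BIA, a threat rating derived from the five threat-profile factors, and a vulnerability rating from the assessment questions) combine into a single ranked list of what to protect first. The following is an added example of that combination, written for this page; it is not a tool from the series. The page defines the words high, medium and low but not numbers, so the 1/2/3 scale, the risk product, the 2.5 and 1.75 cut points for the threat rating, and the facility data are all assumptions constructed for illustration.

```python
"""Asset x threat x vulnerability ranking in the style of the Part V
process. Added example with constructed data; the numeric scale and
thresholds are assumptions, not values from the series."""
from dataclasses import dataclass
from itertools import product
from statistics import mean

# Assumed numeric mapping for the high / medium / low words used in the text.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str   # personnel, information systems, life safety, security systems
    priority: str   # high / medium / low protection priority from the BIA


@dataclass(frozen=True)
class ThreatProfile:
    """The five threat-profile factors from the series, each rated high/medium/low."""
    hazard: str
    existence: str
    capability: str
    history: str
    intention: str
    targeting: str

    def rating(self) -> str:
        # Assumed rule: mean of the five factor scores, cut at 2.5 and 1.75.
        # Each level must be defined in writing before it is used; this is one definition.
        score = mean(LEVEL[f] for f in (self.existence, self.capability,
                                         self.history, self.intention, self.targeting))
        if score >= 2.5:
            return "high"
        if score >= 1.75:
            return "medium"
        return "low"


def risk_score(asset: Asset, threat: ThreatProfile, vulnerability: str) -> int:
    """Asset priority x threat rating x vulnerability rating, on a 1..27 scale."""
    return LEVEL[asset.priority] * LEVEL[threat.rating()] * LEVEL[vulnerability]


def rank_risks(assets, threats, vulnerabilities):
    """Return (asset name, hazard, score) for every asset/hazard pair, highest first.

    vulnerabilities maps (asset name, hazard) -> high/medium/low as answered in
    the vulnerability assessment. A pair with no rating is an unfinished
    assessment, so it is rejected rather than silently scored as low risk."""
    pairs = list(product(assets, threats))
    missing = [(a.name, t.hazard) for a, t in pairs
               if (a.name, t.hazard) not in vulnerabilities]
    if missing:
        raise ValueError(f"unassessed asset/hazard pairs: {missing}")
    rows = [(a.name, t.hazard, risk_score(a, t, vulnerabilities[(a.name, t.hazard)]))
            for a, t in pairs]
    # Ties are broken by name so the ranking is reproducible between runs.
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


# Constructed facility data for illustration (not a real site).
SAMPLE_ASSETS = [
    Asset("Data center", "information systems", "high"),
    Asset("Lobby visitor desk", "security systems", "low"),
    Asset("Air handling plant", "life safety", "medium"),
]
SAMPLE_THREATS = [
    ThreatProfile("bomb_blast", "high", "high", "medium", "high", "medium"),
    ThreatProfile("chem_release", "medium", "low", "low", "medium", "low"),
    ThreatProfile("insider_data_theft", "high", "medium", "high", "medium", "medium"),
]
# One vulnerability rating per asset/hazard pair, e.g. garage standoff distance
# (question 3) lowers the data center's blast exposure, ground-level air intakes
# (question 9) raise the air handling plant's exposure to a chemical release.
SAMPLE_VULNERABILITIES = {
    ("Data center", "bomb_blast"): "medium",
    ("Data center", "chem_release"): "low",
    ("Data center", "insider_data_theft"): "high",
    ("Lobby visitor desk", "bomb_blast"): "high",
    ("Lobby visitor desk", "chem_release"): "medium",
    ("Lobby visitor desk", "insider_data_theft"): "low",
    ("Air handling plant", "bomb_blast"): "low",
    ("Air handling plant", "chem_release"): "high",
    ("Air handling plant", "insider_data_theft"): "low",
}


def example_ranking():
    """Rank the constructed facility's asset/hazard pairs."""
    return rank_risks(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_VULNERABILITIES)


if __name__ == "__main__":
    for name, hazard, score in example_ranking():
        print(f"{score:>3}  {name:<20} {hazard}")
```

Two design points are worth keeping when adapting this: an unrated asset/hazard pair stops the run instead of scoring zero, because a gap in the vulnerability assessment is itself a finding; and the threat rating is computed from the five written-down factors rather than entered directly, so the expert judgment that produced it can be reviewed later.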

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk, the need for state-of-the-art tools and systems to mitigate those risks is paramount. CxOs in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises. Now that threats to government and business operations are becoming more prevalent, organizations must plan for every type of business disruption, from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Last part of a five-part series.

14 March 2004

High Anxiety

High Anxiety:

By JAMES GLANZ
The New York Times

Published: March 14, 2004

Right now, the designers of the Freedom Tower are struggling to master three colossal forces that are at work in the stark, empty sky above the World Trade Center site: gravity, wind and, perhaps most formidably, fear.

Any architect or engineer who works on a tall structure is morally and professionally obligated to become something of a safety obsessive. The steel and concrete of every Manhattan skyscraper has to resist hurricane-force winds, for example, as well as the downward pull of the Earth. But only the Freedom Tower will rise over a patch of ground that is forever shaken with the terror and paranoia of the worst building catastrophe in the history of the planet. As with the very first generation of skyscrapers, the work will have to be so visibly solid, so secure, that it will convince an anxious public to step into the building. After all, those who enter will not only be haunted by what occurred at the site in the past; they will also be apprehensive about what could happen again.

Last December, the twisting, tapering outlines of the building were unveiled: 70 occupied floors topped by a cable superstructure and a spire reaching 1,776 feet. At the ceremony, David M. Childs, the architect and consulting partner at Skidmore, Owings & Merrill who is leading the design team, said it would 'probably be the safest building in the world.'

In an attempt to live up to that very public promise — to overcome public fear, and reassure prospective tenants — the designers of the tower are carrying out a most unusual exercise that is in equal parts brainstorming, forensic analysis and Götterdämmerung-style what-iffing. They are systematically mapping out a dark spectrum of possible calamities, from major fires to terrorist attacks, and they are attempting to measure, with the greatest precision that technology affords, how well the building would hold up and safeguard the people inside. With that information in hand, the designers are improving the structure and trying to make it safer.

"This is at ground zero," said Daniel Libeskind, the architect who is the master planner for the site. "So I think the site has the responsibility to go way beyond the ordinary safety codes. Everything in the power of engineering, security thinking, safety thinking, architecture, urbanism has to be done to recognize that this is a special site."

The first goal, of course, will be to prevent any future terrorist attacks, and the builders of the Freedom Tower say that a variety of intensive security measures will be put in place. Even so, every prospective tenant is likely to entertain the same thought on his first trip to the top. As John W. McCormick, an engineer and code expert who is a consultant on the project, puts it: "There's a need to recognize that, just very possibly, it might be a target."

12 March 2004

Complying with regulatory and business security needs

Complying with regulatory and business security needs:

A pragmatic primer for protecting your most critical assets
by David Johnson.

For most businesses, government agencies, institutions and other organisations, security can at times seem like an overwhelmingly complex challenge. Threats to your data, both real and perceived, loom from all angles. Hacker attacks, disgruntled or dishonest employees, and competitive snooping are just some of the concerns with respect to protecting proprietary information.

Regulatory drivers are mounting as well, with an ever-growing list of legislation and new acronyms to contend with. In Europe, the EU and individual countries have their own regulations governing the privacy of information including, as examples, the European Community Directives on human rights, electronic commerce, data protection, and privacy and electronic communications and the UK’s Data Protection Act. In the US, HIPAA, GLBA, and “SOX” are just a few to contend with. On a worldwide basis, the Basel II Capital Accord is front of mind for all internationally active banks.

Faced with a long and growing list of international regulations affecting IT security, compliance is viewed as one of the top concerns for many executives. Some of these laws hold organisations accountable for protecting the confidentiality of consumer or patient information. Others require companies to provide detailed and reliable documentation on financial decisions, transactions and risk assessments. And new laws are being passed all the time.

Deciphering the regulatory alphabet soup

Here is a quick primer on some of these regulations and what they mean:

11 March 2004

Identity breach risk accelerates

OSAC - Identity breach risk accelerates:

from VNUNet
Article ID: D141380

Flaws in identity management have huge impact


Security breaches resulting from identity management flaws are rising and creating huge problems for businesses, research shows. Identity management breaches affected one in 10 large companies last year, and half of them said it was their worst security problem of the year, according to the Department of Trade and Industry's biennial Information Security Breaches Survey 2004.

The identity management part of the survey, sponsored by Entrust, found that confidentiality breaches tended to cause long-term disruption to businesses, with 15 per cent of those that had been hit reporting problems that lasted a month or longer.

'If you compare the problem of identity management to viruses, it's not growing as fast so the number of organisations that have had a major breach resulting from identity management is not as large,' said Chris Potter, the PricewaterhouseCoopers partner leading the survey.

'However, the large sting in the tail is that when people suffer financial fraud, theft or disclosure of confidential information, these breaches tend to be very, very significant to their business,' he said.

Confidentiality breaches resulted in the largest amount of staff time required to remedy the problem, at 10 to 20 man days. They also resulted in the largest monetary loss with 15 per cent costing £100,000 in legal fees, investigation costs and fines."

COMMENT:
=================================================
As this article states: The organizations are bringing this upon themselves because they have not implemented new technologies and basic controls. For more information on this growing operational risk see "Six Ways to Mitigate the Risk of Corporate Identity Theft"

10 March 2004

Microsoft Says Latest Software Flaw 'Critical'

Reuters.com Microsoft Says Latest Software Flaw 'Critical':

SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile, Research) upgraded a recent security warning to 'critical' after discovering new ways in which an attacker could run malicious software on a vulnerable computer, the world's largest software maker said on Wednesday.

The software flaw, which affects the two latest versions of Microsoft's Outlook e-mail, calendar and contacts program, was initially rated as 'important' in Microsoft's monthly security bulletin issued on Tuesday.

Redmond, Washington-based Microsoft said that it reissued its latest security bulletin with a 'critical' rating, which means that software should download and install a patch to correct the problem as quickly as possible.

'This change is based on information concerning a new attack scenario discovered after the bulletin's original release on March 9th,' Microsoft said in a statement."

09 March 2004

So What Keeps You Up at Night? Ten Ways to Help CFO's Sleep Better

www.cybersure.com - ABD Insurance:

By John Schaefer, VP Enterprise Risk Management
ABD Insurance and Financial Services

In a recent survey conducted by Robert Half Management Resources the top two areas of potential vulnerability and concern cited by CFOs are disaster recovery (37%) and the security of information systems (24%). A common theme between these exposures is the need to better identify and understand the full range of risks that companies face today and the need for all organizations to develop new ways to more effectively manage these risks. By developing cross-company approaches for addressing all areas of risk, companies will begin to move toward a systematic, enterprise risk management process that most effectively reduces risk and controls cost.

In a comprehensive enterprise risk management program companies identify and assess potential losses without regard to which department or function they may occur in. Broad categories such as strategic, operational and financial risks are sometimes used to group related exposures. The scope of this exercise is frequently daunting and leads some executives to defer implementation until the board of directors or regulators (such as in the financial industry) requires this overarching approach. However, there is a way to reduce the concern related to IT security and disaster recovery without performing a comprehensive assessment.

Most companies exist to produce goods and services. Doing so requires raw materials, processing and a system of delivery. Underlying these processes are support functions such as accounting and human resources. By thinking of information as one of the raw materials, the scope of the risk management process is simplified. The following ten-step program can be used to initiate a relatively quick risk control program for your critical business functions. After completing these measures you can develop a more comprehensive plan."

08 March 2004

Terrorism Risk Management for Critical Infrastructure Protection - A Series

By Peter L. Higgins
1SecureAudit LLC

Part IV

TRIA (the Terrorism Risk Insurance Act) is an interim solution for managing risks that remain unknown, and for which loss information is lacking, in the aftermath of a particular incident. The act provides temporary help to:

· Protect consumers by making property and casualty insurance for terrorism risk widely available.

· Give the insurance industry time to establish standards and protocols and to stabilize its pricing and models.

The building finance sector is focused on commercial infrastructure, including malls, banks, hotels and other high-profile commercial structures in downtown districts. The current models cover major threats such as bomb blast, aircraft impact, and chemical, biological, nuclear and radiological attack. The real estate and insurance industries have yet to settle on a model that takes into consideration all of the potential events and their impact. So far the models have been slow in coming, and many property owners have a wait-and-see attitude about purchasing terrorism insurance.

TRIA requires insurers to offer terrorism risk coverage and to disclose the cost of the added coverage as a percentage of the total premium. Insurers charge anywhere from 0% to 80%, depending on how much of the risk they want to write and the details of a building's location. Without actuarial data to work from, insurers are pricing subjectively rather than objectively. Models may be good enough for now, until real data is available to work from.

As new standards are developed across the spectrum of the industry from architectural design to building codes and operational mitigation strategies the new baselines will emerge. These new baselines will help determine how organizations effectively prepare for incidents of catastrophic proportions.

Because the insurance industry's models are still immature for lack of actuarial data, real estate financiers are considering alternative approaches to risk mitigation and management. For example, tools for assessing terrorism vulnerabilities exist today that could be introduced into the due diligence cycle. As these tools are adopted to assess and reduce the risk of unknown man-made events, lenders and insurers will converge on the new models to rate buildings and critical infrastructure in terms of their exposure to terrorism risk.

Due diligence requires detailed property inspections and audits to provide sound advice to key decision makers on the state of a real estate property. Vulnerability to terrorist attack will become, if it isn’t already, a critical component of due diligence. The individuals and firms that provide these solutions must be multi-faceted in operations, security and building systems in order to provide a comprehensive and fair report. This assessment shall include the operational procedures and hazard mitigation programs of the building to determine the overall vulnerability to a combination of both natural and man-made events.

More on this series over the next few weeks.

06 March 2004

Fast Company Magazine - Company of Friends - Reston Cell - Executive Breakfast Briefing

Company of Friends : Reston : Calendar:

Fast Company Magazine - Company of Friends - Reston Cell

Presents an exclusive:

“Executive Breakfast Briefing”

Sponsored by: 1SecureAudit LLC

TO REGISTER: Click Here

Guest Speaker - Brian Murray - Author

Each attendee will receive a signed copy of Brian's book - "Defending the Brand: Aggressive Strategies for Protecting Your Brand in the Online Arena"

Brian's topic for the Briefing: "Six Ways to Mitigate the Risk of Corporate Identity Theft"

Global companies are increasingly falling victim to fraudsters using “spoofed” emails and websites to dupe their customers into sharing credit card numbers and other personal information. These kinds of corporate identity attacks undermine customer confidence and loyalty, ultimately costing a business dearly in customer service issues, bad publicity, and lost revenues.

About the Author
Brian H. Murray (Arlington, VA) is vice president of client services at Cyveillance, whose clients include more than half of the Fortune 50. He is one of the world's leading experts on brand and digital asset protection. Murray's publications and studies have been reported by USA Today, The New York Times, and The Wall Street Journal, among others. He has appeared on CNNfn, TechTV, CBS MarketWatch, and CNET Radio. Murray has served multiple appointments as an expert advisor to the Virginia General Assembly's Joint Commission on Technology and Science. He is also a founding member of the American Management Association's Homeland Security Council. Murray holds an MBA from The Darden School at the University of Virginia, an MEE from The Johns Hopkins University, and a BS from Syracuse University.

Book Description

Leading brands and the intellectual property of successful organizations are increasingly falling victim to hostile tactics from unscrupulous businesses. Unwanted brand associations, product piracy, and other forms of online brand abuse threaten to alienate consumers and undermine the success of companies in every industry.

Defending the Brand introduces strategies being used by companies around the world to fight back and regain control, preserving brand equity and rescuing potentially lost revenue. From marketing and sales initiatives that discourage abuse to how to collect intelligence on possible wrongdoers, this timely book is as valuable as it is fascinating.

Punctuated with eye-opening stories from real companies like Home Depot, Disney, the Red Cross, Nintendo, and the Associated Press, Defending the Brand is a call to action for companies unwilling to compromise the power of their brands and the success of their products.

Seating is limited and on a first come basis! No walk-ins on the day of the event will be accepted, so register here now."

04 March 2004

Management - It pays for employers to take a healthy interest in their staff

Management - It pays for employers to take a healthy interest in their staff:

ALAN MCEWEN

EMPLOYERS are increasingly being encouraged to take a greater interest in the health and safety of their workforce.

With an average of 7.4 working days lost per employee in Scotland in 2003, cutting down unnecessary absenteeism is an obvious way to boost a company’s bottom line, as hundreds of millions of pounds are lost every year through sick days while accidents can result in costly compensation claims.

Similarly, long hours and increasing job pressures have seen a rise in stress-related illnesses which can have a debilitating effect on the well-being of businesses as well as staff.

Looking to avoid risky business


SAFE and Healthy Working carried out a survey of small to medium-sized enterprises prior to launching its services to gauge the state of their practices.

The most frequently reported actions taken by SMEs to improve health and safety were implementing a general health and safety policy (83 per cent), training employees (64 per cent), accident reporting (55 per cent) and documented risk assessment (52 per cent).

Some 89 per cent of small firms said they routinely record and monitor accidents. Accident reporting was most likely to occur in the manufacturing, transport and distribution and healthcare sectors, but least likely in the hotel and catering, finance and postal or telecoms sectors.

Overall, 74 per cent of workplaces record sickness absence. Medium-sized workplaces appeared more likely to monitor and record ill-health through sickness absence than the very smallest workplaces.

Broken down by sector, finance and healthcare firms were most likely to record absence through sickness, but least likely in the hotel and catering and postal and telecoms sectors.

At least nine out of ten of the survey respondents said they had acted on perceived risks relating to fumes, moving parts of machinery, fire, lifting and manual handling, electricity, chemicals, and infection or contamination.

The survey also found that the issues least likely to be acted upon, despite being aware of the risks, included psychosocial hazards and long working hours."

03 March 2004

Functional Principle: Information Risk Management

Generally Accepted Information Security Principles

Statement:

Management shall ensure that information security measures are appropriate to the value of the assets and the threats to which they are vulnerable.

Rationale:

In order to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to the assets, and the vulnerability of the assets or their environment to the threats.

The security of information assets, with regard to the value of their confidentiality, integrity, and availability, and the security of the supporting Information Technology resources, must be assured by well-informed owners, managers, custodians, or other responsible parties. Such an approach (performed strategically, on an on-going basis, or as changes dictate) must enable well-informed decisions regarding whether to accept, mitigate, or transfer the risks associated with the information assets and supporting Information Technology resources. These decisions should be based on the monetary value of the assets, probability and consequences of direct or indirect harm or loss, related threats, effectiveness of existing safeguards and controls, and whether additional safeguards or controls could be expected to provide cost-effective incremental risk mitigation.

Example:

In migrating to a newer version of the standard corporate e-mail, a team of analysts working for ABC, Inc., assessed whether or not the in-place access rules would migrate intact. This was regarded as a critical factor, since highly confidential project information was passed regularly from one department head to another. In the post-migration test analysis, the team found that proxy rules did not transfer, with the result that mail became visible to "public." Also found was a failure of the encryption feature, due to version incompatibilities, when applied to mail sent externally.

The Directors of Internal Audit and Corporate Legal reviewed the matter for potential ramifications. Given the kind of information that could have been compromised, their consensus was that exposure to loss of intellectual property, and possible violation of employee privacy, could have exposed the company to an estimated $39M in total losses. $9M of loss would stem from a combination of litigation costs and settlements in privacy matters, and another $30M from redevelopment costs due to exposure of proprietary process details while in transit to remote corporate sites. Consequently, the transition effort was halted until the problem was fully resolved, and effective security measures were implemented and successfully tested.
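As an added illustration (not part of the GAISP text or the ABC, Inc. case), the following Python models the decision the Rationale describes: expected loss from asset value, threat probability and the effectiveness of controls already in place, then adopt only those additional safeguards whose incremental risk reduction exceeds their cost, and dispose of whatever remains as accept, transfer or mitigate. The $39M consequence figure comes from the example above; the annual probability, safeguard names, costs, effectiveness values, acceptance threshold and insurance premium are constructed assumptions.

```python
"""Worked GAISP-style risk decision (added example, not GAISP's own text).

Only the $39M consequence figure comes from the ABC, Inc. example; every
probability, cost, effectiveness value and threshold below is a constructed
assumption for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float               # estimated chance of the loss event per year (0..1)
    consequence: float                      # direct plus indirect loss if it occurs, in dollars
    existing_control_effectiveness: float   # share of that loss current safeguards already prevent (0..1)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # cost to implement and operate, per year
    effectiveness: float    # share of the *remaining* expected loss it removes (0..1)


def expected_loss(threat: Threat) -> float:
    """Annualised expected loss after the controls already in place."""
    return (threat.annual_probability * threat.consequence
            * (1.0 - threat.existing_control_effectiveness))


def select_safeguards(threat: Threat, candidates: list[Safeguard]):
    """Greedy cost-effectiveness pass: adopt a safeguard only if the expected
    loss it removes exceeds what it costs. Returns (adopted, rejected, residual)."""
    residual = expected_loss(threat)
    adopted: list[Safeguard] = []
    rejected: list[Safeguard] = []
    for s in candidates:
        benefit = residual * s.effectiveness
        if benefit > s.annual_cost:
            adopted.append(s)
            residual -= benefit
        else:
            rejected.append(s)
    return adopted, rejected, residual


def dispose(residual: float, accept_threshold: float, transfer_premium: float | None) -> str:
    """Accept what is within appetite, transfer (insure) if that is cheaper than
    carrying the residual, otherwise the risk still has to be mitigated further."""
    if residual <= accept_threshold:
        return "accept"
    if transfer_premium is not None and transfer_premium < residual:
        return "transfer"
    return "mitigate"


def assess(threat: Threat, candidates: list[Safeguard],
           accept_threshold: float, transfer_premium: float | None = None) -> dict:
    adopted, rejected, residual = select_safeguards(threat, candidates)
    return {
        "expected_loss": expected_loss(threat),
        "adopted": [s.name for s in adopted],
        "rejected": [s.name for s in rejected],
        "residual": residual,
        "disposition": dispose(residual, accept_threshold, transfer_premium),
    }


# Constructed scenario modelled on the ABC, Inc. mail migration: the lost proxy
# rules and broken external encryption mean existing controls contribute nothing.
MAIL_MIGRATION = Threat(
    name="confidential project mail exposed after migration",
    annual_probability=0.25,             # assumption
    consequence=39_000_000.0,            # $39M total loss estimate from the example
    existing_control_effectiveness=0.0,  # controls did not survive the migration
)

CANDIDATES = [  # all names and figures are assumptions
    Safeguard("re-create proxy access rules before cut-over", 200_000.0, 0.75),
    Safeguard("fix external mail encryption incompatibility", 150_000.0, 0.60),
    Safeguard("dedicated outbound DLP appliance", 1_200_000.0, 0.50),
]


def run_example() -> dict:
    return assess(MAIL_MIGRATION, CANDIDATES,
                  accept_threshold=500_000.0, transfer_premium=400_000.0)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With the constructed figures the first two safeguards pay for themselves many times over and are adopted, the DLP appliance removes less expected loss than it costs and is rejected, and the remaining exposure is still above the acceptance threshold but cheaper to insure than to carry, so the disposition is "transfer". Changing the threshold or removing the premium flips the outcome to "mitigate", which corresponds to the halt-and-fix decision ABC, Inc. actually took.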

More information can be found at: GAISP

U.S. Multinationals Make Sweeping Changes in Corporate Governance, PwC Finds

U.S. Multinationals Make Sweeping Changes in Corporate Governance, PwC Finds:

New relationship evolving between board and management

(SmartPros) -- The relationship between management and boards of directors at U.S. multinational companies has been changed dramatically through an array of corporate governance initiatives begun in response to corporate scandals, the Sarbanes-Oxley Act, and other requirements.

According to the report by PricewaterhouseCoopers:

* 88 percent of senior executives report that directors at their company are expected to have more input on a variety of issues.
* 73 percent say their board will be more vocal on risk identification and risk management.
* 72 percent say their company has established a 'whistleblower' complaint process, as required by Sarbanes-Oxley, even though this provision is not yet in effect. Five percent of these report an increase in the number of complaints received and addressed by the audit committee.
* 64 percent report that their audit committee reviews the company's 10-Q prior to filing with the SEC.
* 63 percent have made changes or improvements in the skill sets of their audit committee.
* 57 percent of audit committees and 47 percent of boards have performed a self-assessment in the past 12 months.

'Boards and audit committees at large corporations have responded actively to the call for change and have accomplished a lot,' said Garrett Stauffer, of PricewaterhouseCoopers' U.S. corporate governance practice. 'We expect the increased attention and focus on governance will continue.'

Among other governance initiatives in place:

* 46 percent have a formal process for evaluating auditor performance.
* 43 percent have revised their audit committee charter as a result of Sarbanes-Oxley or proposed stock exchange listing standards.
* 31 percent of audit committees have engaged outside advisors to assist in meeting new requirements.
* 28 percent have appointed, or plan to appoint, a lead director or non-executive chairman, since passage of Sarbanes-Oxley."

02 March 2004

Advanced Continuity / 1SecureAudit - Emergency Preparedness and Business Crisis Executive Briefing

Advanced Continuity / 1SecureAudit - Emergency Preparedness and Business Crisis Executive Briefing:

Date: Mar 19, 2004

Time: 1:30 pm - 2:30 pm

Location: Webinar Via Raindance.com
All Times are Eastern US (GMT - 05:00)


Register Online Click Here or
To RSVP and register via Telephone - 1 800 299 5235 - Jessica Heckert can assist you


Event Details:
This online webinar is for CxO's and other executive managers who have the ultimate responsibility for activating an emergency response plan in the event of a business crisis for their organization.

The Event ID# and all details will be e-mailed on the morning of the briefing. Copies of the slides will be mailed to all registered attendees after the briefing. Each attendee will also receive a complimentary copy of our Whitepaper entitled:

'Emergency Preparedness & Continuity of the Enterprise'


In addition, each organization who registers will also qualify for a no obligation two week pilot of the Advanced Continuity service 'Floodgate': A Global Notification Solution.

Now that threats to the business operations of our vital industry sectors are becoming more prevalent, organizations must plan for every type of business disruption, from hardware and communication failures, to natural disasters, to internal or external acts of terrorism. During these times of emergency, where every second counts, Floodgate can play a key role in an organization's communication system and in its crisis management and business continuity plans.

1SecureAudit assists you in the transfer of business management practices to prevent, mitigate, and recover from a disruptive (crisis) event in a manner consistent with your strategic and compliance objectives. The process of mitigating the risk of hazards and threats before they become disasters is similar for both natural and human-caused threats, whether you are dealing with hurricanes, earthquakes, tornadoes or other acts of conventional or digital terrorism. The real estate finance industry and owners of critical economic infrastructure require rapid screening methods for the evaluation of threats and detailed guidelines for mitigating a spectrum of operational risk.

Webinar Topics include:

1. Crisis Communications
2. Critical Success Factors in Infrastructure Protection
3. Event Profiles and Mitigation Examples to Reduce Losses
4. Regulatory and Compliance Issues

These types of unpredictable emergency disruptions can wreak havoc on any organization, its clients and the public. As a result, business crisis and continuity management has become a high priority as organizations recognize the importance of responding to an unplanned event, so that employees and personnel remain safe, critical business functions continue, and relevant people are fully informed. "

Secretary Tom Ridge Approves National Incident Management System (NIMS)

Secretary Tom Ridge Approves National Incident Management System (NIMS): "

For Immediate Release
Press Office
Contact: 202-282-8010
March 1, 2004

U. S. Department of Homeland Security Secretary Tom Ridge today announced approval of the National Incident Management System (NIMS), the Nation's first standardized management plan that creates a unified structure for Federal, state, and local lines of government for incident response. 'NIMS gives all of our Nation's responders the same framework for incident management and fully puts into practice the concept of, 'One mission, one team, one fight,'' Ridge said.

'I recognize the efforts of the dedicated professionals from state and local governments, law enforcement, the fire and emergency management communities, emergency medical services, tribal associations, public health, the private sector, public works, and non-governmental organizations across America who teamed together in a collaborative effort to create NIMS,' Ridge said. 'This unique system provides all of our Nation's first-responders and authorities with the same foundation for incident management, in terrorist attacks, natural disasters, and other emergencies. From our Nation to our neighborhoods, America is safer.'

NIMS strengthens America's response capabilities by identifying and integrating core elements and best practices for all responders and incident managers. Through a balance between flexibility and standardization, and use of common doctrine, terminology, concepts, principles, and processes, execution during a real incident will be consistent and seamless. Responders will be able to focus more on response, instead of organizing the response, and teamwork and assignments among all authorities will be clearly enhanced. Key elements and features of NIMS include: See NIMS"

01 March 2004

Terrorism Risk Management for Critical Infrastructure Protection - A Series

By Peter L. Higgins
1SecureAudit LLC

Part III

Insurance losses resulting from catastrophic events such as terrorism fall into several key areas:

· Property Losses to the target building and adjacent buildings, incurred by the owners themselves.

· Liability Losses for claims due to inadequate procedures for evacuation or fire prevention incurred by building owners.

· Workers compensation, health and life insurance losses resulting from death or injury of tenants or visitors to the building.

· Business income and rent loss due to inability to occupy the buildings incurred by tenants and owners.

· Financial losses by various lenders and investors in mortgage-backed securities associated with the mortgage notes themselves.

The real estate finance community and building owners associations have been engaged in a substantial debate since 9/11 about the exclusion of terrorism risk from insurance coverage. The real estate and lending environments in target cities such as New York, Washington, DC and Los Angeles have been in turmoil over the unavailability of terrorism risk insurance at reasonable prices.

This insurance crisis prompted the legislation of the Terrorism Risk Insurance Act of 2002 (TRIA), effective through 2005. The Act requires property and liability insurers in the United States to offer coverage; however, it only addresses a defined category of terrorism losses. To be certified as a loss by the Secretary of the Treasury, an act must have the following characteristics:

· It must be a violent act or an act that is dangerous to human life, property or infrastructure.

· It must have resulted in damage within the United States or on the premises of any U.S. mission abroad.

· It must have been committed by someone acting on behalf of a “Foreign person or foreign interest, as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the U.S. Government by coercion.”

· It must produce property and casualty insurance losses in excess of $5 million.

It is important to note that chemical, biological and radiological losses are excluded from the terrorism risk coverage.

Under TRIA the federal government reimburses the insurers 90% of covered terrorism losses exceeding a deductible paid by the insurance companies.

The gap that exists today, based on these criteria, is losses under $5 million and acts of terrorism that do not meet the certification criteria, such as the Oklahoma City bombing.

More on this series over the next few weeks.

Will the Government Legislate Executive Pay?

Will the Government Legislate Executive Pay? - - CFO.com:

If business leaders don't wake up, says the PCAOB chairman, ''I predict that there will be legislation.''

Stephen Taub, CFO.com
March 01, 2004

The chairman of the Public Company Accounting Oversight Board warned that the U.S. government could intervene to control executive compensation if company managers do not, according to Reuters.

'If the anger of the American people continues and business leaders do not wake up soon, I predict that there will be legislation,' William McDonough reportedly told a gathering last week at the Economic Club of Chicago.

McDonough said a company's compensation committee should review the appropriate level of CEO pay "