30 July 2004

Terrorism Risk Management

Over the past few months, 1SecureAudit LLC has conducted an independent online poll to determine which areas of Operational Risk organizations are focusing on most right now. The results are as follows:

People - 22%
Processes - 31%
Systems - 28%
External Events - 19%


Processes (31%) and Systems (28%) are the two areas that CxOs have the most control over, and they are the two main areas they are working on right now to mitigate risk.

This means that they have transferred or accepted the risk in the other two areas of Operational Risk Management, People (22%) and External Events (19%). The key mechanism for transferring the risk of people (fraud) and external events (natural disaster) is insurance. The insurance industry has a tremendous amount of historical loss data on these areas, so it can create economical products that let the corporate organization hedge them, with one exception: Terrorism Risk.

Terrorism Risk Management

Terrorism Risk includes the risk from attackers both internal and external to the organization. These attackers are using conventional (incendiary explosive devices) and unconventional (digital worms) methods to disrupt the operations and economic well being of corporate organizations, the real estate finance industry and of our critical infrastructures.

The processes and systems for managing Terrorism Risk are rapidly changing as the commercial real estate finance industry and building owners strive to establish new standards. Critical Infrastructure Protection is now a national priority. The key catalysts for change could further motivate infrastructure owners to implement new risk reduction programs and measures.

Some of the key catalysts for change are:

· Insurance – those institutions that are sharing risks that a building owner faces.

· Finance – banks, REITs (Real Estate Investment Trusts), and others such as pension funds that provide the capital for investments in commercial infrastructure.

· Regulation – Federal, State and Local jurisdictions that regulate building design, construction and operations.


Overall Terrorism Risk reduction begins with these key catalysts in concert with owners of critical infrastructure, whether that is a corporate office building, a hospital, subway, or a hotel. These soft targets are where the risk management decision-making is already taking new directions.

In order to introduce new changes in process or design that impacts the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners. Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety. Consistently the conversations are not about “if” something is going to happen, it is about “where” or “when” it is going to happen. Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future. First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety, given the proper incentives, is vital to the overall risk management of critical infrastructures. The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the risk rating for a specific structure. In order for owners to benefit from the potential of reduced premiums from direct insurers, they must be able to demonstrate a combination of risk mitigation measures and programs that improve the survivability of the infrastructure or reduce its vulnerability to certain threat profiles. These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

29 July 2004

Sarbanes-Oxley Readiness...

Following are sample questions from the Sections 302 and 404 Readiness Assessment by Deloitte.

Has your company:

1. Adopted a formal implementation plan (including a timetable) to address the requirements of Sections 302 and 404 of Sarbanes-Oxley?

2. Established communication channels among management, the board of directors, and the audit committee to ensure a timely discussion of the status and issues related to Sections 302 and 404 of Sarbanes-Oxley?

3. Incorporated steps within its implementation plan to address all five elements (control environment, risk assessment, control activities, information and communication and monitoring) of the COSO internal control framework?

4. Established an enterprise-wide control and risk management program in which controls and procedures are documented and continually reevaluated in response to major process or organizational changes?

28 July 2004

Top 10 Most Effective Cybercrime Policies

Top 10 Most Effective Cybercrime Policies

CSO recently partnered with Carnegie Mellon's CERT Coordination Center and the U.S. Secret Service to survey the cybercrime landscape. Here are the methods that our 500 respondents identified as the most effective to fight e-crime.

1. Engage in internal employee monitoring.

2. Have a written inappropriate-use policy.

3. Require employees and contractors to sign acceptable-use policies.

4. Monitor Internet connections.

5. Require internal reporting to management of insider misuse and abuse.

6. Host employee education and awareness programs.

7. Develop a corporate security policy.

8. Conduct new employee security training.

9. Do periodic risk assessments.

10. Conduct regular security audits."

27 July 2004

64% of Companies Have Dedicated Regulatory Compliance Budgets

64% of Companies Have Dedicated Regulatory Compliance Budgets

By: SmartPros Editorial Staff

-- Sixty-four percent of companies currently have budgets dedicated to financial regulatory compliance, with the average budget projected to be $7.2 million in 2005. Among those companies without a current budget, more than half (54 percent) plan to allocate money for compliance initiatives within the next 12 months.

META Group Inc. released its study, 'Organizational Trends in Sarbanes-Oxley and Regulatory Compliance Issues,' which found that companies are dispersing compliance-related spending across a wide range of financial and accounting regulations:

* 56 percent of companies surveyed have allocated resources for compliance with Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) regulations

* 48 percent are reserving a portion of compliance spending for USA PATRIOT Act-related initiatives.

* 35 percent have earmarked money for compliance with Financial Modernization Act and 33 percent for Basel II requirements.

* 28 percent have allocated budget for SEC Rule 17a-4, and 27 percent for International Accounting Standards initiatives.

Despite the broad range of funding, the study found one dominant compliance driver: 'SOX has had a significant impact on how regulatory compliance has been viewed and managed,' said Jon Van Decker, vice president with META Group's Enterprise Application Strategies. 'What makes SOX different is the heightened level of security around non-compliance. CIOs as well as other officers of a company can be liable for inaccurate information or insufficient controls, with the possibility of fines or prison sentences.'

Although the severity of non-compliance has elevated SOX management to the highest executive levels within organizations, the study found that most compliance stakeholders are unclear as to where they fit in the compliance plan, relative to their peers. Moreover, those executives presumed to be in charge of compliance may be taking a much more limited role than previously thought.

Less than one-third of study respondents indicated reliance on the CFO as the primary role within compliance. In addition, only 16 percent of companies have tasked the CFO with supervision of the chief compliance officer (CCO) position. Similarly, while many compliance solutions are initially perceived as services solutions, the CIO is often not involved in the final decision-making stages. As a result, only 14 percent of CCOs report into the CIO position."

26 July 2004

eEye Digital Security - Vulnerability Management Solutions

eEye Digital Security - Vulnerability Management Solutions: "

Why Does the Industry Need Blink?

Unknown vulnerabilities represent the greatest threat to enterprises’ digital assets. Contrary to popular belief, many hackers do not wish for worms to be released, as this galvanizes enterprises to patch machines that could otherwise be used as doors into a network. This will continue to be a growing issue as enterprises become more successful at proactive vulnerability assessment and remediation – hackers will focus on ways to compromise systems in a “zero-day” fashion. Since Blink operates by stopping the activity that results from an attack rather than the signature of the attack itself, this technology is able to stop even unknown vulnerabilities from being exploited.

Additionally, as the window continues to shrink between the time vulnerabilities are announced and when enterprises are able to patch their systems, the costs incurred by companies through patch management will continue to grow. A company with thousands of machines in its network can expect to experience millions of dollars in lost productivity and business disruption when patching is immediately required. As a result, enterprises need the ability to defer patching to scheduled maintenance cycles, as well as intermediate protection from attacks that intend to leverage the unpatched vulnerability. By protecting individual machines, Blink allows corporations to patch their systems on a less disruptive, more cost-effective schedule.

Likewise, although the vast majority of enterprises have network-level security elements in place (e.g., firewalls, IDS/IPS, etc.), many remote workers, such as mobile workers, teleworkers, contractors and others, unintentionally acquire vulnerabilities “in the wild” and introduce these vulnerabilities to the corporate network once they reconnect. This internal attack vector is becoming a frequent cause of worms and virus outbreaks. Blink provides the means to isolate and evaluate each machine prior to its reconnection to the network. If any of Blink’s security mechanisms detect unusual behavior, the machine is isolated via its application and system-level firewalls, and the attack is prevented.

Blink also helps enterprises enforce policy compliance by constantly auditing corporate security standard configurations to reduce the risk of compromise. Finally, traditional security measures offer no defense against socially engineered security threats that attack from inside the organization. Even if a user unwittingly downloads a virus or worm, Blink is able to recognize the harmful activity, shut down the offending application, and isolate the machine from the rest of the network.

23 July 2004

Experts laud U.S. program to counter bioterror attack

Experts laud U.S. program to counter bioterror attack:

Matthew B. Stannard, Chronicle Staff

San Diego -- Fast action and the right medicines can save tens of thousands of lives in the event of a bioterror attack, a Stanford expert told a bioweapons conference just hours after President Bush announced Project BioShield, a $5.6 billion program to develop stockpiles of vaccines and antidotes for chemical and biological weapons.

'The most important thing for saving people is ... treating people before they become symptomatic,' said Dean Wilkening, director of science at Stanford's Center for International Security and Cooperation.

Bioweapons, which require days or weeks of incubation to become deadly, provide a crucial window of opportunity to treat those at risk, Wilkening said at a program Wednesday on public policy and biological threats for the Institute on Global Conflict and Cooperation at UC San Diego.

'You have to detect the event and get medicine into people's mouths within this window of opportunity,' he said. 'If enough people become symptomatic ... you've lost the game.'

In the case of anthrax, for example, which has a 2- to 4-day incubation period, if exposed people are treated before that window closes, as many as 95 percent may be saved, Wilkening estimated. But if it takes two weeks to procure the antidote, that figure could drop to 20 percent.

Project BioShield, which Bush signed into law on Wednesday, provides incentives to the drug industry to research and develop bioterror countermeasures, speeds up the approval process for antidotes and lets the government distribute treatments in an emergency, even before they receive Food and Drug Administration approval.

In signing the legislation, Bush said, 'We refuse to remain idle while modern technology might be turned against us,' and promised to enlist American science to 'confront the greatest danger of our time.' He noted that many of the legislators who passed it had 'experienced bioterror firsthand when anthrax and ricin were found on Capitol Hill.''"

22 July 2004

Phishing Attacks Linked To Organized Crime

Bank Systems & Technology > Phishing Attacks Linked To Organized Crime:

Michael Cohn, Security Pipeline

'There's a lot of activity in the former Soviet bloc, the Eastern bloc, Latvia and Ukraine,' says John Curran, supervisory special agent with the Federal Bureau of Investigation's Internet Crime Complaint Center. 'It definitely looks like there are organized groups.'

Phishing involves sending fraudulent e-mails that appear to be from a legitimate organization -- such as a bank, credit card company, online merchant or Internet service provider -- asking the recipient to divulge personal and financial information like birth dates, Social Security numbers and PIN codes. Unlucky victims are then subject to identity theft, monetary losses and credit card fraud.

While Curran notes that a broad array of criminals appears to be involved in phishing attacks, ranging from teenagers to grandmothers, the FBI is investigating links to organized crime. So far, Curran hasn't seen any indication that crime syndicates with ties to the Mafia are involved.

The U.S. Secret Service has also noted an increase in organized crime involvement in phishing. At AIT Global's Annual InfoSec Meeting at the United Nations in June, Robert Caltabiano, assistant to the special agent in charge in the New York Field Office of the U.S. Secret Service, pointed to the increasing presence of organized crime in phishing attacks. Although Caltabiano recommended that victims first go to local law enforcement for help, he noted, 'With phishing attacks, the information goes global.'"

21 July 2004

Operational Risk Enterprise Architecture (OREA)

The operational risks facing corporate organizations today are found across a wide spectrum:

  • People
  • Processes
  • Systems
  • External Events

Now take this and multiply by the number of business units or lines of business in your organization. Now multiply this by the industry environments you operate in, the countries you operate in and the number of transactions you do on an annual basis. This will give you an idea of all of the places you have the potential to experience a "Loss Event." These add up over the course of a day, week, month and quarter to erode your earnings, performance and competitive position.

The only way to come close to managing such a dynamically changing foe is to first understand how the architecture of your business is dependent or interdependent on the various components that make up its structure. Only then can you begin to understand why certain loss events happen and what environment or characteristics make it more probable that they will occur.

Recently, a new law in the US called the Identity Theft Penalty Enhancement Act was signed by President Bush. What is interesting about this fact is that it wasn't until Phishing victims lost $1.2 Billion to identity theft related fraud between 2003 and 2004 that the banking industry, the FTC and our legislators understood one of the important facts in accelerating the mitigation of these loss events. Make the penalties for getting caught more severe, if they ever get caught. The law also allows the US Sentencing Commission to potentially increase the penalties for employees who steal sensitive information from their employers. Watch for more on this in the months to come.

The speed of change in the connected economy has finally forced the acknowledgment that modern criminal organizations are a larger target for law enforcement and our justice system. Only through effective operational risk architecture will our institutions be able to detect, deter and defend against the next wave of threats to our people, processes, systems and critical infrastructures.

20 July 2004

Fact Sheet: A Better Prepared America: A Year in Review

DHS | Department of Homeland Security | Fact Sheet: A Better Prepared America: A Year in Review:

Fact Sheet: A Better Prepared America: A Year in Review

“Much like homeland security in general, America’s preparedness requires everyone’s help. That’s why we’ve called you together – to continue building an important partnership – one that will result in an enduring and successful strategy for emergency preparedness across the country.”

– Secretary of Homeland Security Tom Ridge

Today, the Department of Homeland Security, the American Red Cross, the George Washington University Homeland Security Policy Institute and the Council for Excellence in Government brought together leaders in disaster preparedness, and response and recovery as part of the “Public Preparedness – A National Imperative” Symposium. Working together, leaders identified certain challenges and barriers to citizen preparedness as well as specific recommendations that will support the Department of Homeland Security’s National Strategy for all Hazards Preparedness to be released later this year.

Preparedness is the responsibility of every American. At the Department of Homeland Security, we are hard at work creating and implementing preparedness plans; developing procedures and policies that will guide our actions in the event of a terrorist attack; conducting training and exercises to ensure that our first responders possess a necessary level of preparedness; enhancing partnerships with state and local governments, private sector institutions and other organizations; and funding the purchase of much-needed equipment for first responders, states, cities, and towns. These activities, along with an active American community, contribute to a level of national preparedness that is critical to achieving our goal of a better prepared America."

COMMENT:
==================================================
Some enlightened citizen soldiers have already been busy preparing Americans for a spectrum of incidents. For more information see:
Risk Mitigation for the Commercial Real Estate Industry

19 July 2004

Carpe Diem

Carpe Diem:


Yesterday's balkanized approach isn't going to get you where you want to go—or reduce your company's risk. CSOs need to seize the opportunities now to centralize security or pay the price later.

BY ANONYMOUS
CSO Magazine

IT'S BECOMING CLEARER and clearer to me that members of the information security community are enamored with the CSO title and have taken it for their own. And apparently there's nobody to challenge them or to correct this overstatement of responsibilities.

In fact, this very magazine recently ran an article noting the creation of the Global Council of CSOs comprising highly regarded information risk management professionals. In it, Howard Schmidt was asked to comment on the apparent lack of inclusion of physical security in the Council's scope. Schmidt confessed that he's "been forgetting to do that." Unfortunately, such oversight sums up the current landscape where we CSOs are unable even to define the elements of corporate protection within our scope of responsibility. (I'm just as dismayed, by the way, at the prospect of a CSO who owns only physical security and investigations as I am by one who is the sole proprietor of information security.)

Why does this balkanized viewpoint bother me? Because security is fundamentally about risk. The business imperative is sponsored by broader, deeper and more immediate risk, and the consequences potentially include corporate and executive survival. Board members and senior executives can no longer think simplistically about securing their corporation with antivirus software and a physical security program comprising a low-bid guard contract and an access control system. CSOs need a business model that clearly defines the scope of security responsibilities and a job description that includes oversight of securing every aspect of the organization.

16 July 2004

Congress approves 'Bioshield' legislation

Congress approves 'Bioshield' legislation:

By Joe Fiorill, Global Security Newswire

Congress approved legislation that would guarantee a government market for medical countermeasures against a biological, chemical, radiological or nuclear attack.

The chamber voted 414-2 in favor of a bill to implement Project Bioshield, which President George W. Bush first proposed in January of last year. The Senate passed identical legislation May 19. Bush is expected within a week or two to sign the bill, which is intended primarily to spur production of drugs that manufacturers would otherwise find unprofitable.

Select Committee on Homeland Security Chairman Christopher Cox, R-Calif., called the passage 'a watershed in our mission to defend America against bioterrorism, establishing our first line of defense against biological weapons.'

'This is the most significant first-responder program in our nation's history. It will ensure that we have treatments immediately on hand to save lives,' Cox said.

Besides authorizing the government to spend $5.6 billion over the next decade on countermeasures produced by private drugmakers, the act would speed National Institutes of Health countermeasure research and development, as well as allow the Food and Drug Administration to approve new drugs more quickly during emergencies.

A $700 million contract for a new anthrax vaccine, the first contract under the new law, is likely to be awarded 'as soon as next month,' said Rep. Jim Turner, D-Texas, the top Democrat on the House committee.

'By bringing researchers, medical experts and the biomedical industry together in new and innovative ways,' Bush said in a statement today, 'we will not only help protect the homeland but also gain insights into other diseases. This will break new ground in the search for treatments and cures while strengthening our overall biotechnology infrastructure.'"

15 July 2004

Most Large Companies See Sarbanes-Oxley Compliance As Part of Broader Corporate Governance Initiative

Most Large Companies See Sarbanes-Oxley Compliance As Part of Broader Corporate Governance Initiative:

Majority Do Not Measure Cost of Regulation, PricewaterhouseCoopers Finds

NEW YORK, July 14 /PRNewswire/ -- By a margin of nearly two to one, large U.S. companies have made compliance with the Sarbanes-Oxley Act part of their regular corporate governance approach and have integrated it with other regulatory activities, according to PricewaterhouseCoopers' Management Barometer.

The survey of senior executives at U.S.-based multinational companies found that:

-- 64 percent say their company's senior management and board of directors see Sarbanes-Oxley as one of many steps in a larger corporate governance initiative, while 30 percent say it is simply a goal to be achieved. Six percent are uncertain.

-- 62 percent report Sarbanes-Oxley is integrated with their other corporate regulatory compliance processes, but 34 percent say it is not. Four percent are uncertain.

'Integrating the requirements of Sarbanes-Oxley compliance into ongoing corporate governance and regulatory activities, rather than managing compliance with the law as a separate task, offers the potential for improved business performance in both the short and long term,' said Dan DiFilippo, Partner and U.S. Practice Leader, Governance, Risk and Compliance, at PricewaterhouseCoopers.

Tracking Costs of Compliance


Despite complaints by some companies about the increased costs and regulatory burden imposed by Sarbanes-Oxley, most respondents, 56 percent, said their company does not track and report internally on the costs of Sarbanes-Oxley and other compliance programs. Forty-one percent do track such costs.

'Given the early outcry about Sarbanes-Oxley's added costs, it's surprising that most companies do not document and track this expense,' said DiFilippo. 'However, many companies have only recently begun to understand the types of costs and value associated with compliance efforts. We expect more aggressive monitoring as companies examine the effectiveness of their compliance approach.'

Remediation Efforts Expected

According to the survey, 79 percent of surveyed executives say their company must make improvements in order to comply with Section 404 of Sarbanes-Oxley, which requires companies to file a management assertion and auditor attestation on the effectiveness of internal controls over financial reporting. Among areas needing remediation:

-- Financial processes: 55%
-- Computer controls: 48%
-- Internal audit effectiveness: 37%
-- Security controls: 35%
-- Audit committee oversight: 26%
-- Fraud programs: 24%

Process Improvements for Future Compliance

Looking ahead, 93 percent of executives expect their company to launch process improvement initiatives to streamline future Sarbanes-Oxley compliance. Among areas cited:

-- Financial reporting: 63%
-- Risk identification and assessment: 61%
-- Risk mitigation: 55%
-- IT security strategy and implementation: 55%
-- Internal audit: 55%
-- Compliance management: 54%
-- IT oversight and operations: 45%

'Companies recognize the need to make improvements in order to comply with the requirements of Sarbanes-Oxley,' said DiFilippo. 'When executives are confident that they are in compliance, many will want to find ways to streamline business processes and make future compliance less difficult.'"

14 July 2004

Keeping Data Under Lock & Key

Keeping Data Under Lock & Key:

By Gregory J. Millman

July/Aug. 2004 (Financial Executive) -- In the fall of 2003, discount airline JetBlue hit heavy weather when a group of passengers filed a class action suit charging breach of contract, invasion of privacy and fraudulent misrepresentation. The reason? The airline had shared passenger information with a government contractor who was preparing a risk assessment study for the Department of Homeland Security.

'In the wake of the Sept. 11 attacks, and as New York's hometown airline, all of us at JetBlue were very anxious to support our government's efforts to improve security,' JetBlue CEO David Neeleman said in an apology posted on the company's Web site.

But JetBlue wasn't alone -- Northwest Airlines and American Airlines faced similar lawsuits. 'There are some indications that the law may not treat handing over that information as a violation of privacy, but these companies have already suffered a fair amount of loss of brand value from the flap,' says Stewart Baker, a Washington, D.C.-based partner in the law firm Steptoe & Johnson.

Only in America, perhaps, can a company get in trouble for sharing information with the government itself. But as the memory of 9/11 recedes, privacy rights and suspicion of the government once again seem to trump security concerns in the minds of many Americans. And companies are finding that privacy laws are confusing, frequently costly and ripe for misinterpretation.

A 2003 Privacy Trust Survey by The CIO Institute of Carnegie Mellon University and the Ponemon Institute asked Americans to rank various institutions, companies and professions in terms of their trustworthiness with personal information. Respondents ranked the Department of Homeland Security second from the bottom -- just ahead of grocery stores, but behind other retailers. What's more, hundreds of lawsuits have been filed against companies that allegedly violated privacy rights while obtaining, using or sharing information. 'The latest figure is $125 million recovered in lawsuits from companies,' says Dr. Alan Westin, Professor of Public Law & Government Emeritus at Columbia University and President and Publisher of Privacy & American Business.

Many companies are struggling just to keep up with the proliferation of privacy-protection measures. 'We have scores, maybe thousands, of laws in the United States on the federal and state level, as well as millions of contracts and as many if not more informal or administrative requirements based on letters from government agencies,' notes Alan S. Goldberg, a Washington-based attorney and former president of the National Health Lawyers Association. A study by IBM and the Ponemon Institute found that some companies spend over $22 million annually on privacy. "

Tripwire_21_CFR11

Tripwire_21_CFR11

The U.S. Food and Drug Administration (FDA) has issued a set of regulations, collectively called 21 CFR11, that provide criteria for acceptance of electronic records and electronic signatures as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, are intended to permit the widest possible use of electronic technology, compatible with the FDA’s responsibility to promote and protect public health.

Though electronic submissions are currently optional, the FDA is paving the way, with 21 CFR11, for routine and eventually mandatory submission of clinical trial records electronically. The 21 CFR11 provides in-depth guidelines and criteria for ensuring authenticity and integrity of digital records, and for documenting and validating authorized change processes to systems and software involved in the creation of digital records. The common goal is the ability to discern invalid or altered records and, conversely, to assure accuracy, reliability and validity of electronic records and signatures. Typical FDA regulated activities that can accept 21 CFR11-compliant validated electronic records and signatures include new drug applications (NDAs), medical product license applications (PLAs) and biologics license applications (BLAs).

Tripwire® Integrity Management solutions are a natural fit for organizations that want to use electronic submissions and signatures in compliance with 21 CFR11. Tripwire software enables trust in information technology (IT) and data validation by establishing a baseline of your systems and data in their known good state, and detecting any change from that trusted state.

The trust and validation of electronic data enabled by Tripwire software is so fundamental that it transcends specific industries and regulations, and, yet, satisfies several key comments found in 21 CFR11. In this paper, we will detail which guidelines of the 21 CFR11 are supported by Tripwire software, and how Tripwire software takes a snapshot of what data looks like in its desired state. The software then monitors for differences from the baseline snapshot to see if anything has changed. If change is detected, the administrator is quickly notified and an auditable record is kept. Tripwire software then reports details on which files were added, deleted or changed.
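The baseline-and-diff approach described above is the core of any file integrity monitor. The following Python script is an added example written for this page, not Tripwire's own code: it hashes every regular file under a directory with SHA-256 (recording size and permission bits alongside the digest), stores that as the trusted baseline, and on a later run reports which files were added, removed or changed. The sample "clinical trial" files and the directory layout are constructed for the demonstration; the function names (`snapshot`, `compare`, `demo`) are my own. Note that the comparison deliberately ignores timestamps, so a record whose content is altered in place (same length, only the bytes differ) is still flagged, while a file that is merely touched is not.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large records do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline of a tree: relative POSIX path -> {sha256, size, mode} for each regular file.

    Symlinks are skipped so a link swapped to point at another file cannot masquerade
    as an unchanged record; mtime is intentionally not recorded (it is trivially forged).
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three categories an auditable report needs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def write_baseline(baseline: dict, out_path: Path) -> str:
    """Persist the baseline as canonical JSON and return its own SHA-256.

    Record that digest somewhere the monitored host cannot write to (e.g. the audit
    trail); a baseline that an attacker can silently regenerate proves nothing.
    """
    data = json.dumps(baseline, sort_keys=True, indent=2).encode()
    Path(out_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Build a constructed record tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        # Constructed sample electronic records (hypothetical content, not real data).
        (root / "records" / "trial-001.xml").write_text("<record id='1'>dose=10mg</record>\n")
        (root / "records" / "trial-002.xml").write_text("<record id='2'>dose=20mg</record>\n")
        (root / "app.cfg").write_text("audit_trail=on\n")

        baseline = snapshot(root)
        write_baseline(baseline, root / "baseline.json")

        # Simulated tampering after the baseline was taken:
        #  - same-length edit to a record (size check alone would miss this)
        (root / "records" / "trial-001.xml").write_text("<record id='1'>dose=50mg</record>\n")
        #  - configuration file deleted
        (root / "app.cfg").unlink()
        #  - new record introduced outside the validated process
        (root / "records" / "trial-003.xml").write_text("<record id='3'>dose=30mg</record>\n")
        #  - timestamp-only touch, which must NOT be reported as a change
        os.utime(root / "records" / "trial-002.xml", (0, 0))

        current = snapshot(root)
        # Exclude the baseline file we wrote ourselves from the comparison.
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly and the report lists trial-003.xml as added, app.cfg as removed and trial-001.xml as changed, with trial-002.xml absent despite its new timestamp. In production the baseline must be taken from a known good build and stored off-host, and the comparison run on a schedule from a process the monitored system cannot alter.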

13 July 2004

Director's Cut

Board members are turning to specialized software to help manage their affairs.


John P. Mello Jr.,
CFO Magazine

Board membership may have its privileges, but in this era of increased regulatory scrutiny, it also has its risks. This is not to say that sitting on a board of directors is a bad gig. Serving on a board remains one of the most effective ways for executives to network. It can offer rewarding work to those who have decided to step back from full-time jobs. And despite the hue and cry over executive compensation, board members get paid handsomely for their efforts: directors at larger companies typically rake in more than $100,000 in annual total compensation.

Still, these days they earn it. The Enron scandal initiated a new level of liability concerns; the Sarbanes-Oxley Act of 2002 (Sarbox) effectively multiplied the workload for any director willing to take on the job. Meetings are longer and more frequent. And it's arguably toughest for CFOs, who almost inevitably end up on the audit committee of the boards they join.

Longer meetings and heftier reading loads can create real headaches for directors. In some instances, just coordinating the topics for committee meetings can be a pain. Tom Lienhard, who serves on two boards, knows the problem only too well. 'Everyone is very busy, so our work carries over from month to month,' he says. 'Every month we have the same thing on our agenda. It drives me nuts.'

To address this vexation, Lienhard's boards (including the Ronald McDonald House Charities of Spokane, Wash.) recently installed an online software package called Director's Desk. The program, which is designed specifically for board and committee members, is intended to solve many of the logistical problems directors encounter. Using the software, for example, executive-committee members can conduct meetings online. Says Lienhard: 'We've actually been able to get a lot more done in less time.'

Director's Desk is one entry in an emerging category of software aimed at streamlining board communication and increasing board interaction. Some of these programs, including BoardVantage as well as Director's Desk, provide virtual meeting places for board members, along with specialized document management and communication tools. Others, like the suite from The Board Institute, based in Phoenix, help directors assess their own performance. Bret Beresford-Wood, CEO of Director's Desk Corporate Governance Services, in Post Falls, Idaho, believes the board-software market is set for a takeoff. 'In three to five years, a majority of companies will have some form of board-management system.'

Is This Anything?
The argument is that using IT to enhance board communication is a logical extension of current practice. 'Many CEOs communicate via letter to board members in odd months,' says Jay Lorsch, a professor at Harvard Business School and co-author of Back to the Drawing Board: Designing Corporate Boards for a Complex World. In fact, Lorsch is such a believer that he works with a company that is developing software to enhance board communication. 'Technology can provide a valuable way for board members to stay plugged in,' he says.

'If board members are inclined to communicate with one another, then these platforms will serve a great purpose,' predicts Stuart Robbins, executive director and founder of The CIO Collective, an organization for IT executives, in Oakland, Calif.

But some wonder if board software is more hype than help. Nell Minow, editor of The Corporate Library, a corporate-governance research firm in Portland, Maine, isn't sure the stuff is even necessary. 'There's nothing in this software that can't be accomplished through conventional communication and password-protected Websites,' she says.

Further, the cost of the programs, while cheap by enterprise-software standards, might spook finance chiefs at smaller companies. BoardVantage, for example, charges $2,000 to $4,000 per user per year.

Better communication seems to be the big selling point of board software, experts say. Both Director's Desk and BoardVantage offer secure E-mail and document management in a hosted environment. The feature can come in handy, since labor disputes and takeover bids don't necessarily crop up while board meetings are in session. 'Board members need to respond to issues as they arise,' asserts Tim Hampson, a marketing consultant with Menlo Park, Calif.-based BoardVantage. 'They need to communicate in a secure manner outside those meetings.'

12 July 2004

RealEstateJournal | Landlords and Tenants Disagree on Priorities

By SHEILA MUTO
Staff Reporter of The Wall Street Journal

From The Wall Street Journal Online

Talk about being out of sync with your clientele.

Accounting and advisory firm J.H. Cohn LLP recently surveyed a group of mostly developers and landlords in New York and New Jersey, asking them to, among other things, rank four factors -- technology, life-safety systems, high-end finishes and security -- in the order they believe are important in attracting tenants.

New York respondents ranked building security as the most important factor, while New Jersey respondents put high-end finishes first. Both New York and New Jersey respondents put life-safety systems -- which include fire alarm, sprinkler and communications systems -- at the bottom. Robert DeMeola, the partner in charge of J.H. Cohn's real-estate services group, which conducted the survey, says he was 'so surprised' that all respondents ranked technology and high-end finishes as more important than life-safety systems.

To determine whether the group of 59 respondents were out of touch or simply had 'short memories' of what happened on Sept. 11, 2001, Mr. DeMeola decided to pose the same question in an informal telephone survey to a handful of major tenants that recently leased space in Manhattan. (His group plans to conduct a formal survey of tenants.)

The result: The tenants deemed life-safety systems followed by building security as the most important of the four factors.

There's 'a disconnect between landlords and tenants,' says Mr. DeMeola. The results make clear that 'before landlords put a waterfall in the building, they should be putting in extra security' measures and 'upgrading life-safety systems and emergency lighting,' he says. Landlords are 'precluding a lot of the higher-end tenants' from their buildings if they don't.

Assessing Your Storage and Backup for Regulatory Compliance

By Ken Barth

The complicated nature of data management makes backups a crucial issue for I.T. In general, users are concerned about protection from data loss and the risk of being non-compliant. Current backup methods leave crucial data at risk, many organizations fear.

Compliance is one of the most talked-about issues in data management in recent years. As deadlines for federally mandated programs loom near, the issue is becoming more and more important.

Yet, despite all of the discussion and buzz, few organizations have actually implemented a compliance plan as part of their business operations. Perhaps the greatest stumbling block to devising and rolling out compliance plans is a widespread and high degree of confusion as to what the various regulations and legislation require, and the actions and activities that organizations must take in order to be in compliance with those regulations.

The challenges facing I.T. managers seem never-ending in the consistently and rapidly changing world of technology. The issue of regulatory compliance adds another murky, albeit important area of concern. The term 'compliance' is an umbrella term that has come to cover the recent spate of federal and state regulatory legislation dictating how organizations must retain and preserve their vast stores of data.

The impact of such legislation is bound to be widespread, affecting most of corporate America. Furthermore, the confusion over compliance initiatives, their cost, and their potential impact stems from the lack of clearly defined guidelines. In fact, the very term itself continues to grow and expand in what it encompasses.

As it stands, regulatory compliance legislation directly affects private and public companies, particularly those in regulated industries such as government, finance, and health care. In addition, many organizations have come to realize the importance of data as an asset for business operations and continuity. The result is I.T. departments facing new and developing compliance requirements for security and data retention set by their own organizations.

Central to the whole issue of regulatory compliance are three questions:

What data types are subject to archiving?

How long does that data need to be stored and accessible?

What do organizations need to do in order to be compliant?

While there are numerous pieces of legislation that deal with data retention, including the Health Insurance Portability and Accountability Act (HIPAA) of 1996, The Gramm-Leach-Bliley Act (GLB) also known as the Financial Modernization Act of 1999, and the Uniform Electronic Transactions Act (UETA) of 1999, probably the most talked-about and anxiety-producing is the Sarbanes-Oxley Act of 2002.

Sarbanes-Oxley was signed into law by the current President Bush following such high-profile corporate scandals as Enron, Tyco and WorldCom as an attempt to correct problems in the way organizations had been reporting their financial information. Sarbanes-Oxley states what records an organization must archive and for how long those records must be stored (all business records must be saved, including electronic messages, for at least five years and possibly longer).

It does not offer a set of business practices or guidelines on how organizations are to store records, leaving I.T. managers to create archiving programs and procedures that both fulfill the requirements of Sarbanes-Oxley and fit within their budgets. Failure to meet the mandated Fall 2004 deadline for compliance carries severe penalties.

09 July 2004

What's under the business continuity umbrella?

Although the need to implement business continuity management processes is understood by the majority of organisations, there is much variation in what is actually included under the auspices of 'business continuity'. Continuity Central recently conducted a survey amongst the readers of the website to discover what the trends are in this area.

Respondents were asked to indicate what areas of activity were the responsibility of the business continuity function / department in their organisation. The full results are presented in the table below.

Activity                                                          Percentage saying that this was a business continuity responsibility
--------------------------------------------------------------------------------------------------------------------------------------
Business impact analysis                                          93.5%
Testing and exercising the business continuity plan               92.1%
Crisis management                                                 84.9%
Training and awareness raising amongst non-business continuity staff  84.9%
Training business continuity staff                                78.4%
Crisis team building and development                              75.5%
Risk assessment                                                   74.8%
IT disaster recovery planning                                     71.9%
Crisis communications planning                                    69.8%
Auditing of own business continuity plan                          65.5%
Risk awareness culture development                                59.7%
IT disaster recovery solution design                              50.4%
Liaison with local authorities                                    50.4%
Operational risk management                                       48.2%
Auditing of supplier business continuity plans                    46.0%

08 July 2004

AIA: Momentum Grows to Extend Terrorism Insurance Law

New legislation authored by several House Democrats to extend the Terrorism Risk Insurance Act of 2002 (TRIA) demonstrates strong, bipartisan congressional support for keeping TRIA's temporary, yet vital, economic safety net fully in place while long-term solutions are being evaluated, the American Insurance Association (AIA) said Thursday.

TRIA secures virtually every sector of the U.S. economy against catastrophic terrorist attacks by making sure that businesses of all sizes and types can purchase commercial insurance that covers losses resulting from terrorist attacks.

'Momentum is building on both sides of the political aisle and on both sides of Capitol Hill to extend TRIA this year,' Leigh Ann Pusey, AIA's senior vice president of government affairs, said. 'The House majority's 'Terrorism Insurance Backstop Extension Act of 2004' (HR 4634) and the Democrats' bill (HR 4772) clearly show that members of Congress want to devote significant energy to this issue this year.'

According to AIA, TRIA is a three-year, public-private risk sharing mechanism that has worked well, enabling the commercial insurance marketplace to function even though the very real threat of further catastrophic terrorism remains.

COMMENT:
=================================================
While extending TRIA is crucial to getting the marketplace stabilized for the long haul, there may be a new risk on the horizon. By purchasing Terrorism Risk Insurance, REITs and other property owners may think they are off the hook when it comes to hedging this specific type of risk. Nothing could be farther from the truth. Without clear evidence that landlords are preparing their tenants and staff for potential loss events of any magnitude, they face one of the greatest of Operational Risks: legal liability and loss of reputation. There is much more to the mosaic of risk management than just purchasing an insurance policy. Let's just hope that the entities involved are encouraging their respective staff and tenants to become more proactive, preventive and relevant when it comes to the Operational Risk Management of their critical infrastructures.

07 July 2004

Storage: Compliance Cuts Across Industries, Storage Products

By Mark Ferelli
CRM News

Ever since the large corporate scandals involving Enron, WorldCom, and the like, new government regulations are entering the business world. Many in the mass-storage world see many of these regulations as saviors from the business strains created by cuts in capital spending in enterprise IT.

It is true that compliance requirements with new federal and state regulations will result in more capital spending in storage hardware, software, automation, architectures and services. More records will be retained than ever before, and the impact will touch both structured data like databases and unstructured data like e-mails and instant messages.

What the Laws Look for

The various regulations are almost never specific on technology; they are more involved with such things as dates. For example, many of the new regulations require companies to retain records for 2 to 10 years or more, and to retrieve records quickly at a regulator's request. Other regulations require systems to keep secure audit trails of changes and deletions or to prevent changes or modifications to archived data. Audit trails will be nothing new for many corporations, since their own auditors demand such safeguards. These rules show immediate requirements for storage hardware that will meet the government's test of time as well as sophisticated software for indexing, tracking, archiving, backup and retrieval.

In point of fact, the demand for reliable storage will increase for a cultural reason as well. Very few end users want to take the time or effort to decide which files to delete, so they save everything. No one gets fired for saving everything, but you take a risk when you decide to press the "delete" key.

Financial Services

The securities trading industry now has some of the most stringent regulatory requirements for record retention and data storage, particularly under SEC Rule 17 for broker-dealer operations. These high-profile requirements have inspired the architectural concept of the "compliance engine."

SEC rules and interpretations were initially focused on the creation and retention of hardcopy records (paper or microfiche). However, hardcopy records and manual processes did not keep pace with the speed and information requirements of today's global markets and trading operations. High-speed, accurate throughput is a requirement instead of an option. Hence the development of a variety of data processing tools, both off-the-shelf and proprietary.

Health Care

The Health Insurance Portability & Accountability Act [HIPAA] (Public Law 104-191, 110 Stat. 1936 [1996]) addresses a variety of health care reforms. Title II, subtitle F addresses "administrative simplification" and covers healthcare plans, healthcare clearinghouses that provide healthcare transactions and healthcare providers. Unlike the financial services laws, HIPAA drills down into small medical practices, medical billing areas, pharmaceutical firms and more.

Failure to comply would have the offender face significant financial, legal and business penalties including criminal prosecution. Best security practices require traditional front-end security methods such as physical access controls, data network transport protection, host defenses, system and applications authorization, and security policy. This layered defense model must extend to backend storage preventing unauthorized access to data-at-rest.

But HIPAA's impact reaches across key concepts in mass storage and storage management. Storage consolidation, storage pooling on tape media, data stored remotely, data in motion and stored information leveraging third-party services have access vulnerabilities that affect compliance efforts.

PHI (protected health information) controls dictate where and how the data can be stored and used. PHI data protection often has related management, training, data classification and infrastructure costs that can be significant.

There are many different types of regulatory compliance issues facing storage administrators and systems integrators today. The pacing concern is that organizations are in need of a cost-effective solution that provides synchronous levels of protection with no distance limitations and with no application degradation. The hard fact is that compliance issues will be added to everyday storage issues in installations of various sizes from the SMB to the enterprise. And make no mistake, effective management of storage is crucial to meeting compliance issues and day-to-day operations.

06 July 2004

iPod is latest security risk for business, say analysts

from Silicon.com on Tuesday, July 06, 2004
Article ID: D149172

Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data, according to an analyst.

Small portable storage products can bypass perimeter defenses like firewalls and antivirus at the mailserver, and introduce malware such as Trojans or viruses onto company networks, claimed analyst house Gartner in a report issued this week. Analysts have warned for some time of the dangers of using portable devices, but the report points out these also now include 'disk-based MP3 players, such as Apple's iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.'

Another potential danger is that the devices - that typically make use of USB and FireWire - could be used to steal large amounts of company data as they are faster to download to than CDs. Also the size of the portable devices means they can be easily misplaced or stolen.

Gartner advises that companies should forbid the use of uncontrolled, privately owned devices with corporate PCs and adopt personal firewalls to limit what can be done on USB ports.

'Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB 'keychain' drives. This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation,' the report stated.


Copyright 2004 CNET Networks, Inc.

COMMENT:
==================================================
We hope this message is clear. If not, see the movie "The Recruit".

02 July 2004

“Managing Risk for Corporate Governance” – A 1SecureAudit Education Series

By Peter L. Higgins

Corporate Directors are responsible for Continuous Continuity of the Enterprise

The modern enterprise today that understands the myriad of potential threats to its people, processes, systems and structures stands to be better equipped for sustained continuity. A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, opens the door to a Board of Directors' worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated altogether.

According to the best practices from several sources, the Board of Directors is responsible for the BCCM of an organization. The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

· Table-top testing: Discussing how business recovery arrangements would react by using example interruptions

· Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles

· Technical recovery testing: Testing to ensure information systems can be restored effectively

· Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location

· Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions

· Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions

The best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.


Having survived several large quakes in Southern California in years past, I’m not sure that all of the testing in the world can prepare people for human behaviors that come from within. People literally lose all sense of common sense when you are on the 42nd floor of a 50-plus-story skyscraper and without any warning it physically sways a couple of feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people.

Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and twister scenarios. These large catastrophic external loss events have been insured against, and the premiums are substantial. What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

Visit: 1SecureAudit

01 July 2004

Coast Guard to inspect all foreign ships

BY THOMAS FRANK
WASHINGTON BUREAU

BAYONNE, N.J. -- The Coast Guard launched an ambitious maritime anti-terrorism program Thursday when it started inspecting every foreign ship coming to a U.S. port to make sure it has taken steps to improve security.

Ships that fall short of international standards could be barred from U.S. ports, or allowed in under Coast Guard escort and forced to hire security guards while docked.

In addition, the Coast Guard will soon begin inspecting ports in 135 countries to evaluate their security. Ships that have docked in ports found to have weak security could be barred from the United States or subject to increased Coast Guard scrutiny that would delay their arrival and add costs.

Experts fear the inspections could isolate nations -- most likely poor ones -- with weak port security by blocking their exports to the United States.

'The Coast Guard can effectively bankrupt a country by barring its ships,' said Kim Petersen, president of SeaSecure Inc., a maritime security consultant, and executive director of the Maritime Security Council, a shipping industry group.

The inspections are tied to an international maritime treaty proposed by the United States shortly after the Sept. 11 attacks to create the first worldwide security standards for ships and ports.

Each of the 147 countries that signed the treaty in 2002 must certify that its ports and the ships registered there comply with the International Ship and Port Facility Security codes.

The codes, which took effect Thursday, require such measures as fencing and security guards at ports to control access. Ships must restrict who gets on and enters areas such as the bridge and engine room, and must have a security officer.

Policy Issues - SAFECOM Program

What is the problem? – When public safety personnel cannot talk to each other by radio at the scene of an accident or a disaster, the problem often reflects lack of coordination and partnerships. Public safety agencies sometimes feel reluctant to coordinate or share communications systems because of "turf issues." Elected and appointed officials often do not fully understand the vital role interoperable communications play in protecting life and property. Local, tribal, state, and federal agencies generally lack opportunities to share experiences, develop common approaches, and identify best practices.

What has been done? – Government agencies at all levels are increasingly developing partnerships to support shared communications systems that improve interoperability, lower costs, and feature shared management and control. States are also beginning to establish executive-level committees to lead efforts to address interoperability issues.

What remains to be done? – Information about the benefits of coordinated communications should be broadly and actively shared at all levels. Local, tribal, state, and federal agencies should form working groups or executive committees to coordinate interoperability activities, and government leaders should work with these groups by issuing appropriate policies or executive orders. Associations that represent government officials or public safety executives should commit themselves to supporting and working for interoperability. All of these groups can use Public Safety WINS: Wireless Interoperability National Strategy to pursue solutions to the technical and policy challenges to improving interoperability.

Public Safety Coordination and Partnerships Awareness Guide