25 February 2005

The Modern Day "Bonnie and Clyde"...

As Bank of America now joins ChoicePoint to try and explain the theft of not just thousands but millions of data records, one has to wonder. Does the modern "Bank Robber" need a mask and a weapon to pull off a six figure heist?

Not so according to some of the latest operational risk losses by major financial services institutions. The modern day "Bonnie and Clyde" only needs to purchase one of the latest downloads from the Internet to create a portfolio of bait for a contemporary "Phishing" expedition. Or in the case of B of A, a supplier who seems to have lost a few data tapes on their way to a secure location.

If it isn't apparent already, the real issue here is the lack of controls and auditing of the supply chain of outsourced services or the key lego blocks in the Enterprise Architecture.

Sen. Charles Schumer, a New York Democrat, said he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

"Whether it is identity theft, terrorism or other theft, in this new and complicated world, baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," Schumer said.

Bank of America, based in Charlotte, North Carolina, said it will continue to monitor government cardholder accounts included on the data tapes and cardholders would be contacted if unusual activity is detected."

It won't be long before the Privacy Advocates give way to the reality that it's time to seriously revisit authentication beyond today's US norms.

One of the key drivers behind the push to take up biometric technologies is that governments are beginning to mandate that biometric identifiers such as facial images and fingerprints be used in official documents, including passports. And biometrics is also seen as essential for the provision of e-government services to citizens to ensure accurate authentication to prevent fraud.

However, in the long term, biometrics, by their very nature, will compromise privacy in a deep and thorough fashion. If and when face-recognition technology improves to the point where surreptitious cameras can routinely recognise individuals, privacy, as it has existed in the public sphere, will in effect be wiped out. No doubt there will be some benefits: fraud, in particular the persistent and increasingly annoying problem of identity theft, might be substantially reduced if biometric-identification systems, introduced in the form of passports, visas and identity cards, become widespread. But privacy advocates argue that such benefits are not worth the risk of “function creep”—that once biometric passes have been issued by governments, it will be tempting to use them for all sorts of things, from buspasses to logging on to your office PC.
See the Economist to see what the experts were thinking two years ago.

This of course won't have much impact on the savvy baggage handlers who are now becoming this generations equivalent of "Bonnie and Clyde".

23 February 2005

Why just having a Disaster Recovery Plan is not enough!

Association of Contingency Planners | Washington DC Chapter | February Chapter Meeting

Disaster Recovery Plans are only part of the picture! Do not forget your most important asset – your employees! In the fast moving readiness wave of global assurance and operational contingency, there is an important element missing from many plans. They are all predicated on having the key people actually surviving the disaster. Shouldn’t you be just as concerned with getting through the disaster when and as it occurs? Remember, in large-scale disaster, the professional rescuers may be hours or even days away from responding.

"FEMA defines an emergency as related to businesses as “any unplanned event that
can cause deaths or significant injuries to employees, customers or the public; or that can shut down your business, disrupt operations, cause physical or environmental
damage, or threaten the facility’s financial standing or public image.”

Obviously, there are many events that can be classified as emergencies. Of primary importance is creating a plan for dealing with various types of emergencies that may happen to your business. While you may not initially plan for every type of emergency, it is prudent to at least plan the likely scenarios and always try to improve your emergency response to other scenarios over time. This requires an “All Hazards” approach to your preparedness and response. All hazards planning are a clear step in the process of making sure your organization can survive an emergency event. All hazards planning include operational risks dealing with people, processes, systems and external events.

22 February 2005

NFPA 1600: Are you Ready?

NFPA 1600 Included in the Intelligence Reform and Terrorism Prevention Act of 2004 Senate Bill : S.2845

Passed by the U.S. Congress and signed into law by the President on December 17, 2004 (Public Law 108-458)

Intelligence Reform and Terrorism Prevention Act of 2004 (Enrolled as Agreed to or Passed by Both House and Senate) SEC. 7305. PRIVATE SECTOR PREPAREDNESS.

(a) FINDINGS- Consistent with the report of the National Commission on Terrorist Attacks Upon the United States, Congress makes the following findings:

(1) Private sector organizations own 85 percent of the Nation's critical infrastructure and employ the vast majority of the Nation's workers.

(2) Preparedness in the private sector and public sector for rescue, restart and recovery of operations should include, as appropriate--

(A) a plan for evacuation;

(B) adequate communications capabilities; and

(C) a plan for continuity of operations.

(3) The American National Standards Institute recommends a voluntary national preparedness standard for the private sector based on the existing American National Standard on Disaster/Emergency Management and Business Continuity Programs (NFPA 1600), with appropriate modifications. This standard establishes a common set of criteria and terminology for preparedness, disaster management, emergency management, and business continuity programs.

(4) The mandate of the Department of Homeland Security extends to working with the private sector, as well as government entities.

(b) SENSE OF CONGRESS ON PRIVATE SECTOR PREPAREDNESS- It is the sense of Congress that the Secretary of Homeland Security should promote, where appropriate, the adoption of voluntary national preparedness standards such as the private sector preparedness standard developed by the American National Standards Institute and based on the National Fire Protection Association 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.

See NFPA 1600

21 February 2005

ID Theft: SB-1386 on it's way West...

The latest ID Theft scandal with ChoicePoint is just the "Tip of the Iceberg".

The reputational losses will soon be felt as firms like Lexis Nexis pick up accounts from the fall out of this unfortunate criminal act. "Social Engineering" and plain old fraud will continue to haunt the companies who make it there job to know who we are, right down to the places we eat and where we shop.

If you get the warning letter from Choicepoint that you are one of the 145,000 people whose identity could be compromised, what are you going to do?

Disclosure of the incident was required under California's SB-1386,which took effect July 1, 2003. According to the law, any state agency, person, or business that does business in California and owns or licenses electronic data that includes personal information, is required to disclose any data security breach to California residents whose unencrypted personal information may have been accessed by an unauthorized person.

Last year, according to the Federal Trade Commission, consumers reported fraud losses of more than $547 million. Internet-related fraud accounted for 53% of all reported fraud complaints. According to the Better Business Bureau, 9.3 million Americans were victims of identity-theft fraud in 2004.

These are operational risks that not only the financial and health care institutions are responsible for mitigating, but also the Data Information Brokers who sell and share our identities to direct marketing firms. Remember that there really is only one way to keep yourself protected. Constantly monitor your identity and the details that exist in these companies databases. Make sure it is accurate. Put alerts on your account for suspicious activity. Consider using your middle initial or entire middle name when opening new accounts. This will help you differentiate yourself from every one else who shares your same first and last name.

Finally, review the security and privacy policies of your most trusted institutions. You will be amazed at what you have already accepted them to do with your personal information.

17 February 2005

DNI: Gods Speed...

President Bush on Thursday named his top representative in Iraq John Negroponte as the new DNI or director of national intelligence, a position created as part of the investigation into the Sept. 11, 2001 attacks.

The role of national intelligence chief emerged an investigation into lapses before the Sept. 11 attacks prompted Congress to overhaul the nation's intelligence efforts in 50 years. As part of the Intelligence Reform and Terrorism Prevention Bill of 2004 and in response to what members saw as failures in communication between the country's intelligence agencies, Congress called for one position to direct national intelligence.

The new position will oversee 15 agencies including the CIA, according to Reuters, and as its chief Negroponte will be charged with giving the president daily intelligence briefings.

"If we're going to stop the terrorists before they strike, we must ensure that our intelligence agencies work as a single, unified enterprise," the president said.

If we are forecasting a terrorist strike in the US as Porter Goss and company are predicting, then Mr. Negroponte has accepted the job between a "bomb and a hard place."

In a Senate Intelligence Committee hearing, CIA Director Porter Goss said the United States still faces threats from Islamic extremists groups such as al Qaeda, who are using the war in Iraq to recruit terrorists from around the world.

With an annual budget estimated at $4 Billion, we are going to eventually find out why all of the intelligence in the universe will not prevent another attack on the American Homeland. In the mean time, the private sector itself should be spending more time and money on preparing their respective employees, suppliers and stakeholders in the event of another attack on our economy. If business waits for government to protect its assets, critical infrastructure or overall well being, business will again be disappointed if and when an attack occurs.

If you are the CEO or Chairman of the Board, what are you going to do to protect your people, processes, systems and supply chain assets from an event as predictable as the next major earthquake? It's only a matter of when. Not what or how.

As President Bush so kindly stated to John Negroponte today at the press conference podium: "Gods Speed".

16 February 2005

Operational Risk: Outsourcing

BIS has a white paper on outsourcing in the Financial Services Sector

Case study 4: OCC action against a bank and service provider

In 2002, the Office of the Comptroller of the Currency (OCC) in the USA took enforcement action against a Californian bank and a third-party service provider to the bank. The service provider originated, serviced, and collected certain loans booked by the bank in 18 states and the District of Columbia. Among other things, the service provider failed to safeguard customer loan files. The files, which represented loans carried on the books of the bank, were discarded in a trash dumpster in 2002.

The OCC alleged that the improper disposal of loan files resulted in violations of laws and regulations. The OCC also determined that the service provider committed unsafe and unsound practices that included a pattern of following the policies and procedures of the bank and a pattern of mismanagement of the bank's loan files. This case demonstrated the risks national banks expose themselves to when they rent out their charters to third-party vendors and fail to exercise sound oversight.
In the case of the bank, the OCC found that it failed to manage its relationship with the service provider in a safe and sound manner. In addition to violating the Equal Credit Opportunity Act and the Truth in Lending Act, the bank violated safety and soundness standards and also violated the privacy protections of the Gramm-Leach-Bliley Act, which sets standards for safeguarding and
maintaining the confidentiality of customer information. These violations and unsafe and unsound practices led to a cease and desist order against the bank. The order required the bank to pay civil money penalties and to terminate its relationship with
the service provider.

The service provider also paid a sum in penalties and was ordered to not enter into any agreement to provide services to a national bank or its subsidiaries without the approval of the OCC. To protect the privacy rights of consumers, the order also required the bank to notify all applicants whose loan files were lost. This notification was to advise the consumer of any steps they could taketo address potential identity theft.

15 February 2005

Relief for the "A" word...

The thought of the "A" word (Audit) brings shortness of breath to many in executive management these days. As this Audit Agitation continues to occur, many corporate managers are welcoming their next audit. As this anonymous CSO so clearly states:

What do you do when your customers want you to do an independent security audit—and your CEO doesn't?

Whether your CEO is backing any initiative to improve the performance of the enterprise they still want to know what it really means to the organization. In this case, the CSO uses the fact that customers are asking for it. And because the customer is the almighty entity to serve and listen to, then we must have to comply.

While customers do provide the core catalyst for many corporate projects, the first priority is to make sure that you select the correct solution for what your customer is really asking for. In the case of a customer asking for a SAS 70, many uninformed CEO's would respond with a large question mark above their head.

For those who don't know, a SAS 70, or Statement on Auditing Standards No. 70, is an internationally recognized standard developed by the American Institute of Certified Public Accountants. A SAS 70 audit represents that an IT services provider (for example, a financial services organization) has been through an in-depth audit of its control activities, which generally include information technology, security and related processes. The Sarbanes-Oxley Act of 2002 makes SAS 70 audits even more important to the process of reporting on effective internal controls at IT services organizations. That's because the reports signify that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm, as Section 404 of Sarbanes-Oxley requires.

All of the SAS 70 audits will never change the culture or the skills of the people who are responsible for the areas of the organization that a SAS 70 audits. In many cases, the fear is that there will be so many "red lights" at the end of the examination that they will not get a favorable opinion letter. One way to avoid this potential hazard, is to inject the organization with a management system far in advance of the SAS 70 audit. A good example is the BS 7799 Information Security Code of Practice.

A brief history of BS 7799

In the early 1990s concern was growing about the security of information due to the proliferation of computer networks and the reliance of businesses on electronic data collection and processing. Security threats to organisations include fraud, espionage, sabotage, vandalism, fire, flood, computer hacking and computer viruses. The concern of the UK government’s Department of Industry (DTI) led them to ask BSI to work with businesses and other concerned communities to develop a standard that would increase awareness of security issues and suggest controls to help protect information within all types of organisations in the UK.

BS 7799 was originally published in 1995 to give guidance on implementing Information Security Management and was substantially revised in April 1999 to take account of developments in the application of information processing technology, particularly in the area of networks and communications. It also gave greater emphasis to business involvement in and responsibility for information security. New controls were included in areas such as e-commerce, teleworking, mobile computing and so on but remained technology-independent.

Against this backdrop was the implementation of the revised UK data protection legislation, the 1998 Data Protection Act, which includes increased obligations on organisations to adopt appropriate data security measures. The objective of this is to prevent unauthorised or unlawful processing and accidental loss or damage to data that relates to living individuals. The new legislation has been extended to include non-computerised, or manual, records. Material held in filing cabinets, index cards, microfilm collections and videotape collections are now also subject to the Act. Consequently, BS 7799 also covers security of all types of information, held both electrically and non-electronically.

By implementing a culture of risk management utilizing the published standards of BS 7799 the enterprise is not only becoming more prepared for the SAS 70, they are well on their way to achieving compliance with US and other Global standards. Relief for the "A" word is only a few key strokes away. See BSI

14 February 2005

Operational Risks are Taking Executives by Storm...

Executive Summary

There is a growing threat on the business horizon. The risk of loss from inadequate or failed processes, people, and systems or from external events is taking executives by storm. This definition of Operational Risk also includes legal risk, which is the risk of loss from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of institutions activities. In the course of a single day the organizational exposure to threats ranges from low to severe on the horizontal axis. It isn’t until you put the vertical spectrum into consideration that you arrive at your "Operational Risk Profile" for that particular slice of time. This vertical axis is the range of consequences that would impact the business should the threat event actually occur. It ranges from minor to disastrous. Each day our organizations live in a dynamic spectrum of tolerable and intolerable threats to our most precious corporate assets

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization. Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization was able to understand and perform the mission flawlessly, then the business could stay in the lower left quadrant. This is where the threat exposure is low and the consequences are minimal. This is exactly why you are spending less and less time here. Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly. If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.

10 February 2005

Why geolocation?

Quova has their act together when it comes to compliance and security issues for e-commerce.

The idea of the Internet as a borderless business realm, free of "real world" rules, has been exposed as a myth. While any company of any size can deploy an economic presence online, true e-commerce success has turned out to be a function of —and dependent on —the same business principles that determine success in the brick-and-mortar world. And one of those principles is geographic knowledge. Geolocation — knowing where the online customer is coming from — is as vital to e-commerce as the location of a store is to offline business operations. Consumers have distinct regional preferences based on where they live, and the online merchant must tailor his products, marketing strategy and messaging content to the customer’s language, currency and cultural priorities to earn his business — and his loyalty. Fraud is significantly higher in cyberspace, and the originating location of the transaction is a key indicator to its fraud risk. And both regulations and digital rights vary by jurisdiction, so the business-critical issue of compliance is heavily dependent on the geographic knowledge that can only be provided by a best-practice geolocation solution.

The knowledge that online fraud is frequently a geographically—based phenomenon, with 60% of fraudulent transactions emanating from just 15 nations, has provided a focal point for combating the problem. Leading companies in a variety of industries have incorporated Quova's GeoPoint as a key element in a "best practices" security solution for online fraud prevention. Quova has leveraged this experience to develop new sources of information and enhanced data analysis services specifically designed to protect against fraud and preserve assets and revenues. See Quova

08 February 2005

OREA: Operational Risk Enterprise Architecture

UBS has their own interpretations of Operational Risk and it's definitions. Of particular note is this:

Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external causes, whether deliberate, accidental or natural. It is inherent in all our activities, not only in the business we conduct but also from the fact that we are a business – an employer, owning and occupying property, and holding assets, including information, belonging to ourselves and our clients. Our operational risk framework is not designed to eliminate risk per se but, rather, to contain it within acceptable levels, as determined by senior management, and to ensure that we have sufficient information to make informed decisions about additional controls, adjustments to controls, or risk mitigation efforts.

Without an effective Operational Risk Enterprise Architecture (OREA) an institution is driving blind in a blizzard of incidents that increases their potential for losses and diminishes their performance. In order to make certain that you have sufficient information in order to make informed decisions, you must have a system. Not only a management system. But a software system to provide relevant and actionable intelligence.

When operational risk ‘events’ occur – actual failures of processes, people or systems – we assess their causes and the implications for our control framework, because an event such as a virus attack or a customer complaint, even if it does not lead to a direct or indirect financial loss, may indicate that our standards are not being complied with or that they are ineffective, and that remedial action must be taken. --UBS

OREA enables enterprises to establish a cohesive framework for enterprise risk management in their organizations. OREA is a management system supported by an enterprise software platform that enables organizations to automatically collect, manage and distribute real-time operational risk content. This includes homeland security alerts, business continuity policies, emergency response procedures, control standards, facilities and IT assets, baselines, threats/vulnerabilities and delivers education and awareness programs to customers, employees and partners.

In light of new global terrorist threats, government regulation, increasing investor scrutiny, continuous litigation and changing response to risk, the stakes for public companies and complex organizations have never been more extreme. The solutions never more challenging. Today more than ever, it is vital that senior executives and board members have all the information, tools and answers they need to fulfill their fiduciary duties.

07 February 2005

Is Your CIO Getting More Complex?

If this Optimize survey is an indicator, the CIO's job is becoming more complex each day.

The CIO's role continues to evolve, and by all indications the job isn't getting any easier. In addition to overseeing day-to-day technology needs, IT executives increasingly must generate new business opportunities, contribute to regulatory-compliance efforts, bolster information security, reduce risk, and improve supply-chain efficiency.

How well-equipped are CIOs to meet these growing responsibilities and where are they turning to gain additional expertise? Are companies doing enough to help IT support the business and take advantage of new technologies, even as security and regulatory compliance take up more time and resources? This month, Gap Analysis examines the CIO's expanding role.

Multifaceted CIOs Conventional wisdom says the CIO's role is becoming more complex, particularly with the addition of regulatory-compliance and risk-management responsibilities.

More CIO's should make time to have lunch with external partners and the CFO, CRO and CEO than ever before. New regulations such as SOX and other new emphasis on Anti-Money Laundering are keeping everyone on their toes and the CIO needs to understand the big picture to see how they can achieve corporate goals.

And yet only 22% of the business and technology managers surveyed expect their CIO or VP of IT to work more closely with external business partners in supply-chain development during the next 12 months. A greater number (49%) said the CIO will work with external partners on business-process improvements, development of new-business opportunities (46%), information security (46%), regulatory compliance (44%), risk management (42%), and application development (41%).

04 February 2005

U.S. Public Readiness Index...is Business Ready?

The Public Readiness Index is on the way and the question is: Is business ready?

In one of his last public speeches as the head of the U.S. Department of Homeland Security, Secretary Tom Ridge shared his insights about critical next steps for public preparedness, and encourage a ground-breaking "public readiness index" for communities.

Ridge made his remarks at a breakfast event hosted by the Council for Excellence in Government tomorrow, Friday, Jan. 28 at 8 a.m. at the Willard Hotel in Washington.

In conjunction with Ridge's remarks, The Council for Excellence in Government, in partnership with the American Red Cross, the George Washington University Homeland Security Policy Institute, and the U.S. Department of Homeland Security will announce plans to create a Public Readiness Index. The Index will gauge the readiness of citizens, schools, businesses, and other community organizations to respond to emergencies -- from terrorism to public health emergencies and natural disasters -- and allow individual citizens and community leaders to measure, track and address gaps in local preparedness.

More than 100 leaders in the nation's homeland security enterprise have already signed a commitment to work together to create the Public Readiness Index, which will be independent from government.

The "Public Preparedness, A National Imperative" Report is 52 pages of great information from the consortium of "Brain Power" who assembled in July last year. Their conclusion is summed up with the following quote:

“I know no safe depository of the ultimate powers of the
society but the people themselves; and if we think them not enlightened enough to exercise their control with a wholesome discretion, the remedy is not to take it from them, but to inform their discretion.”

—Thomas Jefferson

If we can interpret Mr. Jefferson's and the consortiums conclusion correctly, business is in for a whole lot of readiness exercises. Again, the question remains: Are they ready?

03 February 2005

Terrorism Risk Management for Critical Infrastructure Protection

The process and systems for managing Terrorism Risk are changing as the commercial real estate finance and building owners or developers strive to establish new standards. Critical Infrastructure Protection is a national priority. The key catalysts for change could further motivate implementing new risk reduction programs and measures.

Some of the key catalysts for change are:

Insurance – those institutions that are sharing risks that a building owner faces.

Finance – banks, REIT’s (Real Estate Investment Trusts), and others such as pension funds that provide the capital for investments in commercial infrastructure.

Regulation – Federal, State and Local jurisdictions that regulate building design, construction and operations.

Overall Terrorism Risk Reduction begins with these key catalysts in concert with owners of critical infrastructure, whether that is an office building, a hospital or a hotel. These soft targets are where the risk management decision-making is already taking new directions.

In order to introduce new changes in process or design that impacts the physical or operational aspects of buildings (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners. Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety. First however, we must understand the character of terrorism risk in critical infrastructure and the tools currently available to help manage that risk.

For more information see 1SecureAudit

01 February 2005

Basel II: Investment Advisors Operational Risks

If Pat McAnally from Sungard is correct, then Information Technology Risk is here to stay especially when it comes to Continuity of Business Operations.

"Basel II represents the first time technology entered the definition of operational risk," McAnally says. "In Basel it’s the first time we’ve seen this enter the lexicon—normally it’s all about credit risk and liquidity and market portfolios. We’re hearing from our clients that it’s trickling down even to institutions that are not top-tier because they believe that eventually, if the big firms will have to adhere to that, then they will, as well. And the whole issue of it coming out of some of the European accords as the market moves more into global outsourcing of business processes means it doesn’t matter if you’re headquartered in the US if your processes are being managed elsewhere."

McAnally sees similar beefed-up business continuity requirements in the SEC’s new mandates for hedge funds and investment advisors.

"From the hedge fund perspective, the SEC’s registration rule follows rules 206 and 38A for registered investment advisors passed last February," she says. "These rules require board approval for a chief compliance officer, and specifically spelling out security and privacy, and they’re specifically spelling out business continuity plans. So if you want to register as an investment advisor with the SEC, if that’s important to your business model, then they’re requiring those things."

For hedge funds with institutional investors and that utilize incubators, ASP providers or other third parties for their business continuity function, McAnally recommends extensive due diligence—fund managers themselves should make sure their providers can duly support any business interruption.

"If institutional investors are not careful, they’re going to be exposed to risks that are not under their control, and smaller hedge funds utilize things like technology incubators," McAnally says. "You’ve got to find out if they did their due diligence to see what the provisions are for availability, for continuity."