31 August 2005

Corporate Emergency Response Teams...

1SecureAudit Joins Nationwide Coalition In Collaboration With The U.S. Department Of Homeland Security's National Preparedness Month

The company will join a wide variety of national, state and local organizations, including the U.S. Department of Homeland Security and the American Red Cross, in educating the public about preparing for emergencies.


For Immediate Release

MCLEAN, Va./EWORLDWIRE/Aug. 31, 2005 --- 1SecureAudit, an emerging leader in Operational Risk Management Solutions for the Financial and Healthcare Services Sectors, and its partners in a national coalition, today announced a free event that will describe the simple steps an organization can take to prepare for an emergency.

As part of a special effort during September, which is National Preparedness Month 2005, 1SecureAudit will join national, state and local organizations, including the U.S. Department of Homeland Security and the American Red Cross, in raising public awareness about the role of preparedness in protecting lives and property. Making an emergency plan, assembling an emergency supply kit and identifying community emergency-response resources greatly improve people's ability to survive a natural or man-made crisis.

"We're taking important steps to help organizations become even more educated, trained and better prepared, and we urge you to take time this month to do the same in your business," said Peter L. Higgins, managing director of 1SecureAudit.

On September 28, 2005, join 1SecureAudit at 1:00 p.m. EDT for a free online webinar to learn how to create corporate emergency response teams (CERT). Produced in cooperation with Long Branch Systems, Inc. of Rockville, Maryland, and ABD Insurance and Financial Services of Redwood City, California, the web-based presentation will highlight tasks that a business can perform now, and issues that it must consider in the future as it develops a comprehensive all-hazards risk program.

Download Details

29 August 2005

Katrina: Category 4 Storm Blasts U.S....

Now that Hurricane Katrina has made landfall for the second time in the U.S., we are reminded of several important operational risk management topics.

If a third-party service provider is being considered for critical information processing services, the organization should require that provider to develop and establish a disaster recovery framework that defines its roles and responsibilities for documenting, maintaining and testing its contingency plans and recovery procedures. The vendor must review, update and test its business continuity plans regularly in line with changing technologies, conditions and operational requirements.

The organization must also be prepared for worst-case service interruptions, in which a provider is unable to continue operations or render the services required. The organization's business continuity plans must include alternative vendors or in-house recovery procedures to resume information processing. Arrangements must be made to ensure continued availability of the information service in the event the third-party provider is unable to perform its contractual obligations.

Katrina's fury also was felt at the Louisiana Superdome, normally home of professional football's Saints, which became the shelter of last resort for about 9,000 of the area's poor, homeless and frail.

Electrical power at the Superdome failed at 5:02 a.m., triggering groans from the crowd. Emergency generators kicked in, but the backup power runs only reduced lighting and cannot run the air conditioning.

About 370,000 customers in southeast Louisiana were estimated to be without power, said Chenel Lagarde, spokesman for Entergy Corp., the main energy power company in the region.


Hibernia Bank, which is merging with Capital One and lies in the path of Katrina, has this to say about its BCCM operations:

Elevated back-up generators are in place to support the company's central processing operations in New Orleans in the event of a power outage in the city. Hibernia's operations centers in Houston and Shreveport are ready to serve as data back-up sites. In addition to providing contingency-planning support for the New Orleans center, the Houston center supports Hibernia's Texas operations.

"We constantly monitor the hurricane's track and communicate with emergency officials," said Herb Boydstun, president and CEO. "We have mobilized our people across Louisiana and in Texas to respond to storm-related issues."

Boydstun pointed out that Hibernia has comprehensive contingency plans designed to minimize disruption of service to its customers and to resume operations as soon as possible.

Employees are trained to transfer and recover systems, data and other vital components quickly. In Shreveport, the company has computers with redundant systems that can be activated in case of a New Orleans power outage. Hibernia maintains additional space in the Shreveport area that can quickly be converted to a technology center to support operations routed from New Orleans.


We wish them and all others in the New Orleans, LA and Biloxi areas Godspeed during the difficult days ahead.

26 August 2005

Safety & Security: Wi-Fi to the Rescue...

Have you ever wondered where the high-value assets in your facility or on your campus are located, especially the mobile ones? Have you ever wondered who is visiting your offices and where those visitors are at any given time? Ekahau now makes answering these and other questions easier and faster. Safety, production costs and time-to-market are vital considerations for industries such as oil refineries, chemical factories and other process-industry facilities. Being able to easily track people, vehicles and assets makes all three substantially more efficient.

Founded in 2000, Ekahau is the recognized leader in location-enabling enterprise Wi-Fi networks. Ekahau's mission is to provide the easiest, most cost effective and accurate positioning solutions for locating people, assets, inventory and other objects using wireless enterprise networks. The Ekahau solution tracks wireless laptops, PDAs, VOIP phones, Wi-Fi tags and other 802.11 enabled devices.

Ekahau’s solution allows businesses to keep track of valuable assets and equipment, improve overall workflow, and raise the levels of corporate security and customer service. With Ekahau, critical corporate resources, people and assets, will always be available at the right place and at the right time. Because Ekahau's location tracking does not require proprietary wireless infrastructure but runs over the existing private Wi-Fi network, deployment cost is kept to a minimum and the overall payback time is as short as possible.


Safety and security applications are numerous especially in healthcare:

• Emergency management - more efficient and faster emergency response
• Patient monitoring - better patient safety and increased throughput
• Workflow management - better staff utilization and increased patient throughput
• Equipment management - reduced need for inventory
• Information delivery - improved workflow, reduced errors
• Billing support & verification - improved revenue capture

We can think of other homeland security and first-responder applications for the Ekahau capabilities, especially post-event incident management and tracking key personnel inside a closed perimeter. As WiMax and other 802.11 networks are deployed in major metro locations, the applications become widespread.

24 August 2005

People: Beyond Travel Risk Management...

When was the last time your corporate travel department gave you some timely INTEL? Maybe you got a report on the current level of risk in the region, city or country you are now scheduled to visit in the next few days. What are you going to do if everything goes South in a matter of seconds or minutes?

The Mission

In situations that require instinctive response, you have to go beyond the traditional travel management report on what to do and who to call. You have to act and make decisions on your own.

In order to survive, one must be trained on the authoritative, detailed description of the methods by which terrorist organizations, hostile intelligence services, and criminal groups select and target specific individuals. Individuals and a team must learn how they can detect and counter potential threats against them, and their sponsoring organizations to better manage these operational risks.

These threats could include recruitment by a hostile service, kidnapping or assassination by terrorist and criminal elements or espionage by business competitors. Combined with real-time INTEL, you must receive intense, real-time instruction in surveillance detection and counter-surveillance so that you can take appropriate actions.

Combining real-time intelligence with a focused surveillance and threat detection-training program is exactly what savvy corporate executives and Chief Security Officers are looking for from a single source. Personnel threat management is a prudent risk mitigation solution. This combination is one key strategy to mitigate the operational risks associated with key personnel in your organization.

Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, the wealthy and those responsible for their safety.

The Take Away

Combine two parts Threat Detection & Management with one part INTEL and you have the perfect combination to ensure the successful completion of corporate missions across the globe.

22 August 2005

HIPAA: Outsourcing Protected Health Information...

At least in the U.S., the Department of Health and Human Services (HHS) is quite clear about Protected Health Information (PHI). What is personal or protected health information and under what circumstances as a business must you keep this information private?

Now let's introduce the offshoring or outsourcing component of running a data intensive and information centric business model. Healthcare is all about the collection, analysis and historical trending of data about our vital signs, symptoms, habits and test results. Where is all of that data being processed and stored from transcribed audio and visual media?

Most patients who visit the hospital probably do not spend too much time thinking what happens to information in their medical records after they leave, but in the age of outsourcing, the path of a patient's medical record can be a long and precarious one. Medical Data Theft is a growing concern.

Consider a recent case at a university hospital in California, where the doctor's notes from a patient visit were first sent to a transcription service company in Florida, which decided to subcontract to another firm in Texas. The Texas firm subcontracted the work yet again, ending up with a woman in Pakistan. This Pakistani woman became upset because her payments for her services were late, so she decided to send an e-mail to the university hospital, threatening to post the medical records on the Internet if she was not paid immediately. It might sound like a nightmare, but it is the reality of outsourcing today.

Medical records are secured under HIPAA standards, but when they leave the United States, these rules may not necessarily apply.


QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

Do you know that soon your PHI may be located in a Medical Information Bureau (MIB)? And in this case, it could be a real problem or as this scenario describes, it could kill you:

Here's the scenario. A bad guy steals your identity. He ends up in the hospital and pretends to be you. His medical history becomes a part of your "MIB identity, or Medical Information Bureau identity." You could end up being denied insurance -- or much, much worse. If you show up on the medical bureau as having heart disease or diabetes and then show up at the hospital unconscious, they might kill you trying to save you.

18 August 2005

Big Blue Gets Serious About ORM...

Big Blue is getting ever more serious about Operational Risk Management. Recently unveiled solutions for biometrics, enterprise risk management frameworks, and customer relationship management cater to their financial customers.

When IBM says listen, most finance-sector CIOs stop in their tracks.

IBM demonstrated a "cancelable" biometrics system, in which a prearranged transformation algorithm intentionally distorts a person's biometric data, such as a fingerprint, rendering the original biometrics useless for identification purposes. The biometrics project was conceived out of a need "to make replacing biometrics as easy as replacing credit cards," said IBM researcher Nalini Ratha during a presentation at IBM's Industry Solutions Lab in Hawthorne, N.Y.

IBM detailed an enterprise risk-management framework intended to help financial institutions cope with a stream of regulations such as Basel II and the Sarbanes-Oxley Act. The central themes of the IBM approach are that risk and compliance need to be managed centrally, and that operational risk, such as the likelihood of losses due to unpredictable events such as natural disasters, needs to be modeled using probabilistic means. IBM tested the risk framework during its own Sarbanes-Oxley compliance process, which involved almost 10,000 financial-control points.


As a public company, they are the perfect lab for testing their own systems and solutions, especially when it comes to regulatory compliance issues. The question remains whether the SOX process at IBM will produce positive outcomes. Time will tell. Even more interesting is their approach to "cancelable biometrics". The financial industry is under new pressure to reduce the operational losses caused by unauthorized access. Authentication using more than a User ID and password is gaining momentum as banks focus on stemming the millions of dollars they lose each month. This solution addresses the privacy concern, so that consumers can feel their data is safe, and reduces the value to a hacker of gaining access to and using someone's personal biometric for fraud.

IBM's system wouldn't entirely solve the replaceability problem of biometrics: If a hacker got hold of a user's fingerprint and made a passable model, he could still wreak havoc with it. What IBM's technology could do, however, is significantly narrow hackers' opportunities to gain access to such data. If a user's fingerprints (or facial photographs, iris scans or any other biological marker) aren't stored in any of the systems she uses them to access, cracking those systems won't give the hacker keys to the victim's biometric kingdom. If a hacker did get in - and the frequency with which companies sheepishly confess to database hacks and inadvertently exposed personal information illustrates the reality of that risk - IBM's system would let a user quickly cancel the compromised biometric profile and generate a new one, akin to replacing a lost or stolen credit card.


The cryptographers think they have found irreversible transforms that make this commercially feasible. We hope it becomes a reality.
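The keyed-transform idea behind cancelable biometrics, as an added illustration that is not IBM's method or code: a secret key drives a random projection of the feature vector, only the sign bits are stored, and revoking a leaked template means re-enrolling under a new key. The 16-value integer "fingerprint" and its noisy probe are constructed stand-ins for minutiae measurements.

```python
"""Keyed random projection with sign quantisation: a simplified cancelable
template demo (illustrative; not IBM's algorithm). Features are constructed."""
import hashlib
import hmac
import secrets
import struct

N_BITS = 128     # length of the protected template in bits
THRESHOLD = 16   # largest Hamming distance still accepted as a match


def keyed_projection(key: bytes, n_bits: int, n_features: int) -> list:
    """Derive a deterministic +1/-1 projection matrix from the secret key.

    Entries come from the low bit of successive HMAC-SHA256 output bytes, so
    one key always gives the same matrix and another key an unrelated one.
    """
    needed = n_bits * n_features
    stream, counter = b"", 0
    while len(stream) < needed:
        stream += hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    signs = [1 if b & 1 else -1 for b in stream[:needed]]
    return [signs[i * n_features:(i + 1) * n_features] for i in range(n_bits)]


def transform(key: bytes, features: list) -> tuple:
    """Project the features with the keyed matrix and keep only the sign of
    each projection. This bit string is what gets stored; raw features never are."""
    matrix = keyed_projection(key, N_BITS, len(features))
    return tuple(
        1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0
        for row in matrix
    )


def hamming(a: tuple, b: tuple) -> int:
    """Number of differing bits between two protected templates."""
    return sum(x != y for x, y in zip(a, b))


def enroll(features: list, key=None) -> dict:
    """Create a protected record under a fresh random key (or a supplied one)."""
    key = key or secrets.token_bytes(32)
    return {"key": key, "template": transform(key, features)}


def verify(record: dict, probe: list) -> bool:
    """Transform the live probe under the record's key and compare in the
    protected domain; the Hamming threshold tolerates sensor noise."""
    return hamming(record["template"], transform(record["key"], probe)) <= THRESHOLD


def reissue(record: dict, features: list) -> dict:
    """'Cancel' a compromised template by re-enrolling under a new key. The
    leaked template then no longer matches, much like a replaced card."""
    new = enroll(features)
    assert new["key"] != record["key"]
    return new


# Constructed sample data: integer values stand in for minutiae measurements;
# the probe is the same finger with small sensor noise added.
FINGERPRINT = [3, 7, 1, 9, 4, 6, 2, 8, 5, 1, 7, 3, 9, 2, 6, 4]
NOISY_PROBE = [f + d for f, d in zip(FINGERPRINT, [0.04, -0.03, 0.02] * 5 + [0.05])]

if __name__ == "__main__":
    rec = enroll(FINGERPRINT)
    print("noisy genuine probe accepted:", verify(rec, NOISY_PROBE))
    stolen = rec["template"]            # suppose the template database leaks
    rec = reissue(rec, FINGERPRINT)     # cancel and re-enroll under a new key
    print("leaked template differs from the new one in",
          hamming(stolen, rec["template"]), "of", N_BITS, "bits")
    print("genuine probe still accepted after reissue:", verify(rec, NOISY_PROBE))
```

Two records enrolled from the same finger under different keys disagree in roughly half their bits, so a template stolen from one system cannot be replayed against another or against the re-enrolled record.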

15 August 2005

ISO 17799: Culture Sensitive Best Practices...

“Unlike ISO 17799, however, the SAS 70 is not a "best practices" standard. Instead, it documents the controls in place that satisfy the company's internal control objectives.” This CSO's worldly insights could not be more true.

Implementation of 7799 standards and a comprehensive ISMS provides your organization with a security & privacy governance framework… a one-stop best practices solution for cultural security and privacy issues across the globe. Measuring documented controls across Lines of Business and International Business Units requires a single benchmark. Without a pervasive global information security standard within the organization, employees and management can’t determine if they are improving, or where they are most vulnerable to new threats. Auditors can’t certify if controls are working without a published and well-established set of processes and procedures for checking the validity and evidence of information security.

CSOs facing a myriad of new Operational Risks are quickly adopting thoroughly tested and proven controls and best practices that span countries and cultures. More importantly, they have also discovered that supply-chain risk extends the reach of their management systems well beyond their own boardroom.

11 August 2005

OREA: Operational Risk Enterprise Architecture

What impact does change have on Operational Risk? As Boards of Directors and Executives try to cope with increased market competition, organizational restructuring and mergers or acquisitions; complexity becomes exponential. Change has a monumental impact on risk exposures and consequences.

Adaptive continues to be a leader in the creation of effective Enterprise Architectures to manage risk on a global scale.

Many organizations have difficulty tracing how their strategies are implemented and how resources are used across the organization. Every year, millions or even billions in currency are lost on mismatches between strategies, processes, performance targets, roles and responsibilities, human resources, IT applications and the projects meant to improve all of these.

Top executives recognize that effectively managing an organization requires a clear understanding and alignment of several key factors. However, they typically lack the tools they need to manage the complexity involved. This is where Adaptive's Top Slice Architecture comes in.

To continuously adapt to their changing environments, executives must know about, keep in balance, and communicate several things:

What exactly are the strategies of the organization and how should they be implemented? (Strategy Development and Organizational Change)

What are the processes the organization executes, how are they integrated, and how do they contribute to the strategy of the organization? (Business Process Management)

How are human resources being utilized and whether there is optimum use of skills and resources available across processes and functions? (Human Resource Management)

To what extent is the organization chart a proper reflection of appropriate roles and responsibilities, in order to effectively and efficiently carry out all work? (Organization Management)

What IT applications are available in the organization, how do they interface and what processes and functions do they support? (IT Portfolio Management)

How does the performance of each process, each function and each individual add up to the organization's performance? (Performance Management)

What projects are currently underway, how do they affect change, what processes and IT applications do they change, and how does this contribute to the strategy of the organization? (Project & Program Management)


Companies who are in highly regulated industry sectors are perfect examples of organizations who must rapidly adapt to new laws, government mandates and must remain proactively compliant. How can you effectively keep pace in managing risk without an Enterprise Architecture? Simply stated: It's literally impossible.

Can you visualize how information flows through your organization? In order to report new information to regulators you first have to know what applications and databases are impacted by the new law or a request for additional data. Without a repository of metamodels to start with, you won't know where to begin.

In the context of Operational Risk Management, Enterprise Architecture enables end-to-end visualization of information flows from any point (e.g. origin, final report, any intermediate point), in a form suitable for both business and technical users, and also allows technical definitions to be linked to business-term descriptions.

If your Operational Risk professionals are not working side by side with your Enterprise Architects, maybe it's time you booked that conference room for a few weeks.

09 August 2005

US National Security: Critical Infrastructure Protection...

Now that InfraGard has a Memorandum of Understanding with DHS, only time will tell what impact the new formalized relationship will have on national preparedness.

WASHINGTON--(BUSINESS WIRE)--Aug. 8, 2005--InfraGard National Members Alliance (INMA) today announced it has struck an official Memorandum of Understanding (MOU) with the Department of Homeland Security (DHS) Private Sector Office (PSO) regarding a Strategic Partnership. The announcement was made at the 2005 "InfraGard Congress," InfraGard's annual business meeting, which is taking place today at the JW Marriott in Washington D.C.

The purpose of the MOU between InfraGard and DHS is to outline the objectives of a Strategic Partnership between the two parties, as well as their related roles and responsibilities. A Strategic Partnership between InfraGard and DHS will provide both organizations with the opportunity to develop and cultivate existing relationships between the government and the private sector in an effort to engage private sector subject matter experts for the protection of our nation's critical infrastructure.

"InfraGard highly values its MOU with DHS, and is looking forward to engaging our local members with DHS leadership to identify issues and develop programs to address them," said Dr. Phyllis Schneck, chairman of the Board of Directors, InfraGard National Members Alliance. "DHS has expressed interest in InfraGard's success in engaging subject matter experts in all 50 states across all 14 critical infrastructure sectors to build trusted relationships with Federal, state and local law enforcement and government agencies. Additionally, the relationship between DHS and InfraGard is critical as our membership grows to serve as the primary liaison between private sector and all areas of government and law enforcement."

The joining of forces between InfraGard and DHS will enable both organizations to raise security awareness more effectively in communities across the country. Through National and local events coordinated by InfraGard across its 84 chapters, DHS leadership will have a forum to better inform the business community about homeland security programs and initiatives. In turn, the private sector will have a channel via InfraGard to communicate its issues to DHS, and also provide direct feedback about DHS initiatives.


FBI Director Mueller's keynote is another indicator that public / private cooperation is essential to the government in order to protect our vital national assets.

"Director Mueller's participation in the InfraGard 2005 National Conference is proof positive of the significant role InfraGard has played in National security. Furthermore, thanks in large part to InfraGard's vision and dedication, law enforcement agencies across local, state and Federal levels actively are and will continue to work together to secure the United States from threats to its critical infrastructure."

In addition to Mueller's keynote at the InfraGard 2005 National Conference there also will be tracks and technical sessions dedicated to the following topics: Drinking Water Security; Maritime and Port Vulnerabilities and Security; Computer Forensics; Cyber Security; First Responders; Financial Institution Security; Regulatory Compliance; and Supervisory Control and Data Acquisition (SCADA) Systems.

08 August 2005

Healthcare Risk: Counterfeiting & Online Pharmacies...

Pharmaceutical companies, along with the FDA, are on the offensive to rid the Internet of bogus online pharmacies.

The continuing growth of online pharmacies provides dealers and counterfeiters with ready access to unsuspecting consumers. Since goods sold online are typically sent through the conventional mail system, they frequently by-pass national regulations for the distribution of controlled goods.

Jim Kouri's thoughts on this subject are correct:

Those Americans demanding the US government to allow citizen's access to foreign prescription drugs should heed the concerns of the world's foremost health organization. According to the World Health Organization's definition a counterfeit medicine "is one which is deliberately and fraudulently mislabelled with respect to identity and/or source. Counterfeiting can apply to both branded and generic products and counterfeit products may include products with the correct ingredients or with the wrong ingredients, without active ingredients, with insufficient active ingredients or with fake packaging."

It is estimated that one in 20 pharmaceutical products on the market is counterfeit, with the number rising to one in three in some developing countries.

Counterfeit pharmaceuticals are manufactured and distributed by criminals, companies or individuals who have the desire to make money unlawfully. They may contain too much, too little or no active ingredient, the wrong ingredients or high levels of impurities, contaminants and even toxic substances. They could be reject or out-of-date formulations withdrawn from the market which are obtained by counterfeiters, relabelled as bona fide product and introduced back into circulation. They have killed and injured thousands around the world.


Effective operational risk mitigation strategies for Pharma and Healthcare companies enable the detection of illicit distribution, trademark abuse, objectionable association and counterfeit activity, which can then be countered in a highly focused manner. The outcomes can save lives and millions of dollars per year.

For a list of Certified Online Pharmacies see:
VIPPS Program

For more information on this health care risk see:
Safe Medicines

05 August 2005

ORM for Board Directors: 4D Risk Strategy...

Savvy Operational Risk Management Executives and Audit Committee Directors should ask themselves the following questions:

Do we have the management systems we require to audit compliance, risk, and claims data?

Are the corporate data collection systems automated?

Are we in compliance with the state and federal regulations affecting our industry?

How do we merge data from internal and external sources so that it provides us with a holistic view of risk?

How do we easily compare data across Lines of Business?

How do we chart risk exposures in real-time for the company as a whole?

How do we access our audit information in the organization?

In our current threat environment, interested parties inside and outside of an organization are demanding more accountability from Board Directors to handle all facets of Operational Risk Management (ORM). This cannot happen until there is a clear understanding of the different types of risk that could impact the company as well as the consequences and frequency.

In order to survive, corporations need a "4D Risk Strategy". Only then, can any of these questions begin to be answered with any certainty.

02 August 2005

National Preparedness Month 2005 Coalition Members...

NATIONAL PREPAREDNESS MONTH 2005 COALITION MEMBERS
AS OF August 1, 2005

The U.S. Department of Homeland Security and the American Red Cross are working with a wide variety of public and private sector organizations to educate the public about the importance of emergency preparedness. Throughout September, these organizations will provide information, host events and sponsor activities that disseminate emergency preparedness messages to and encourage action in their customers, members, employees, stakeholders and communities across the nation. Below is a listing of the 166 members of the 2005 National Preparedness Month Coalition as of August 1, 2005.


1SecureAudit is hosting a Webinar in collaboration with Long Branch Systems and ABD Insurance, Inc. on September 28th, 2005. We hope you will join us!