24 November 2005

Avian Flu: What are the Risks?

Avian influenza, or bird flu, is a contagious viral disease caused by certain types of influenza viruses that occur naturally among birds. Usually, these viruses do not infect humans, but several cases of human infection with bird flu viruses have been reported recently.

Why could this become an Operational Risk for your organization? Currently, these viruses are circulating in bird populations in Asia and have caused severe illness and death in humans. Since the recent outbreaks of this strain began in 2004, more than 120 people have been confirmed as infected and more than 60 have died. Most human cases are thought to have occurred through contact with infected poultry or contaminated surfaces. However, some scientists worry that if the virus were to mutate so that it could both infect people and spread easily from person to person in a sustained fashion, a global "influenza pandemic" (a worldwide outbreak of the disease) could begin.

The WHO Avian Flu Fact Sheet answers many of the basic questions about the disease.

21 November 2005

Simulation & Analysis: COOP on Steroids...

All of the planning tools that have automated the development of Business Crisis and Continuity Management (BCCM) and Continuity of Operations (COOP) documentation have addressed only a small piece of the total mosaic of operational risk management. There is, however, a new "kid" on the block worth keeping an eye on, because they have built tools for simulating and analyzing the impact of significant business disruptions on our critical infrastructures.

FortiusOne’s target market encompasses both the public and private sectors. The former includes federal, state, local and international segments, with primary emphasis on Homeland Security, National Defense, Intelligence and Emergency Management for critical infrastructure vulnerability assessments and consequence management. FortiusOne’s private sector market addresses risk analysis for the Banking/Financial Services, Transportation, Energy, Telecommunications, Insurance and general Supply Chain segments, with primary emphasis on business continuity planning, business optimization and disaster recovery. Market size exceeds $40B and is trending upward in both public and private sectors. Recent events and consequences related to hurricane Katrina, terrorist threats and attacks, and corporate management/mis-management events have created intense interest in FortiusOne’s products and services. The Company’s revenue model for both public and private sectors includes fixed-price product pricing for basic assessments, with additional high-value consultation for detailed analysis of specific client-defined scenarios.


While we are confident that there is a market for tools like these, the largest challenge still remains: human factors.

All of the scenario planning and simulation is important for creating new contingency procedures or applying new methods to mitigate the impact of such scenarios. However, the human factors are and will remain unknown until you actually exercise and effectively test that scenario. Only testing will tell you what people did or didn't do, and why they reacted the way they did. The psychological and physiological unknowns are what throw the planners and simulation operators for a loop every time.

We hope that FortiusOne also gives their clients the insight they require to create the most realistic and optimal tests to determine what the real outcomes will look like before and after a natural disaster or terrorist event.


17 November 2005

ISO 27001 : Information Security Management...

What Is ISO 27001?

ISO/IEC 27001:2005, titled "Information technology - Security techniques - Information security management systems - Requirements", is the replacement for BS 7799-2. It is intended to provide the foundation for third-party audit and certification, and is 'harmonized' with other management system standards such as ISO 9001 and ISO 14001.

The basic objective of the standard is to help establish and maintain an effective information security management system, using a continual improvement approach. It implements the OECD (Organization for Economic Cooperation and Development) guidelines governing the security of information systems and networks.


This particular standard defines and specifies an 'Information Security Management System', known as an ISMS. It complements the existing ISO 17799 code of practice, and specifies a general framework for creating and maintaining the security process within an organization.

These two standards (ISO 17799 and ISO 27001) are closely related, and although their scope is wide, they have very distinct roles. ISO 17799 is a code of practice: a catalogue of security controls and implementation guidance that an organization may select from.

ISO 27001 defines the overall requirements for the security management system itself, the focus being on management: scoping the ISMS, assessing and treating risk, selecting controls, and measuring, auditing and improving the system over time. It is this standard, rather than ISO 17799, against which certification is offered. It was based upon an earlier standard, BS 7799-2, but has been more closely aligned with the other management system standards.

11 November 2005

Strategic Organizational Resilience & Survivability...

According to the best practices from several sources, the Board of Directors is responsible for the "Strategic Resilience and Survivability" of an organization. Let’s take a look at what the highly influential Basel Committee says about one principle as it pertains to Business Crisis and Continuity Management (BCCM):

Review and Testing of Business Continuity Plans – Basel Principle 13

“It is the responsibility of the organization's Internal Audit and Business Continuity functions to ensure that all of the organization's business continuity plans are tested and reviewed on a periodic basis to spot incorrect assumptions, oversights or changes to equipment and employees, and to identify any changes in business requirements not reflected in specific plans. Any undocumented requirements must immediately be documented. In addition, appropriate information owners and users must be informed of updates to plans.”


For large global money-center institutions, the Basel guidance means you have to test all of your critical suppliers and their plans, not just your own, so that their failures do not become your service interruptions. The question is: how often is enough? When is the last time you knocked on the door of your power company, phone company and water company and said, "I’m here to audit your BCCM plans"? And did you do so in every country where you operate critical information processing and personnel centers?

Having survived several large quakes in Southern California in years past, I’m not sure that all of the testing in the world can prepare people for the human behaviors that come from within. People literally lose all sense of common sense when you are on the 42nd floor of a 50-plus-story skyscraper and, without any warning, it physically sways a couple of feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself; it’s how to create a scenario real enough that you get similar behaviors out of unsuspecting people.

Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and tornado scenarios. These large catastrophic external loss events have been insured against, and the premiums are substantial. What is less easy to analyze from a threat perspective is the constantly changing landscape and continuity posture of the many facets of the organization having to do with people, processes and systems.

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
· Public perception
· Unethical dealings
· Regulatory or civil action
· Failure to respond to market changes
· Failure to control industrial espionage
· Failure to take account of widespread disease or illness among the workforce
· Fraud
· Exploitation of third-party suppliers
· Failure to establish a positive culture
· Failure of the post-employment process to quarantine information assets when employees are terminated

Frankly, corporate directors have their hands full managing risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as the other key functions, because shareholders will be asking more questions about the changing landscape of risk management as a matter of corporate governance.

In summary, the following six factors are the critical aspects of effective and strategic organizational resilience and survivability:

1. Business continuity planning will be conducted on an enterprise-wide basis 24/7.
2. A thorough and continuous business impact analysis and risk assessment is the foundation of an effective BCCM.
3. Business continuity planning is more than the recovery of the technology; it is the recovery of the business.
4. The effectiveness of a BCCM can only be validated through continuous and thorough testing.
5. The BCCM and test results will be subjected to continuous independent audit.
6. A BCCM will be continuously updated to reflect and respond to changes in the organization.

09 November 2005

The Risk of 4GW: It's Here to Stay...

At today's OSAC 20th Annual Briefing at the U.S. State Department Bureau of Diplomatic Security, we witnessed some excellent briefs from corporate CSOs and keynotes from Sandy Weill, Chairman of the Board of Citigroup, and Dr. Condoleezza Rice, U.S. Secretary of State.

All followed the theme of the day: the valuable and lasting public-private partnership established twenty years ago by former U.S. Secretary of State George P. Shultz. There was much talk of the current risk of Fourth Generation Warfare (4GW), the same method of guerrilla warfare described in The Sling and the Stone. In the middle of the presentations, many of our PDAs and phones began to vibrate and buzz. Within a few minutes, the podium was announcing the latest attack on our own corporate assets in the capital of Jordan.

At least 57 people were killed and more than 100 injured when suicide bombers blew themselves up at three hotels in Amman, the capital of Jordan.

The hotels were popular with foreigners and many of the guests were involved in work in Iraq. The attacks destroyed the fragile calm that Jordan has enjoyed despite its proximity to Iraq and the support of its ruler, King Abdullah, for American and British policy in Iraq.

Major Bashir al-Da'aja, a police spokesman, said: "There were three terrorist attacks on the Grand Hyatt, Radisson SAS and Days Inn hotels and it is believed that the blasts were suicide bombings." Said Darwazeh, the health minister, said there were more than 50 dead but the toll could rise.


The Overseas Security Advisory Council (OSAC) now counts over 3,000 U.S. companies, educational institutions, religious groups and non-governmental organizations as members, known as constituents. Although OSAC is rarely in the limelight, the way it helps American businesses fight terrorism abroad is unparalleled.

Is that a "Predator" taking off?

Mission

The MQ-1 Predator is a medium-altitude, long-endurance, remotely piloted aircraft. The MQ-1's primary mission is interdiction and conducting armed reconnaissance against critical, perishable targets. The MQ-1 Predator carries the Multi-spectral Targeting System with inherent AGM-114 Hellfire missile targeting capability and integrates electro-optical, infrared, laser designator and laser illuminator into a single sensor package. The aircraft can employ two laser-guided Hellfire anti-tank missiles with the MTS ball.


Tomorrow, on the second day of the OSAC briefing, the room will be missing many of the constituent members as they begin their investigations and deploy new resources in the pursuit of justice.

01 November 2005

Online Pharmaceutical Counterfeiting: The Digital Threat...

Pharma healthcare companies all over the globe are working hard to identify counterfeit drugs and to put these criminals out of business. This operational risk strategy saves countless lives each year. The first article in a series on counterfeiting at CSO Online misses a key focus: the Internet as a channel of distribution. To pursue this growing threat, organizations must consider using real professionals who can deter, detect, defend and document effectively, so that the anti-counterfeiting program is comprehensive.

The continuing growth of the Internet provides counterfeiters with ready access to unsuspecting consumers. Since goods purchased via the Internet are normally delivered through the conventional mail system, they frequently bypass national regulations for the distribution of controlled goods.

Intelligent Internet surveillance using proprietary software enables the detection of illicit distribution, trademark abuse, objectionable association and counterfeit activities, which can then be countered in a highly focused manner.

Authentix identifies client products on sale from suspect counterfeit sources, retrieves them anonymously and tests them for authenticity. In minor cases they issue Cease & Desist letters on behalf of clients and monitor compliance. Where counterfeit or diverted product is retrieved, they support their clients through legal remediation by maintaining a documented chain of evidence.


All of the forensic markers and post-testing due diligence will not stem the tide of bogus pharma web sites selling counterfeit drugs. An effective corporate risk intelligence process combines both the low-tech (HUMINT) sources and the high-tech methods (DIGITAL SURVEILLANCE) within a single entity. Only then will the data fusion and correlation of information allow for the legal, competent and rapid interdiction of this lethal threat.

Counterfeit medicines are a global scourge. The World Health Organization (WHO) estimates that as much as 10 percent of the half-trillion-dollar pharmaceutical market is counterfeit. In some developing countries, more than half of the drug supply may be fake. Every year, thousands die from ingesting fake medicines, many of which have been produced in squalid conditions using ingredients such as boric acid and highway paint.