25 January 2005

Lessons Learned...

What did the US learn about security from the Presidential Elections and the respective conventions in New York and Boston? Michael Smith and Fred Klapetzky remind us of a few of them:

Lesson 1: Preparation Equals Prevention

Lesson 2: Security Saturation makes an Attack more Difficult

Lesson 3: Heightened Awareness makes all the Difference

Lesson 4: Monitoring News Coverage can be Helpful

All of the companies and organizations in these two metro areas should be better prepared than others in the country, right? A recent study (8/2004) by AT&T entitled "Disaster Planning in the Private Sector: A Post 9/11 Look at the State of Business Continuity in the U.S." surveyed 1000 executives from 10 large metro areas. The survey indicated, surprisingly, that New York and Washington, DC were among those least prepared. In both cities, nearly 25% of companies lacked a plan. According to the survey, even those with BC plans are failing to test or update them on a regular basis. See BC Study

Let's just hope the convention has changed the stats in NYC.

24 January 2005

Compliance is a Strategic Differentiator...

We have to agree with Simon Moss of Mantas.

Prior to September 11th and the USA PATRIOT Act, financial institutions had a similar outlook and level of investment into their anti-money laundering efforts. "The systemic 'wall' to stop money launderers was generally at the same height," says Moss.

Differences in the size of that wall are beginning to emerge. "Over the last three years, firms have been making decisions that have essentially changed that landscape," notes Moss. "The firms that invest more into a serious culture of awareness, serious technology, serious training, and take this problem seriously, will drive money launderers or fraudsters or employees looking to do malfeasant actions to other institutions."

The feds are coming to an institution near you, and that institution will most likely be a neighborhood or community regional bank. These, unfortunately, are the institutions that the OCC and other US federal regulators are concerned about. Their programs are going to be tested for CIP (Customer Identification Program) compliance and other BSA/AML/OFAC related issues.

20 January 2005

ChoicePoint: Your Identity is Big Business...

Why are people getting nervous about companies like ChoicePoint? This article in the Washington Post by Robert O'Harrow comes from his book, "No Place to Hide," published by Free Press, copyright 2005. O'Harrow also received financial assistance from the Center for Investigative Reporting. He outlines the arguments from both sides of the "Big Brother" issues:

Now the little-known information industry giant is transforming itself into a private intelligence service for national security and law enforcement tasks. It is snapping up a host of companies, some of them in the Washington area, that produce sophisticated computer tools for analyzing and sharing records in ChoicePoint's immense storehouses. In financial papers, the company itself says it provides "actionable intelligence."

The question remains whether legislation will ever have as much control over ChoicePoint as it has over companies like Equifax and the other credit reporting agencies. However, everyone must accept that our lives are about full disclosure of who we are and what our historical "Modus Operandi" can tell someone about how we might act in the future.

Public information is there because each one of us has opened a bank account, filled out a credit application, applied for a job and traveled on an airplane. ChoicePoint is there to make sure that risks are managed and losses are mitigated. Period.

One only has to imagine, in these times of Identity Theft and Suspicious Activity Reports, how important it is for the good and law-abiding citizen not to be confused with the person with a questionable history. Frankly, I don't want to be mixed up with the other John Q. Publics on the planet. All the decisions I have made in my life have defined who I am, the zip code I live in, the car I drive and the schools and jobs that I've had.

There is one word of advice for those who don't mind the fact that their information is available to anyone who wants to buy it: make sure that it is accurate. This is where the Fair and Accurate Credit Transactions Act (FACT Act) and other legislation allow the consumer to get access to a majority of the information on file and to see that it is correct. If you can't live with what you are reading, then maybe it's time to make some changes in your life.

17 January 2005

COSO: Operational Risk Standard?

Will COSO become the Operational Risk standard for Basel II? This paper by Patrick McConnell argues:

The wording of Basel II is sufficiently vague that banks are in danger of developing internal ORM systems that run the risk of not complying with interpretations of Basel II by local supervisors.

However, there are mature frameworks from other industries upon which the processes of Operational Risk Management could be based.

In particular, there are two risk management standards - AS/NZS 4360/2004 and COSO/ERM – that, alone or in combination, could satisfy the requirements of Basel II for systems that are ‘conceptually sound’; and

The adoption of operational risk management processes that are based on proven, practical and usable standards, should reduce the overall costs to the industry of complying with Basel II.

COSO notes that the ERM Framework is “purposefully broad”, capturing “key concepts fundamental to how companies and other organizations manage risk,” and may be applied across “organizations, industries, and sectors.”

13 January 2005

People: Travel Risk Management...

This iJet advertorial explains many of the benefits of having a travel risk management provider for your global corporate executives.

"They were rushing to catch the overnight train and wondered whether that was a secure option. With the train leaving in five minutes, he asked if they should get on. He was advised to take the train only if the meeting was absolutely time-critical. If they took the train, he was cautioned to stay awake for the second half of the trip because people had recently been robbed, removed from the trains and beaten up after crossing into Macedonia."

Combining real-time intelligence with a focused surveillance and threat-detection training program is exactly what savvy corporate executives and Chief Security Officers are looking for from a single source. Personnel threat management is a prudent risk mitigation solution, and this combination is one key strategy for mitigating the operational risks associated with key personnel in any global organization.

Without the application of survivability and surveillance skills together with relevant intelligence, employees traveling in harm's way will continue to be at significant risk. The CSO is responsible for getting the correct INTEL and, even more important, for making sure those employees can take care of themselves without having to rely on third-party executive protection or outsourced security firms. Sometimes you just have to think and act on your own.

10 January 2005

OFAC Compliance in U.S. Financial Institutions...

Foreign Assets Control Regulations for the U.S. Financial Services industry are a vital area of operational risk management in the enterprise. Institutions need to make sure that all of their employees, not just the compliance officer, are enforcing the regulations.

The Office of Foreign Assets Control (OFAC) administers a series of laws that impose economic sanctions against hostile targets to further U.S. foreign policy and national security objectives. Economic sanctions are powerful foreign policy tools. Their success requires the active participation and support of every financial institution. The use of sanctions by the U.S. goes back to the earliest days of the Republic through trade embargoes, blocked assets controls, and other commercial and financial restrictions. Many of them have been multilateralized within the global community against pariah countries, as well as being used against groups, such as narcotics traffickers and terrorists, who threaten the security, economy, and safety of the United States. Management of sanctions on the U.S. side is entrusted to the Secretary of the Treasury.

It is often difficult to balance the demands of Federal and State bank examiners with limitations on time, resources, and manpower imposed by bank management. While every financial institution must comply with the same laws and regulations, no one compliance program can be prepackaged for everyone in the open marketplace. Every program must be tailored to meet the needs and structure of individual financial

"financial institutions" include:

* banks, including:
    o insured
    o commercial
    o trust companies
    o private bankers
    o U.S. branches of foreign banks
    o credit unions
    o thrift institutions
* introducing brokers
* commodities broker dealers
* commodity trading advisors
* commodity pool operators
* securities broker dealers
* futures commission merchants
* issuers, redeemers or cashers of travelers checks, checks, money orders, or similar instruments
* operators of credit card systems
* telegraph companies
* insurance companies
* loan or finance companies
* investment bankers or companies
* persons or companies involved in real estate closings and settlements
* currency exchanges
* casinos, card clubs, and gaming establishments
* money transmitters
* pawnbrokers
* travel agencies
* automobile, airplane and boat dealers
* dealers in precious metals, stones or jewels
* U.S. Postal Service or any agency of U.S., state or local government carrying out a duty or power of business

Under the provisions of the Patriot Act, the Department of Treasury has specified, or soon will specify, anti-money laundering compliance program regulations specific to each above-listed industry. The Patriot Act, at a minimum, requires that these programs include:

1. the development of internal policies, procedures, and controls;
2. the designation of a compliance officer;
3. an ongoing employee training program; and
4. an independent audit function to test programs.

Each financial institution is also required to implement a Customer Identification Program (CIP) that includes reasonable procedures to:

1. collect identifying information about customers opening an account
2. verify that the customers are who they say they are
3. maintain records of the information used to verify their identity
4. determine whether the customer appears on any list of suspected terrorists or terrorist organizations
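The screening and record-keeping steps above (verify, keep a record, check against a sanctions list) can be illustrated in code. This is an added example, not code from the original post or from 1SecureAudit; the list entries, names and threshold are constructed for illustration and are not real SDN data.

```python
"""Illustrative CIP screening: normalize a customer name, compare it against a
sanctions list including aliases, and keep a record of the screening outcome.
All list data below is constructed sample data, not OFAC's SDN list."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list: (uid, primary name, aliases). Not real SDN entries.
SAMPLE_SDN = [
    ("SDN-0001", "Example Trading Company Ltd", ["Example Trading Co."]),
    ("SDN-0002", "Jose Garcia Lopez", ["Jose Lopez Garcia", "J. Garcia-Lopez"]),
]
# Corporate suffixes and honorifics carry no identity signal; drop them.
STOPWORDS = {"ltd", "co", "company", "inc", "llc", "the", "mr", "mrs"}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop stopwords, and sort
    tokens so 'Garcia Lopez' and 'Lopez Garcia' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.casefold())
    return " ".join(sorted(t for t in tokens if t not in STOPWORDS))


def similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1] on the normalized forms (tolerates typos)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(customer_name: str, sdn=SAMPLE_SDN, threshold: float = 0.85):
    """Return (best_score, uid) when the best hit reaches the threshold,
    else (best_score, None). Every alias is screened, not just the primary name."""
    best_score, best_uid = 0.0, None
    for uid, primary, aliases in sdn:
        for candidate in [primary, *aliases]:
            score = similarity(customer_name, candidate)
            if score > best_score:
                best_score, best_uid = score, uid
    return (best_score, best_uid) if best_score >= threshold else (best_score, None)


def cip_record(customer_name: str, id_document: str, sdn=SAMPLE_SDN) -> dict:
    """Step 3 record: what was collected, how it was verified, and the
    screening result, so an auditor can reconstruct the decision later."""
    score, uid = screen(customer_name, sdn)
    return {"name": customer_name, "verified_with": id_document,
            "screened_against": "constructed sample list",
            "match_uid": uid, "match_score": round(score, 3),
            "disposition": "hold for review" if uid else "cleared"}
```

A hit only routes the account to review; the threshold and the disposition rules are the institution's own decisions.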

For more information on how you can tailor your compliance program for your institution, contact 1SecureAudit, who can provide you with:

> Compliance Policies & Procedures Customization

> Employee Training

> Due Diligence & Internal Investigations

> Automated Systems for SDN

> Independent Audits

> Anti-Money Laundering Compliance Programs

06 January 2005

Ops Risk for Tier II Institutions...

Operational Risk is not just for the big banking institutions any longer. The latest research from Financial Insights indicates that the ramifications of Basel II are impacting four key areas of U.S. financial institutions:

1. Integration difficulties. Although most large institutions have robust risk-management processes, there's much to be done to achieve Basel II compliance. Most risk processes and systems that are currently used grew up within the individual silos of particular business units. The systems aren't integrated and may have different data requirements and formats.

2. New competitive pressures. Even small banks that aren't required to comply with Basel II will face peer pressure, and they may need to comply anyway. If they don't comply, they'll be at a competitive disadvantage.

3. Consistent methodologies for different risks. Regulators require that different risks be treated the same. Institutions using the advanced internal-ratings-based approach for credit and market risk must also use the advanced-measurement approach for operational risk. This poses problems since credit and market risk are well-established practices in most firms, but operational risk is not.

4. Continuing presence of silos. Silos between business units and systems must be removed for effective risk management. This task is especially daunting for larger institutions, since there are more people and systems involved.

04 January 2005

What is your 2005 Corporate Resolution?

If you don't have one yet, consider this one:

A Model 2005 Operational Risk Resolution

The organization shall develop, implement, maintain and continually improve a documented risk management system. Identify a method of risk assessment that is suited to the organization's business information to be protected, regulatory requirements and corporate governance guidelines. Identify the assets and the owners of these assets. Identify the threats to those assets. Identify the vulnerabilities that might be exploited by the threats. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. Assess the risks. Identify and evaluate options for the treatment of risks. Select control objectives and controls for treatment of risks. Implement and operate the system. Monitor and review the system. Maintain and improve the system.

If you can agree with this, then you are already a candidate for implementing a management system and becoming a BS 7799-compliant organization.

For more info see: BSI Management Systems

03 January 2005

Tsunami Contingency Planning and Early Warning...

The latest catastrophic tsunami, the result of a huge undersea earthquake, reminds us of the need for effective contingency planning and preparedness. Warning signs and detection devices can only go so far in helping with the potential threats that our planet throws our way.

This article by Beldeu Singh compares the sequence of events and makes the point for a more effective early warning system.

Firstly, it is common knowledge that undersea earthquakes cause tsunamis and these waves can come ashore within minutes of nearby earthquakes. An undersea earthquake must have been picked up by some seismic center in the region but it failed to issue. This inaction exacerbated the death toll because most people in this region do not know what to do in the event of a "felt" earthquake in low-lying coastal areas. There was little or no preparation by the Governments in the region for catastrophic calamities caused by convulsions of nature, with the exception of incipient disaster relief systems more suitable for monsoon floods. Typical in Asian management culture is the lack of contingency planning or planning for the uncertain outcomes of events or worst-case scenario planning. Structured long-term models with comprehensive plans, strategies, systems, logistics and training are also not the norm. The management speaks more of tactical responses and reactions after the tragedy.

On a planet continually being challenged by all types of natural catastrophic events, there seems to be only one real way to mitigate the potential losses. Intelligence from early warning systems is only part of the answer. Emergency Preparedness and Response is the other proactive strategy for dealing with the risk of future threats of this magnitude from Mother Nature.

Beldeu compares this event to the Japanese attack on Pearl Harbor in 1941.

Half a century later, in spite of advances in seismic science and a vast network of modern communications supported by satellite technology, the world relives another day of infamy in the month of December that bears some semblance to the attack on Pearl Harbour. Only this time, it was not failure of collection or analysis of data but one of communication and proper response. In fact, the situation as it unfolded in the region devastated by the tsunami shows that there was no organized response to protect people from the impending impact of the tsunami.