29 April 2005

Managing Risk for Corporate Governance...

The financial enterprise today that understands the myriad of potential threats to its people, processes, systems and structures stands to be better equipped for sustained continuity. Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment or even an annual look at what has changed across the enterprise is opening the door for a Board of Directors worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated all together.

According to the best practices from several sources, the Board of Directors is responsible for the BCCM of an organization. Let’s take a look at what the highly influential Basel Committee says about one principle as it pertains to business continuity:

Review and Testing of Business Continuity Plans – Basel Principle 13

“It is the responsibility of the organization's Internal Audit and Business Continuity functions to ensure that all of the organization's business continuity plans are tested and reviewed on a periodic basis to spot incorrect assumptions, oversights or changes to equipment, and employees and to identify any changes in business requirements not reflected in specific plans. Any undocumented requirements must immediately be documented. In addition, appropriate information owners and users must be informed of updates to plans.”


The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

· Table-top testing: Discussing how business recovery arrangements would react by using example interruptions

· Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles

· Technical recovery testing: Testing to ensure information systems can be restored effectively

· Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location

· Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions

· Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions

The best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

The Basel Accord for large global money center institutions says you have to test all of your suppliers and their plans so that you don’t have any service interruptions. The question is how often is enough? When is the last time you knocked on the door of your Power Company, Phone Company, and Water Company and said I’m here to audit your BCCM plans. And in every country you operate critical information processing and personnel centers.

Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What it is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

27 April 2005

Terrorism Risk...

For a copy of the 2005 Aon Terrorism Risk Map Click here to visit their site. It has their risk ratings for every territory in the world.

The Teorrism Risk Map shows that participation in the US-led Iraq coalition has increased terrorism risk in countries such as Australia, Poland and Estonia. There is concern that Al-Qaida and other international terrorist organizations could take advantage of anti-western sentiment and launch terrorist attacks in these countries in future. Businesses which originate from these countries should also be aware of threats to their operations and personnel abroad as evidenced by incidents such as the terrorist attack on the Australian embassy in Indonesia, the recent bombing of a British theater and school in Qatar and the thwarted plot to blow up the Italian embassy in Lebanon.

"Terrorism is not a new threat and many international businesses have to date been rightly pre-occupied with the risks facing their operations in the Middle East, Africa and the Gulf. Although companies do need to be aware of the global picture, the 2005 map highlights the need for vigilance in so called 'safer' European countries," commented Paul Bassett, executive director in Aon's Crisis Management division.

"Companies must acquire as much knowledge as possible about the risks they face and their exposure to those risks in order to minimize the human and financial impact of such attacks. Businesses can then assess how best to allocate their expenditure on insurance and counter terrorism risk management procedures effectively," he added.


What does all of this mean? It means that now more than ever the insurance industry is going to look more closely at the risk of your people and property being in harms way. And if they are, then what is being done to mitigate those risks. It all comes down to what the insurance companies want from you as a client. To buy more insurance. If that is all you do, then you have missed several other strategic and tactical means for protecting your organizations vital assets.

25 April 2005

CEO's vs. Boards...

There is another interesting perspective in this months Corporate Board Member Magazine regarding the trust factor between the CEO and the Board of Directors.

It seems that there is still a major battle going on here with some companies but the question is why does it exist? More and more the shareholders are upset with performance and other key issues and they are putting the pressure on Directors to act. What is a shareholder to think when the annual shareholders meeting becomes a one-way conversation and the Q & A is herded into the last 15 minutes and there is no longer a live mic on the floor. If there are suspected hostile or threatening entities in the audience then security should do their duty and remove these individuals. However, when the executive management are clearly shutting down a meaningful open dialogue with the shareholders, then the Board of Directors should be questioned on their allegiance.

Of course there are many examples of where the Chairman of the Board is still the CEO and this is one topic for another date. What is interesting in the debate on the anxiety between the executives and the board these days is this:

After nearly three years of fallout from Sarbanes-Oxley, plus the frightening realization that directors may be held financially liable for their oversight failures, boards are no longer looking at their CEOs with wonder. In fact, they’re downright skeptical. “Trust in the CEO is not at the levels it used to be,” says Richard Koppes, a director of Apria Healthcare and Valeant Pharmaceuticals International. Adds Philip Burguieres, chairman emeritus of Weatherford International and a former CEO of Panhandle Eastern Corp. and Cameron Iron Works: “The element of trust seems to be gone. A few guys have done great harm.”

Obviously the vast majority of CEOs are trustworthy, but all have been slimed to some extent by the scandals of recent years. In 2003 a joint BusinessWeek/Harris Poll survey found that nearly 80% of Americans believed that CEOs of large companies put their own interests before those of workers and shareholders.

To say that boards don’t trust the CEO is not to say that they suspect dishonesty. If they did, turnover at the top of the corporate totem pole would be even higher than it is. Last year 663 CEOs decamped to other jobs, retired, or were fired, down from the high-water mark of 1,106 in 2000, according to Challenger Gray & Christmas, an outplacement firm that keeps track of these peregrinations. Rather, what boards fear is that their CEO isn’t leveling with them, that all information that directors receive about the company is filtered through the CEO’s ego.

When McKinsey & Co., a management consulting firm, surveyed 150 directors in 2004, 81% said that the CEO largely or completely controlled and shaped what board members learned about the company. Only 30% said they felt they really knew what was going on. Directors want to take more control of the information they are getting, and that’s a direct challenge to the CEO’s power.


The risks facing organizations today go way beyond the typical issues you hear about in the Board of Directors meeting or the Audit committee conference calls. The risk of a systemic failure of the corporation is at it's roots a failure of the way information is collected, processed and delivered. Think about the simple process of sales forecasting and you begin to see where the root problem is. At each step of the roll-up and the chain of management there is another layer of guess work and sanitization. If a Board member ever got the chance to ride in the field with a seasoned sales rep and also attend a district sales meeting during a pipeline analysis then they would begin to understand why the CEO is guarding the "Corporate Fort" at all costs.

21 April 2005

Here is How to Protect Your Organization...

Rob Norton's cover story on Risk is a great primer to what corporate executives and board members around the globe have known for some time.

Crooked managers. Changing technology. Financial surprises. Who knows what company-killers lie ahead? Here’s how directors can protect themselves.

No single four-letter word is more likely to raise a board’s collective blood pressure these days than risk. The recent parade of corporate scandals can be blamed in part on a lack of effective systems to recognize and manage risk—not just insurance matters but broad operational and financial hazards to the enterprise. Now risk management has risen to the top of the agenda for many directors. Often the job falls under the authority of the audit committee, but some U.S. boards, including that of MCI (formerly WorldCom), have appointed special risk management committees. The boards of several European and Canadian companies have adopted formal processes aimed at alerting directors to the extent to which the outfits are exposed to risk and how it is managed.

The risks that blew up in the faces of boards at companies such as WorldCom, Enron, and Parmalat all come under the general category of operational risk, broadly defined as the danger of loss resulting from inadequate or failed internal processes, people, or systems, or from external events. These can include:

• Unscrupulous managers.
• Business interruptions caused by terrorism, war, or natural disaster.
• Supply-chain breakdowns.
• Changing technology.
• Increased competition.


Fortunately, the article mentions "Supply Chain Risk" as an area that needs more scrutiny as companies continue to increase offshoring and outsourcing to gain competitive advantages. This area of Operational Risk is a growing concern by not only shareholders, but the plaintiffs who follow the aftermath of Eliot Spitzer's investigations.

A significant business disruption (SBD) will occur at your organization each day, week, and month this year. The question remains that of what you are already doing to manage these inevitable incidents. We suggest a "4D" approach:

Deter

Detect

Defend

Document


This "4D" Managed Services approach to managing Operational Risk provides the initial framework for creating a strategic enterprise risk management (ERM) initiative in the organization. Each area has it's own tools, systems and processes yet each is connected to the Risk Nervous System via the 1SecureAudit Operational Risk Enterprise Architecture. (OREA)

OREA utilizes a proven and systematic approach for risk assessment, data capture, risk treatment and reporting. To facilitate efforts to transform the organization into one that has lower volatility of earnings growth and is more secure, 1SecureAudit co-designs the Operational Risk Enterprise Architecture (OREA), a business-based framework for organizational-wide improvement.

People
· Employee Fraud / Malice
· Unauthorized Activity
· Rogue Trading
· Employee Misdeed
· Employment Law
· Loss/lack of personnel

Processes
· Payment / Settlement
· Delivery / Selling
· Documentation / Contract
· Valuation / Pricing
· Internal / External Reporting
· Compliance

Systems
· Technology Investment
· Development
· Access
· Capacity
· Failures
· Security Breach

External
· Legal Liability
· Criminal Activities
· Outsourcing
· Suppliers / Insourcing
· Disasters / Infrastructure
· Regulatory / Political

OREA is constructed through a collection of interrelated “reference meta models” designed to facilitate cross-lines of business analysis and the identification of duplicative processes, departments, gaps, and opportunities for collaboration within and across lines of business (LOB). This OREA and Business Reference Model is intended for use in analyzing investments in Operational Risk projects and other capital assets. It also serves as a foundation for the development of a broader architecture that can serve as the platform for a comprehensive budget and performance reporting system that supports enterprise wide business risk integration and change management initiatives.

20 April 2005

VoIP, WiMAX: Business Resilience

What about the risks of VoIP? In case you haven't seen a presentation from Lucent Technologies recently, you should.

As a witness to their latest presentation in Washington, DC on "How Next Generation Networks Can Impact Business Resilience", there are some very interesting trends and capabilities here now and on the horizon worth exploring.

The Lucent approach to VoIP security is largely based on standards, many of which Lucent and its "innovation engine," Bell Labs, have helped to develop and shape. For instance, the International Organization for Standardization offers ISO 17799,which provides recommendations for information security management and provides a common basis for developing organizational security standards and effective security management practices. Similarly, the International Telecommunications Union's X.805 standard defines a security architecture for systems providing end-to-end communications.And NRIC,the Network Reliability and Interoperability Council, provides best practices guidance in a number of areas that relate to VoIP operations.

Lucent, with its unmatched telecom heritage and broad experience can be a partner in helping develop actionable plans and in implementing successful VoIP security programs based on these standards. Lucent's best practices include security policies that outline expected behavior and security awareness of users, administrators, managers and other employees as well as security assessments to pinpoint security gaps, and to determine what is happening in practice rather than simply what may be documented in policies.


You have to keep in mind who Lucent's customer base really is. The Regional Bell Operating Companies (RBOC), MCI, AT&T as well as all of the major wireless providers make up the majority of their client base. They will have advance notice of what providers are launching new technologies when, and they will have plenty of non-disclosure about who they think is the best vendor. It sure is refreshing to talk with a company who is all about capability and soundness of technologies. How the provider ends of servicing the customer is another topic.

On another front, they predict that by 2008 about 60% of laptops will be shipping with WiMAX.

The WiMAX Forum™ is working to facilitate the deployment of broadband wireless networks based on the IEEE 802.16 standard by helping to ensure the compatibility and inter-operability of broadband wireless access equipment. The organization is a nonprofit association formed in June of 2001by equipment and component suppliers to promote the adoption of IEEE 802.16 compliant equipment by operators of broadband wireless access systems.

Principles:
WiMAX Forum is comprised of industry leaders who are committed to the open interoperability of all products used for broadband wireless access.

Support IEEE 802.16 standard
1. Propose and promote access profiles for their IEEE 802.16 standard
2. Certify interoperability levels both in network and the cell
3. Achieve global acceptance
4. Promote use of broadband wireless access overall

18 April 2005

The Risk Barometer...

The Risk Barometer may be changing if this latest survey is correct:

The most significant issues facing business today, according to respondents to the first Risk Barometer survey, are reputational risk (defined as the threat of any event that can damage a company's reputation) and regulatory risk (defined as problems caused by new or existing regulations). These two risk categories received the highest scores in the Risk Barometer, indicating that they are seen as more significant issues than market risk, foreign exchange risk and country risk by the majority of executives in the survey. The third most significant threat cited by executives is IT network risk, which encompasses network security breaches and IT systems failure.


The natural hazards category is decreasing as a priority in the eyes of these risk managers predominately from the financial services sector as this is being covered primarily by insurance. Also, the frequency of events is a factor here. Reputation and Regulatory Risk are both areas that need attention in the enterprise and managers are finding it more challenging to put the correct controls and measures in place to mitigate these two growing threats to the organization.

15 April 2005

Where is Your Courage Today?

Fear is a paralyzing condition. What sometimes can paralyze some people, often motivates others. Think about it. What are you afraid of? When was the last time you felt so paralyzed with fear that you either couldn't move or it pumped you up so much that the adrenaline took over and made you do things that you never thought were possible.

Where is your courage today? Hiding out for the day it seems safe? You are going to be waiting a long time. There is no such time or space where it is safe. In the board room or on your battle field, the world is looking for leaders and people with courage. Often times the answer is action, regardless of the threat. This in itself is a sign to show your foe that you are aware of the threat and will not only respond, but retaliate.

It takes courage to pursue the unpopular agenda. Whether it is to save lives, save investors, or save precious physical or digital assets, the game is the same. Those who decide to do nothing in the face of an obvious threat have nothing but paralysis. Those who decide to do something dig deep to find the purpose and justification for their actions. Once you find courage, it's very hard to turn the other way. Paralysis becomes so foreign that whenever you feel even a little unresponsive, you compensate the other direction almost by instinct.

If you spend enough time around courageous people it starts to rub off on you. If you still don't have the bug, then you must not be surrounding yourself with those who can take fear by storm. What are you afraid of?

As Steve Farber would say, you need some more OS!M's....

Once you have enough of these to know that you won't freeze, then you are well on your way to really making a difference on this rock. If you are not there yet, then now is a good time to start speeding up your OS!M's.

14 April 2005

Enterprise Security Risk Management (ESRM)

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting information security issues:

1. Is your security policy enforced fairly, consistently and legally across the enterprise.

2. Would our employees, contractors and partners know if a security violation was being committed?

3. Would they know what to do about it if they did recognize a security violation?


In today’s wired world, threats to the information infrastructure of a company or government agency are not static, one time events. With new viruses, vulnerabilities, and digital attack tools widely available for download, a “complete information security solution” in place today can easily become incomplete tomorrow. As a result, a security architecture solution must be flexible, and dynamic.

Presently, news of digital-threat events tends to spread through the computer security world in a “grapevine” manner. Threat information is obtained from websites, e-mail listservs and countless other informal sources. This haphazard system is incomplete, and therefore raises concern when evaluating the damaging, costly effects of an aggressive, systematic digital attack.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles. To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape. Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs. Awareness and the ability to make informed decisions are critical.

In short, as the electronic economy plays an increasing role in the private and public sectors, organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity. Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors. This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business disruption). Furthermore, the cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on integrated systems.

Highlights of the 2004 Computer Crime and Security Survey include the following:

-- Overall financial losses totaled from 494 survey respondents were $141,496,560. This is down significantly from 530 respondents reporting $201,797,340 last year.

In a shift from previous years, the most expensive computer crime was denial of service. Theft of intellectual property, the prior leading category, was the second most expensive last year.

Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security.


How is an organization going to quickly and effectively address what we call ESRM? If you go to "Google" and query "Enterprise Security Risk Management", you'll find one company at the top of the list and for good reason.

The Consul W7 Methodology is on the right track with an approach to ESRM that is gaining traction in the market place.

The W7 Methodology
Security data (logs, syslogs, SNMPs, NetBios, etc.) from the entire enterprise are consolidated and normalized through Consul's patent-pending W7 methodology whereby Who, did What, When, Where, Where from, Where to and on What is determined based on deep knowledge of the operating system matched to the information in security alerts and log files. Through best-practice and customizable policy templates, only the essential events are processed to provide urgent, relevant and actionable information. The W7 methodology underpins the way InSight normalizes and correlates the data and is the language spoken by the Policy Generator to filter out the relevant data.


Today, ISO17799 is one of the most widely recognized information security standards in the world. ISO17799 defines a management structure and process within the organization that allows it to

* Identify genuine risks to the organization’s computing environment
* Establish a level of risk tolerance
* Select appropriate control measure to mitigate risk
* Manage incidents, events, and security breaches, and
* Manage risk in a constantly changing environment

The ISO17799 standard is appropriate for a wide variety of organizations. The standards are written in an open framework that could be applied as easily to a bank as to a hospital, university, e-retailer, non-profit charitable organization, or government.

Consul InSight™ enables ISO17799 compliance by monitoring “who” touches “what” information, monitoring security events and archiving all relevant log information. In this module, the best-practice recommendations of ISO17799 are embedded into the reports, policy and classification templates to facilitate compliance.

The ISO17799 Compliance Management Module Comes complete with an:

* ISO17799 Compliance Dashboard
* ISO17799 Report Center
* ISO17799 Policy Template
* ISO17799 Classification Template
* ISO17799 Resource Center


Your goal is to provide the organization with the following Information Security value propositions:

1. A System with Best Practices to Establish, Implement and Monitor Compliance

2. Early Warning & Awareness for the Entire Enterprise

3. Relevant Decision Support

4. Trusted Threat Information/Analysis

5. Actionable Threat Countermeasures

And remember, a Single Enterprise Security Risk Management System will not solve the operational risk problem without the right processes and the people to implement such a solution.

12 April 2005

CFO's vs. SOX 404...

The battle lines are heating up as more and more companies delay their reports on performance. The lines are being drawn in the sand over whether the SOX 404 compliance mandates are just too much for some finance and IT departments to handle. And the CFO Executive Board is shouting that this Sarbanes-Oxley Act is the reason we are losing jobs.

Candice S. Miller is now in the hot seat as the Republican from Michigan becomes the new chair of the House Government Reform subcommittee on regulatory affairs. Her first agenda item is the impact of regulation on US manufacturing. The CFO's in America are waving the white flag as they pretend to be drowning in regulatory compliance issues. The question now is whether all of this hard work on SOX 404 and other laws will ultimatley benefit corporate America. The answer is yes.

In the long run not only will the investor's win, so to will the executives who have devoted so much time and energy into regulatory and legal compliance. As stewards of the enterprise and overseers of their own corporate sandbox, they will soon realize the investment in their own organization has been a prudent one.

For more on the CFO Point of View, see this proprietary report by the CFO Executive Board.

The report includes the predictions of a proprietary model the CFO Executive Board built to estimate the impact of Section 404 compliance activities on the US economy.

A key finding reveals that unless senior corporate executives take extraordinary measures to ensure that Section 404 compliance efforts do not crowd out key managerial activities and R&D investments, these requirements threaten both economic growth and job creation. More specifically, the report concludes that Section 404, as implemented, could retard job creation by more than 300,000 jobs and slow GDP growth by nearly 0.5 percent during the next three years.

"When you consider that Sarbanes-Oxley was drafted in only a few months, it's not surprising that companies have experienced serious, unexpected problems and high costs in complying with these new requirements," says Scott Bohannon, executive director of the CFO Executive Board

Of course, not all the news is bad.

08 April 2005

Terrorism Risk Management

In light of the fact that the insurance industry is still immature in their models due to a lack of actuarial data the real estate financiers are considering alternative approaches to risk mitigation and management. For example, tools for the assessment of terrorism vulnerabilities exist today that could be introduced into the cycle of due diligence. As these tools are adopted to assess and help reduce the risk of unknown man-made events, the lenders and the insurers will converge on these new models to help rate structures and critical infrastructure in terms of their exposure to terrorism risk.

Due diligence requires detailed property inspections and audits to provide sound advice to key decision makers on the state of a real estate property. Vulnerability to terrorist attack will become, if it isn’t already, a critical component of due diligence. The individuals and firms that provide these solutions must be multi-faceted in operations, security and building systems in order to provide a comprehensive and fair report. This assessment should include the operational procedures and hazard mitigation programs of the building to determine the overall vulnerability to a combination of both natural and man-made events.

Asset Identification & Valuation
Priorities for protecting both physical and information assets is obtained through a comprehensive process for enterprise risk management. You must identify the relative importance and value of assets whether they are people, processes, systems or facilities. Three primary actions must take place:

1. Identification and Definition of core business processes to sustain the organization in business (sales, customer service, accounting)

2. Identification of critical business infrastructure assets such as:
o Personnel to run the functions and facilities
o Information systems and data
o Life safety systems and safe havens
o Security systems

3. Assign a relative protection priority
o High – Loss or damage would have grave consequences for extended time
o Medium – Loss or damage would have serious consequences for a moderate time
o Low – Loss or damage would have minor consequences for a short period of time

Threat Assessment
Once this is completed a thorough threat assessment must take place. This is a continuous process of information gathering, analysis and testing. There are five key elements associated with threat profiles definition and analysis factors:

1. Existence – who or what are hostile to the assets
2. Capability – who or what weapons or means have been used in the past
3. History – what and how often has this occurred in the past
4. Intention – what outcomes or goals does the threat agent hope to achieve
5. Targeting – what is the likelihood that surveillance is being performed on the assets


Next a set of Event Profiles for the threat scenarios must be created. These detailed profiles describe the mode, duration and extent of an incident event as well as mitigating or exacerbating conditions that may exist.

The output of the threat assessment is the determination of threat rating to each hazard and to each asset in the priorities for protection. Assigning a threat rating could be as easy as using high, medium and low as long as you have specifically defined what each one is and also with the use of expert judgment.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount. CxO’s in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises. Now that threats to government and business operations are becoming more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

06 April 2005

Operational Risk: BPO Relationships...

Researchers at the McCombs School of Business are working on empirical studies ("Global Sourcing and Value Chain Unbundling", "An Empirical Analysis of Information Processing Requirements in BPO Relationships") that investigate key decision variables in the choice of BPO relationship structure and form. They argue that the primary questions that managers must address to design and effectively manage a BPO relationship include the following:

1. What are the unique operational risks and challenges associated with outsourcing a particular business process? What demands does the outsourced process place on agent capabilities?

2. What governance model will help the firm address these challenges and architect a sustainable relationship that meets its outsourcing objectives?




If you are like most organizations you rely on a portfolio of 3rd parties to supply you with products, services and labor. These supply chain relationships are a key aspect of effective risk mitigation in your enterprise. Here are a few BS 7799 controls to consider:

Section:10.5.5 Outsourced Software Development
Description: Where software development is outsourced, the following points should be considered:
a. licensing arrangements, code ownership and intellectual property rights (see 12.1.2);
b. certification of the quality and accuracy of the work carried out;
c. escrow arrangements in the event of failure of the third party;
d. rights of access for audit of the quality and accuracy of work done;
e. contractual requirements for quality of code;f. testing before installation to detect Trojan code.

Section:11.1.2 Business Continuity and Impact Analysis
Description:
Business continuity should begin by identifying events that can cause interruptions to business processes, including suppliers, e.g. equipment failure, flood and fire. This should be followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). Both of these activities should be carried out with full involvement from owners of business resources and processes. This assessment considers all business processes, and is not limited to the information processing facilities.Depending on the results of the risk assessment, a strategy plan should be developed to determine the overall approach to business continuity. Once this plan has been created, it should be endorsed by management.

Section:12.1 Compliance with Legal Requirements
Description:
Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.Advice on specific legal requirements should be sought from the organization’s legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and for information created in one country that is transmitted to another country (i.e. trans-border data flow).

Strategic Impact: An important concept that binds the above process attributes is the strategic impact of the outsourced process. It is likely that a strategically important business process shares strong interdependencies with other business processes in the firm and is marked by relatively higher volatility and specificity. A process of strategic importance enables the company to provide a "fundamental customer benefit" and make a contribution to perceived customer value. Such processes in the firm are substantially superior to those of competitors and help the firm create new products, services and process improvements in the future. The risks associated with such information- and knowledge-intensive business processes include information poaching and loss of competitive advantage. This is especially pronounced if the provider services other clients in the same business domain as the outsourcing firm.

04 April 2005

US National Preparedness: TOPOFF 3

Now that DHS has reemphasized the need for the National Preparedness Goal in the U.S., it must be time for the TOPOFF-3 exercise.

The U.S. Department of Homeland Security announced April 1 2005 the publication of the Interim National Preparedness Goal (“Goal”). The Goal will guide federal departments and agencies, state, territorial, local and tribal officials, the private sector, non-government organizations and the public in determining how to most effectively and efficiently strengthen preparedness for terrorist attacks, major disasters, and other emergencies.

“In our complex free society, there is no perfect solution to address every security concern,” said Secretary of Homeland Security Michael Chertoff. “But by working together collectively to analyze threats, understand our capabilities, and apply resources intelligently, we can manage risk. The National Preparedness Goal will help us meet this objective.”


The Top Officials exercise (TOPOFF) will be comprised of local, state and national personnel estimated at around 10,000 people. The price around $16M. will produce real-time scenarios in New Jersey and Connecticut. One will be a biohazard and the other a chemical related incident.

The drills will be monitored by top U.S. Homeland Security officials from a command center in Washington, as well as regional centers in New Jersey and Connecticut.

Although no real weapons or bio-agents will be used, officials will respond as if it's the real thing: flooding the area with investigators and first responders in haz-mat suits, dispatching fleets of ambulances to hospitals across the state, and dealing with throngs of "victims" piling up outside emergency rooms.


The lessons learned will be many. The large businesses in the areas of the drill will soon realize that "Shelter-in-Place" may be a reality soon and should take this time to practice themselves. Remember, it may be hours or days before you can leave your office safely. Now is the time to replenish your supplies, food, water and emergency first aid kits.

Do you think you're spending too much time with your team planning? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

01 April 2005

Is Today April Fools Day?

Now that Corillian is merging with InteliData you can be assured that more banks will see their sales reps. They have also recently partnered with Quova to assist in a more comprehensive and integrated offering for anti-phishing solutions.

As banks continue to try and tackle the ID Theft and Phishing threats to operations, the technology is only a part of the puzzle.

The strategy for monitoring, detection and enforcement must be mult-faceted and involve a combination of technologies. More importantly, you must do as Microsoft has done to find out who is behind these crimes. Let's assume you have very deep pockets.

Microsoft has filed 117 civil lawsuits against alleged phishers trying to scam Microsoft customers out of personal information such as credit card numbers.

The lawsuits, filed in Washington, identify large-scale scam operations and seek damages from so-called phishing operations. Phishers typically send out spam e-mail, made to look like official e-mail from a real e-commerce company, asking recipients to click on a link and update their personal information. The link takes consumers to a website that mimics the look of the real company, but collects personal information for ID thieves to use.

The new lawsuits - Microsoft has previously gone after two other phishing schemes - target unnamed defendants who sent spam e-mail and put up websites targeting Microsoft services such as MSN and Hotmail.

Through them, Microsoft will issue subpoenas and attempt to uncover the names of the people behind them, as well as identify support operations such as Web hosting services and mass e-mail services, said Microsoft lawyer Aaron Kornblum.



Is today April Fools Day? Forget about Phishing. It's time to worry about Pharming.