30 November 2005

Enterprise Security Risk Convergence: The Wave of the Future...

Savvy CIOs and CSOs recognize that new threats and soaring costs are the two factors driving the convergence, or integration, of traditional and information security functions in a growing number of global companies. The business demand for security professionals who can examine and assess the risks an organization faces as a whole is another driving force behind the convergence phenomenon. Operational risks span the continuum from the physical to the digital environment in our enterprise ecosystems.

The focus on security from an enterprise perspective has led to innovative approaches that emphasize integration; specifically, the integration of the risk side of the business into the strategic planning side in a consistent and holistic manner. Strategic convergence and change management solutions ensure that the integrated functions within the organization actually work together. Meeting this growing need enables the organization to effectively deter, detect, defend and document both physical disruptions and information security incidents.


Enterprise Security Risk Convergence initiatives are underway in many global organizations today, and for good reason. For too long, the silos of information in the physical "guards, gates and guns" world were not on an IP network. Those days are over. The Siemens, Tycos and Honeywells, along with the other physical security juggernauts, have figured out that they need information security software and hardware to provide totally "converged" solutions for their clients. Integrating the information-based assets in embedded systems with the databases of INFOSEC operations can now provide the holistic view of risk that the enterprise has been thirsty for. Yet this battle is only starting to heat up.

Prepare your organization for the day when the efficiencies and effectiveness to be gained from consolidating redundant safety and security responsibilities become a new agenda topic at the next executive retreat. Strategic Security Convergence is the "Operational Risk Management" wave of the future. How these converged entities are forming, and how they will arrive at a single focal point, is based on what they both have in common: information-based assets.

And when it comes to establishing a single risk management system focused on information, there is only one international standard. ISO 27001:2005 is the specification, with its Annex A controls and guidance, that will assist in the rapid convergence of these seemingly different security domains. Once physical security management realizes that its budgets are going to be combined with the information security budgets, the feathers and fur will begin to fly in the halls of corporate headquarters around the globe. In the end, the winners will be those organizations that realized that all the guards, gates, firewalls and intrusion prevention systems are nothing more than tools. What they support is the successful implementation of a risk management system focused on information, the single asset that both security organizations have in common.

28 November 2005

Operational Continuity: Top Ten

As your Board of Directors meeting agenda is prepared for your next conference call, Operational Continuity should be near the top of the list of priorities. The risk of a significant business disruption is increasing, and shareholders are increasingly asking for additional oversight by boards to make sure that executive management is on top of Operational Risk Management issues.

Here is a top ten list for your board to consider. If you can answer "Yes" to all ten items, then you are well on your way to a high level of Operational Continuity in your organization:


1. The Board of Directors reviews and approves company-wide contingency plans annually.

2. Formal documented guidelines, policies and procedures exist for the development and maintenance of Business Continuity/Disaster Recovery, Emergency Response (evacuation and life safety) and Crisis Management (public relations and communications) plans.

3. An Operational Risk Assessment that categorizes potential threats (internal and external) has been performed on all corporate facilities, covering both information technology and work areas.

4. There is a current (updated annually) Business Impact Analysis that determines recovery time objectives (the target time within which each critical business function must be restored, set inside the maximum tolerable period of disruption) and the existing resources supporting each function.

5. Recovery strategies exist for the resumption of critical business processes and support services.

6. The Operational Continuity Plan and the recovery efforts are driven by the business requirements established in the Business Impact Analysis.

7. A Gap Analysis has been performed to identify the differences between the Business Impact Analysis (business requirements) and the current environment.

8. Business recovery strategies have been developed for all essential business functions.

9. Manual workarounds exist for processes that must continue in the absence of automated systems.

10. Business Continuity and Disaster Recovery plans are exercised and tested at least twice a year (bi-annually).


If you answered "No" or "Don't Know" to any of these ten, then your organization is exposed to a myriad of threats, including shareholder legal action. Catastrophic losses caused by natural disasters such as hurricanes, earthquakes, flooding, drought, tornadoes, fires and winter storms, or by man-made events such as terrorist acts, are tragic and complicated, taking an awful toll in human lives and resulting in insurance claims that run into the millions or billions of dollars and, often, in litigation.

24 November 2005

Avian Flu: What are the Risks?

Avian influenza, or bird flu, is a contagious viral disease caused by certain types of influenza viruses that occur naturally among birds. Usually, these viruses do not infect humans, but several cases of human infection with bird flu viruses have been reported recently.

Why could this become an operational risk for your organization? Currently these viruses are circulating in bird populations in Asia and have resulted in severe illness and death in humans. Since the recent outbreaks of this strain began in 2004, more than 120 people have been confirmed as infected and more than 60 have died. Most human cases are thought to have occurred through contact with infected poultry or contaminated surfaces. However, some scientists worry that if the virus were to mutate so that it could both infect people and spread easily from person to person in a sustained fashion, a global "influenza pandemic" (a worldwide outbreak of the disease) could begin.

This WHO Avian Flu Fact Sheet can provide some of the answers about the disease.

21 November 2005

Simulation & Analysis: COOP on Steroids...

All of the planning tools that have automated the process of developing BCCM and COOP documentation address only a small piece of the total mosaic of operational risk management. There is, however, a new "kid" on the block that is worth keeping your eye on, because they have created tools for doing critical simulation and analysis of the impact of significant business disruptions on our critical infrastructures.

FortiusOne’s target market encompasses both the public and private sector. The former includes federal, state, local and international segments, with primary emphasis on Homeland Security, National Defense, Intelligence and Emergency Management for critical infrastructure vulnerability assessments and consequence management. FortiusOne’s private sector market addresses risk analysis for the Banking/Financial Services, Transportation, Energy, Telecommunications, Insurance and general Supply Chain segments, with primary emphasis on business continuity planning, business optimization and disaster recovery. Market size exceeds $40B and is trending upward in both public and private sectors. Recent events and consequences related to hurricane Katrina, terrorist threats and attacks, and corporate management/mis-management events have created intense interest in FortiusOne’s products and services. The company’s revenue model for both public and private sectors includes fixed-price product pricing for basic assessments, with additional high-value consultation for detailed analysis of specific client-defined scenarios.


While we have every confidence that there is a market for tools like these, the largest challenge still remains: human factors.

All of the scenario planning and simulation is important for creating new contingency procedures or applying new methods to mitigate the impact of such scenarios. However, the human factors are, and will remain, unknown until you actually exercise and effectively test that scenario. Only testing will tell you what people did or didn't do, or why they reacted the way they did. The psychological and physiological unknowns are what throw the planners and simulation operators for a loop every time.

We hope that FortiusOne also gives its clients the insight they require to create the most realistic and optimal tests, to determine what the real outcomes will look like before and after a natural disaster or terrorist event.


17 November 2005

ISO 27001 : Information Security Management...

What Is ISO 27001?

ISO/IEC 27001:2005, titled "Information security management systems - Requirements", is the replacement for BS 7799-2 (whose title was "Specification with guidance for use"). It is intended to provide the foundation for third-party audit and certification, and is harmonized with other management system standards such as ISO 9001 and ISO 14001.

The basic objective of the standard is to help establish and maintain an effective information security management system, using a continual improvement (Plan-Do-Check-Act) approach. It implements the OECD (Organisation for Economic Co-operation and Development) principles governing the security of information systems and networks.


This particular standard defines and specifies an "Information Security Management System", known as an ISMS. It complements the existing ISO 17799 code of practice (the catalogue of controls from which Annex A of ISO 27001 is drawn), and specifies a general framework for the creation and maintenance of the security process within an organization.

These two standards (ISO 17799 and ISO 27001) are closely related, and although their scope is wide, they have very distinct roles.

ISO 27001 defines the overall requirements for the security management system itself, the focus being on management. It is this standard, rather than ISO 17799, against which certification is offered. It was based on the earlier standard BS 7799-2, but has been more closely aligned with the other management system standards.

11 November 2005

Strategic Organizational Resilience & Survivability...

According to best practices from several sources, the Board of Directors is responsible for the "Strategic Resilience and Survivability" of an organization. Let’s take a look at what the highly influential Basel Committee says about one principle as it pertains to Business Crisis and Continuity Management (BCCM):

Review and Testing of Business Continuity Plans – Basel Principle 13

“It is the responsibility of the organization's Internal Audit and Business Continuity functions to ensure that all of the organization's business continuity plans are tested and reviewed on a periodic basis to spot incorrect assumptions, oversights or changes to equipment, and employees and to identify any changes in business requirements not reflected in specific plans. Any undocumented requirements must immediately be documented. In addition, appropriate information owners and users must be informed of updates to plans.”


The Basel Accord, for the large global money center institutions, says you have to test all of your suppliers and their plans so that you don’t have any service interruptions. The question is: how often is enough? When was the last time you knocked on the door of your power company, phone company and water company and said, "I’m here to audit your BCCM plans"? And did you do it in every country where you operate critical information processing and personnel centers?

Having survived several large quakes in Southern California in years past, I’m not sure that all of the testing in the world can prepare people for the human behaviors that come from within. People lose all common sense when they are on the 42nd floor of a 50-plus-story skyscraper and, without any warning, it physically sways a couple of feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself; it’s how to create a scenario real enough that you get similar behaviors out of unsuspecting people.

Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and twister scenarios. These large catastrophic external loss events have been insured against, and the premiums are substantial. What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
· Public perception
· Unethical dealings
· Regulatory or civil action
· Failure to respond to market changes
· Failure to control industrial espionage
· Failure to take account of widespread disease or illness among the workforce
· Fraud
· Exploitation of third-party suppliers
· Failure to establish a positive culture
· Failure in the post-employment process to quarantine information assets upon termination of employees

Frankly, corporate directors have their hands full managing risk and continuity on behalf of the shareholders. The risk management process will one day have as big an impact on the enterprise as the other key functions, because shareholders will be asking more questions about the changing landscape of managing risk as part of corporate governance.

In summation, the following six factors are the critical aspects of effective and strategic organizational resilience and survivability:

1. Business continuity planning will be conducted on an enterprise-wide basis 24/7.
2. A thorough and continuous business impact analysis and risk assessment is the foundation of an effective BCCM.
3. Business continuity planning is more than the recovery of the technology; it is the recovery of the business.
4. The effectiveness of a BCCM can only be validated through continuous and thorough testing.
5. The BCCM and test results will be subjected to continuous independent audit.
6. A BCCM will be continuously updated to reflect and respond to changes in the organization.

09 November 2005

The Risk of 4GW: It's Here to Stay...

In today's OSAC 20th Annual Briefing at the U.S. State Department's Bureau of Diplomatic Security we witnessed some excellent briefs from corporate CSOs and keynotes from Sandy Weill, Chairman of the Board of Citigroup, and Dr. Condoleezza Rice, U.S. Secretary of State.

All shared the theme of the day: the valuable and lasting public-private partnership established twenty years ago by former U.S. Secretary of State George P. Shultz. There was much talk of the current risk of Fourth Generation Warfare (4GW), the same method of guerrilla warfare described in The Sling and the Stone. In the middle of the presentations, many of our PDAs and phones began vibrating and buzzing. Within a few minutes, the podium was announcing the latest attack on our own corporate assets, in the capital of Jordan.

At least 57 people were killed and more than 100 injured when suicide bombers blew themselves up at three hotels in Amman, the capital of Jordan.

The hotels were popular with foreigners and many of the guests were involved in work in Iraq. The attacks destroyed the fragile calm that Jordan has enjoyed despite its proximity to Iraq and the support of its ruler, King Abdullah, for American and British policy in Iraq.

Major Bashir al-Da'aja, a police spokesman, said: "There were three terrorist attacks on the Grand Hyatt, Radisson SAS and Days Inn hotels and it is believed that the blasts were suicide bombings." Said Darwazeh, the health minister, said there were more than 50 dead but the toll could rise.


The Overseas Security Advisory Council (OSAC) now counts over 3,000 U.S. companies, educational institutions, religious groups and non-governmental organizations as members, known as constituents. Although OSAC is rarely in the limelight, the ways in which it helps American businesses fight terrorism abroad are unparalleled.

Is that a "Predator" taking off?

Mission

The MQ-1 Predator is a medium-altitude, long-endurance, remotely piloted aircraft. The MQ-1's primary mission is interdiction and conducting armed reconnaissance against critical, perishable targets. The MQ-1 Predator carries the Multi-spectral Targeting System with inherent AGM-114 Hellfire missile targeting capability and integrates electro-optical, infrared, laser designator and laser illuminator into a single sensor package. The aircraft can employ two laser-guided Hellfire anti-tank missiles with the MTS ball.


Tomorrow, on the second day of the OSAC briefing, the room will be missing many of the constituent members as they begin their investigations and deploy new resources in the pursuit of justice.

06 November 2005

The Risk of A Blueprint For Action: Heroes Yet Undiscovered...

I finished Tom Barnett's new book on the airplane last night. What an inspiring read and journey it was. And now the journey begins to find the "heroes yet undiscovered". What the author means is this: along the path through an uncertain new worldview, we are going to encounter people who are heroes in the implementation of the bold concepts described in this important book. Mr. Barnett gives us a few descriptions of whom to look out for:

· The four-star military police general
· Japan's first combat casualty since World War II
· The "Martin Luther King" of Islamic Europe
· The "Serpico" who blows the lid off human rights abuses in the global war on terrorism
· China's "JFK"
· India's "Bill Gates"
· The first female leader of an Arab state


His unreasonable ideas, which at first sound far-fetched, are so by design, to make us think more deeply about the impact of globalization and the future. In fact, they are upon us today.

"All things being equal, no one chooses the informal economy over the formal economy. Because the efficiency and security of the latter are undeniably a better deal." Page 262

"In the end, the Gap (non-core countries outside the G-20) is plagued not so much by bad governments as by simply the lack of good ones. Our goal in shrinking the Gap must entail, therefore, increasing the number of good governments there, governments that extend the rule of law, develop the human capital of all citizens (and especially that of young females), and ---most specifically---foster entrepreneurial opportunities by recognizing property rights and expanding contract case law." Page 262


The real risk of "A Blueprint For Action" is that our world leaders don't converge on this remarkable book and discuss it over their next dinner together. If they do, then we will be on our way to a future worth creating.

01 November 2005

Online Pharmaceutical Counterfeiting: The Digital Threat...

Pharma and healthcare companies all over the globe are working hard to identify counterfeit drugs and to put these criminals out of business. This operational risk strategy saves countless lives each year. The first article in a series on counterfeiting at CSO Online misses a key focus: the Internet channel of distribution. In order to pursue this growing threat, organizations must consider the use of real professionals to deter, detect, defend and document effectively, so as to have a comprehensive anti-counterfeiting program.

The continuing growth of the Internet provides counterfeiters with ready access to unsuspecting consumers. Since goods purchased via the Internet are normally delivered through the conventional mail system, they frequently bypass national regulations for the distribution of controlled goods.

The use of intelligent Internet surveillance with proprietary software enables the detection of illicit distribution, trademark abuse, objectionable association and counterfeit activities, which can then be countered in a highly focused manner.

Authentix identifies client products on sale from suspected counterfeit sources, retrieves them anonymously and tests them for authenticity. In cases of minor misdemeanors they issue cease-and-desist letters for clients and monitor compliance. Where counterfeit or diverted product is retrieved, they support their clients through legal remediation by maintaining a documented chain of evidence.


All of the forensic markers and post-testing due diligence will not stem the tide of bogus pharma web sites selling counterfeit drugs. An effective corporate risk intelligence process combines both the low-tech (HUMINT) sources and the high-tech methods (digital surveillance) within a single entity. Only then will the data fusion and correlation of information allow for a legal, competent and rapid interdiction of this lethal threat.

Counterfeit medicines are a global scourge. The World Health Organization (WHO) estimates that as much as 10 percent of the half-trillion-dollar pharmaceutical market is counterfeit. In some developing countries, more than half of the drug supply may be fake. Every year, thousands die from ingesting fake medicines, many of which have been produced in squalid conditions using ingredients such as boric acid and highway paint.