30 May 2006

Reinventing Corporate Security for Business Survival...

The reinvention of T-Mobile's security assurance functions is another example of the continuing convergence strategy at global organizations.

Now, in one room sit three of the top security executives recruited to effect change at T-Mobile by creating a new asset protection division. They are: Frank Porcaro, vice president and director of the new asset protection division; Ed Telders, director of information security, policy and compliance; and Rick Roberts, senior manager of security services. With them in the room, of course, is the pink elephant.

The asset protection group—Porcaro's group—is the heart of the makeover. Asset protection will converge physical and information security and, at the same time, create two new groups, including an information security group and a full business continuity/disaster recovery group. In the past year alone, asset protection has grown from four employees to 18, with several of those new hires having CSO-level experience.

Meanwhile, as it's under construction, asset protection is also being moved to another division, risk management and assurance, to be closer to related functions like audit and investigations. In the end, T-Mobile hopes to have one department—risk management and assurance (RM&A)—through which all security functions flow.


The strategy for Business Survival begins with an understanding of how your corporate assets are being attacked, both online and offline, both physical and digital.

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.


The Mission
Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets to determine which are the most valuable in the eyes of your adversary. You must make it increasingly more difficult for these valuable assets to be attacked, or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

25 May 2006

OPS Risk Consultancy Growing at 10% Annually...

Bank spending on operational risk management (ORM) software and services is set to grow at a compound annual growth rate of 4.7% to reach $1.38bn by 2010, according to an annual study released by Chartis Research.

Chartis says the ORM software market - estimated to be $163m in 2006 - is set to grow at a compound annual growth rate of 7.7% to hit $219m by 2010.

Meanwhile ORM related consulting services will continue to grow at a healthy 10.2% compound annual rate. This will be fuelled by Sarbanes-Oxley, Basel II and other risk or governance regulations. As the second wave emerges, Chartis says it expects systems integrators to increase their activity in this area and derive increased revenue from it.


"One reason ORM is getting hotter is due to the fact that legal counsel and outside counsel are advising clients to err on the side of over-compliance", said Peter L. Higgins, Managing Director & Chief Risk Officer at 1SecureAudit. "Showing the auditors and investigators a trail of due care and evidence of doing the right thing in their transparency and reporting is paramount. Those who are left out can trace the root cause of their fines and operational losses from ignoring such significant issues as suspicious activity reporting (SAR)", Higgins concluded. Until now, some organizations did not realize that they too are subject to such requirements:

Financial institutions have been filing increasingly larger numbers of Suspicious Activity Report (SAR) forms since the 2001 terrorist attacks, according to statistics from the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCen). Financial institutions filed more than 689,000 SAR forms in 2004, and the SAR tally for 2005 appears likely to eclipse that mark. The first half of 2005 alone saw more than 435,000 SAR forms filed. The figures for the second half of 2005 and beyond are not yet available. There are several reasons for the increase in filed reports, including an expanded definition of the types of firms that must report suspicious activity, as specified by the Patriot Act. Since January 2002, the list has been expanded to include money-order issuers, insurance companies, broker dealers, mutual funds, currency exchanges, and futures commission merchants. Another reason is that financial institutions are erring on the side of caution, filing anything remotely suspicious in order to minimize the risk of fines or regulatory hassles. "What the lawyers are telling the bankers is, when in doubt file a suspicious-activity report," explains banking consultant Bert Ely.


A recent example of ignoring the compliance laws for the Bank Secrecy Act (BSA), which include Anti-Money Laundering (AML) programs, can be found at Liberty Bank of New York.

Liberty Bank failed to implement an adequate system of internal controls to ensure compliance with the Bank Secrecy Act and manage the risks of money laundering. Liberty Bank lacked adequate written policies, procedures and controls reasonably designed to ensure the detection and reporting of suspicious transactions. Liberty Bank's policies and procedures did not clearly delineate responsibility for detecting, evaluating and reporting suspicious activity, or provide guidance and instruction on the decision and approval process for suspicious activity reporting.


The reason that ORM consulting services are growing at 10%+ annually is that there are still people out there who don't think they are a Money Service Business (MSB), and secondly, those that realize they are have not implemented the programs effectively, even at some of the larger institutions.

22 May 2006

Hurricane Preparedness Week: May 21-27...

"Preparation through education is less costly than learning through tragedy."
- MAX MAYFIELD, DIRECTOR
NATIONAL HURRICANE CENTER

History teaches that a lack of hurricane awareness and preparation are common threads among all major hurricane disasters. By knowing your vulnerability and what actions you should take, you can reduce the effects of a hurricane disaster. This year Hurricane Preparedness Week is May 21-27, 2006.

As NOAA will announce the 2006 Atlantic Hurricane Season Outlook at 11:00 AM EDT Monday, one can only wonder whether we will have more than the 26 named storms of last year. The preventive measures that have taken place are many, and yet are we still as prepared as we could be? The 2005 hurricane season, the busiest and most destructive on record with 28 named storms, 15 of them hurricanes, has made many people along the Atlantic and Gulf coasts more wary as they prepare for the 2006 season. This year, researchers predict 17 named storms, including nine hurricanes.

The 2005 Business Continuity - The Risk Management Expo survey of 251 companies raised many questions about the 30% who said they did not have a Business Continuity plan in place. The key concerns are as follows:

1. Even where a plan existed (70% of the respondents), only 27% of the key personnel are even trained on the plan.

2. Does the plan cover all hazards or just the ones that have been prioritized by the key staff?

3. How does the staff communicate with employees during the crisis?

4. How would shareholders, institutional bondholders, and the board view the company when they find out that the company doesn't have, or hasn't exercised, its crisis management plan?


In any plan, people are the key to business recovery and survivability. And in post-disaster analysis, little consideration was given to the supply chain: the vendors, suppliers and service organizations that keep your corporate operations running each day. Many suffered tremendous delays in the recovery process because contingencies were not in place prior to the crisis event.

Communication is always the biggest failure during times of crisis. When the primary communications systems fail, that is when you will know whether you have been training enough. Victims will soon find out how well you have prepared. Accurate, timely, consistent and relevant information is the foundation for any resilient framework for communications. Most city, state and federal emergency-management authorities still can't communicate by phone or radio in a crisis, because a $2 billion special outlay for so-called "interoperability" is mired in legislative wrangling or being spent without federal coordination.

15 May 2006

Preemption: An Operational Risk Perspective...

Preemption - A Knife That Cuts Both Ways by Alan M. Dershowitz should be considered for the professional Operational Risk Manager's reference library:

Decisions to act preemptively generally require a complex and dynamic assessment of multiple factors. These factors include at least the following:

1. The nature of the harm feared.
2. The likelihood that the harm will occur in the absence of preemption.
3. The source of the harm--deliberate conduct or natural occurrence?
4. The possibility that the contemplated preemption will fail.
5. The costs of a successful preemption.
6. The cost of a failed preemption.
7. The nature and quality of the information on which these decisions are based.
8. The ratio of successful preemptions to unsuccessful ones.
9. The legality, morality, and potential political consequences of the preemptive steps.
10. The incentivizing of others to act preemptively.
11. The revocability or irrevocability of the harms caused by the feared event.
12. The revocability or irrevocability of the harms caused by contemplated preemption.
13. Many other factors, including the inevitability of unanticipated outcomes (the law of unintended consequences).


Regardless of the reader's agreement or bias, this book makes you think upside down and sideways about decisions you have made, and will make. While Mr. Dershowitz takes time to make his own opinions known, his mastery of building the foundation for transformation is unequaled on such a topic: controlling dangerous and destructive human behavior and how to confront terrorism, crime and warfare.

During the course of a single day in the life of the Operational Risk Manager there are dozens if not hundreds of preemptive or preventive decisions to be made. Private Sector vs. Public Sector is not so much the issue here. Whether you are the Chief Compliance Officer at a major banking institution or the Commander in the local Emergency Operations Center you both have the same dilemma. A decision must be made quickly and you must be able to live with the implications of either decision.

12 May 2006

Workplace Violence: Maximize Dialogue and Anonymity...

Workplace Safety is a key component of operational risk management in almost any business. When forensic psychologist Dr. Park Dietz is asked about this important issue, he has this to say:

The most important component is that someone in authority understands why this matters to the organization and that it's not simply a question of how to prevent an occasional mass murder of this sort—that the value of a good workplace violence program is to save the company wear and tear and money every single day. It takes a long time and many, many errors before someone reaches the stage of making overt threats. Today a lot of companies have something to handle threats when they emerge, but that's too late because it's more expensive and actually riskier once a threat has emerged. On the average, the cases we deal with that reach the threat stage should have been recognized seven years earlier as problem employees who should have been separated.


Proactive vs. Reactive. The argument goes on in many departments when it comes to budgeting for preparedness vs. response. How do you detect the next employee who has "gone postal," as they say? What is the early warning indicator that tells you that you need to train employees on the detection of "abnormal behavior" or out-of-context business transactions?

If we are to continue down the path of handling disruptions in business and emergencies involving personnel with the idea of mitigating the risk post-incident, then increase the budget for the line items under outside counsel, litigation and insurance. However, the idea that a corresponding increase in the budget line items under compliance, security and training will decrease risks prior to an incident is prudent thinking.

In the battle for finite dollars to be spent across the enterprise in all categories that have significant risks, there will always be an argument on where the investment of resources will have the biggest payoff or return on investment. Yet, how will you ever know whether this is the year of the earthquake, the tornado or the employee who becomes hostile or potentially lethal? The point is, you will never know, for certain.

This is why an investment in enterprise risk management dialogue requires that every department and each process factor in additional costs for mitigating risks. Each person who is closest to the work being done knows where the greatest potential is for a loss event: the place that is most vulnerable. Just ask the HR specialist which employee they have hired over the past year represents the most lethal threat to the company. Just ask the IT Security Engineer which system or application is on the verge of a meltdown and they can tell you. Or just ask the executive which middle manager they think is getting ready to move to the competition with all the latest R&D secrets. They can tell you.

Being proactive in managing operational risks sometimes means that you have to ask your employees risk related questions on a continuous basis. You have to document and collect the answers and feedback so that you can detect trends in behavior or potential eruptions in behavior. Finally, you need to figure out how to do all of this using new tools and processes to protect privacy and anonymity. Get started!

10 May 2006

Flu Pandemic: NIMS to the Rescue...

An operational risk benchmarking survey conducted by The Risk Management Association in April 2006 indicates that many financial institutions are preparing for a possible flu pandemic.

Key findings are:
-- Large North American institutions with asset sizes greater than $10 billion are taking the threat seriously. Least concerned are banks with assets of less than $500 million.
-- Most banks expect disruptions to last three to nine months.
-- Two-thirds expect 30% or more of their key workers to be absent during peak periods of disruption.
-- More than 60% have identified someone to lead the planning, but less than a third have rolled out plans and begun regular testing.
-- Only about a third of banks are well along in establishing policies for such things as employee compensation, evacuations, and reducing workplace transmission of risk.

Participants in RMA's "How Serious Is the Threat of a Pandemic and What Are Bankers Doing about It" included 190 financial institutions. Of those, 168 are from North America, 14 from Europe, and eight from Asia, Australia, and Africa. The results are broken out by geographic area and asset size, with respondents' asset sizes ranging from under $500 million to over $500 billion.


Continuity of Operations and Business Crisis Continuity Management experts are prepared to handle the requirements of the two thirds of the banks who still HAVE NOT begun regular testing. Along with the typical exercises where a third of the work force stays home for a day to see how the IT assets handle the load, there is much to do with the testing of your third-party suppliers and critical supply-chain vendors.

Make sure that the people you trust to get you through the tests, exercises and consulting advice are NIMS compliant. The National Incident Management System (NIMS) in the US is the standard for a comprehensive, national approach to incident management that is applicable to a full spectrum of potential incidents. This includes a myriad of hazard scenarios, regardless of size or complexity.

All corporate officers who plan on being part of the Unified or Area Command must have the tools and the training far in advance to accomplish COOP or BCP goals. Here is the scenario:

"An outbreak of a suspicious flu-like virus has broken out throughout the State. So far, victims seem to have contracted the virus through personal contact, but public health officials cannot trace the source of the virus to naturally occurring outbreak. Because the contamination area is spreading, the entire region has been placed on alert. This incident should be managed by an Area Command."


Using Incident Command System (ICS) protocols in combination with the NIMS framework allows the organization to become more resilient to the risks associated with a major disruption in business operations. This may include denial of service, both online and offline, lack of key personnel, or quarantine of company facilities. For more information and answers on how to get your company NIMS compliant and ready for the next tornado, hurricane, earthquake or terrorist incident, see WashingtonDC FIRST.

08 May 2006

Criminal Intent: Digital Surveillance Dominates Q1...

Seventy percent of malware detected during the first quarter of 2006 was related to cyber crime and more specifically, to generating financial returns. This is one of the conclusions of the newly published PandaLabs report, which offers a global vision of malware activity over the first three months of the year. Similarly, the report offers a day by day analysis of the most important events in this area. This report can be downloaded from Panda.


This report confirms the trend of criminal intent among the developers of malicious code to steal information for financial gain. Most successful are the bots and spyware that live silently on your corporate executive's laptop after a week away traveling. Since the tendency to use "Free WiFi" exists in many hotels and other travel zones, the laptop becomes vulnerable to an infection. And when that laptop is reconnected to the docking station back at HQ, the real threat begins.

Digital Surveillance using malicious code is not new. The art is now a science. Ask any 19 or 20 year old in the Engineering or Computer Science Department at a major university. The use of spam and other techniques for spreading malicious code makes it imperative that your detection and defense strategies are sound and operating on a daily if not hourly basis. Organizations are under a barrage of attacks that are random and sophisticated, and are deployed with a multifaceted approach to gain the required exploit results. These new blended threats combine virus and worm technology into a smart and yet elusive attack vehicle.

According to FBI studies, more attacks are propagated and launched internally than externally. Companies are deploying internal intrusion detection systems that place monitors or agents on multiple department segments, and e-mail anti-virus systems that prevent viruses from spreading.


Many organizations are exploring new devices that IDC has termed Unified Threat Management (UTM) appliances. Effective UTM requires:

* Low total cost of ownership. Total system costs must be less than the expected loss if there are security breaches due to lack of control. The solution must decrease the time to protection and ongoing overhead to achieve a lower total cost of ownership. Security threats are constantly changing, and the system must adapt to these changes on a constant basis with little to no user intervention.

* Coordination. Security breaches can occur between mismatched technologies, so whenever possible layer the security approach. Since many threats have multiple attack signatures, one layer prevents a certain portion of an attack while another layer catches the rest. The network’s security posture must adapt in unison for comprehensive protection.

* Reduced complexity. To achieve maximum security, solutions must be easy to implement, and the components must work well together; if not, incident detection (and resolution) becomes difficult if not impossible. Vital considerations include time-to-response and automation of appropriate protection.

Consider an evaluation of SonicWall to find all three advantages in your enterprise.

03 May 2006

The Risk of External Supply-Chain Interdependencies...

In what countries do you operate? Do you source raw materials from politically unstable regions of the globe for your end products? Are you subject to a myriad of taxes, tariffs and duties, including new security measures in our ports? How complex are your sales and distribution channels? At the end of the day the big question is: What is my financial, operational and economic risk exposure in the event of a disruption in our external supply-chain?

The risk of external supply-chain interdependencies has been talked about for many years. Monte Carlo simulations, scenario analysis and other methods have been effective in the determination of what the magnitude of a loss event may look like. Once the dollar analysis is done and you know that your exposure is $XXM. or $XB., then what do you do with that information?
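As an added illustration of the Monte Carlo approach mentioned above (this is example code written for this page, not the blog author's or any vendor's tool), the block below simulates the annual loss from a small set of constructed, hypothetical supply-chain disruption scenarios. Each scenario is modelled as a Poisson number of disruption events per year with a lognormal loss per event; the scenario names, rates and dollar figures are invented for the example. Summing the simulated losses per trial gives an empirical distribution from which the mean exposure and the tail (95th and 99th percentile) can be read, and the analytic expected loss is computed alongside as a sanity check on the simulation.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One external supply-chain disruption scenario (constructed, hypothetical)."""
    name: str
    events_per_year: float   # Poisson rate of disruption events per year
    median_loss_musd: float  # median loss per event, in $M
    sigma: float             # lognormal spread of the per-event loss


def _poisson(rng, lam):
    """Knuth's multiplication method for a Poisson draw; fine for small rates."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, trials=20000, seed=2006):
    """Return one simulated total annual loss ($M) per trial.

    For each trial, every scenario contributes a Poisson number of events,
    each event draws a lognormal loss, and all losses are summed.  A fixed
    seed keeps the run reproducible for review.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.median_loss_musd), s.sigma)
        totals.append(total)
    return totals


def percentile(values, q):
    """Empirical q-th percentile (0-100), nearest-rank over the sorted sample."""
    ordered = sorted(values)
    rank = math.ceil(q / 100 * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, rank))]


def expected_annual_loss(scenarios):
    """Analytic expected annual loss: sum over scenarios of
    rate * E[lognormal] = rate * median * exp(sigma^2 / 2)."""
    return sum(s.events_per_year * s.median_loss_musd * math.exp(s.sigma ** 2 / 2)
               for s in scenarios)


def exposure_summary(scenarios, trials=20000, seed=2006):
    """Mean and tail exposure ($M) from the simulation, plus the analytic mean."""
    losses = simulate_annual_losses(scenarios, trials, seed)
    return {
        "mean": sum(losses) / len(losses),
        "analytic_mean": expected_annual_loss(scenarios),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
    }


# Constructed scenarios for illustration only; rates and losses are invented.
SCENARIOS = [
    Scenario("sole-source raw material from an unstable region", 0.5, 3.0, 0.9),
    Scenario("port security hold on inbound containers", 1.0, 0.8, 0.6),
    Scenario("hurricane closes a Gulf-coast distribution hub", 0.3, 5.0, 0.7),
]

if __name__ == "__main__":
    summary = exposure_summary(SCENARIOS)
    for key, value in summary.items():
        print(f"{key:>14}: ${value:6.2f}M")
```

The p95 and p99 figures are the "$XXM or $XB" exposure the passage refers to: the tail, not the average, is what drives the decision to line up a second source. The analytic mean should sit close to the simulated mean; a large gap would indicate a bug in the event or severity model rather than a real finding about the supply chain.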

Much of the outcome of this exercise may go into the next strategic planning phase on who you need to partner with or create an alliance with in order to satisfy certain future contingencies. Once you realize that you need more than one source for a raw material or a key service to run your business, then the real analysis begins. Who and where do I find the best alternatives for this vital component in my global supply-chain?

If you begin your due diligence now on the top 10 vital components in your supply-chain contingency planning exercise, you might have these all completed, through the legal department and signed, within a few months' time. If you are lucky. Then you must really test the new supplier or source for your product or service to determine how smoothly they operate when you pick up the phone or send the "Alert".

The ultimate architecture requires an "Adaptive Supply-Chain" that will provide cross-border agreements and resilient mutual-aid partners to assist in times of crisis. Just shifting production from one country to another may not be enough to mitigate the disruption in a vital component of the manufacturing process or delivery of services. Having a reflexive and responsive supply-chain is only one of many contingencies in a robust Business Crisis and Continuity Management plan.

When was the last time you reviewed your key suppliers' and sourcers' plans for continuous operations and their record for testing these plans? This will be the place you find your greatest weakness in external supply-chain management. In the US, it is now less than 30 days away from the next hurricane season. Gasoline prices and fuel costs are impacting every sector of the economy. One thing is for sure. You are in complete control of your readiness factor. And your readiness factor is directly proportional to your interdependencies in your supply-chain.