27 July 2006

Critical Infrastructure Resiliency: SCADA

The SCADA and Control Systems Procurement Project provides the operational risk context and knowledge for any CISO, CIO or CTO who is procuring new software to control Critical Infrastructures. It is also a good lesson for those projects where the information assurance policies require a strict protocol for purchasing new systems and software. This project is the first of many efforts to create a more resilient infrastructure and to mitigate the risk of future attack on these vital systems in our daily public and private sector operations.

SCADA (Supervisory Control And Data Acquisition) generally refers to the systems which control our critical infrastructures -- such as electric power generators, traffic signals, dams, and other systems. Protecting our critical infrastructure and process control systems is a vital component of our nation's readiness and response efforts. The SCADA Procurement Project, established in March 2006, is a joint effort among public and private sectors focused on development of common procurement language that can be used by everyone. The goal is for federal, state and local asset owners and regulators to come together using these procurement requirements and to maximize the collective buying power to help ensure that security is integrated into SCADA systems.


This is a major step towards risk mitigation in the systems that keep our economy running on a daily basis. Without more resilient systems, our financial and healthcare sectors are at the mercy of a myriad of exploits by "Digital Adversaries".

To reduce control systems vulnerabilities, the DHS National Cyber Security Division (NCSD) established the Control Systems Security Program (CSSP) and the US-CERT Control Systems Security Center (CSSC). The CSSP coordinates efforts among federal, state, and local governments, as well as control system owners, operators, and vendors to improve control system security within and across all critical infrastructure sectors by reducing cyber security vulnerabilities and risk. The US-CERT CSSC coordinates control system incident management, provides timely situational awareness information, and manages control system vulnerability and threat reduction activities.


24 July 2006

US National Preparedness Month: September 2006...

September 2006 is US National Preparedness Month and the perfect time to manage Operational Risks both at home and at your business.

The U.S. Department of Homeland Security and the American Red Cross are working with a wide variety of public and private sector organizations to educate the public about the importance of emergency preparedness. Throughout September, these organizations are providing information, hosting events and sponsoring activities that disseminate emergency preparedness messages to, and encourage action by, their customers, members, employees, stakeholders and communities across the nation.


1SecureAudit is pleased to be a coalition partner again in 2006 to help business executives better prepare their communities for “All-Hazards”. “Our goal is to provide on-going public awareness campaigns this September through our webinar series on Corporate Emergency Response Teams and Terrorism Risk Management,” said Peter L. Higgins, Managing Director and Chief Risk Officer at 1SecureAudit.

The goal of the month is to increase public awareness about the importance of preparing for emergencies and to encourage individuals to take action. Throughout September, Homeland Security will work with a wide variety of organizations, including local, state and federal government agencies and the private sector, to highlight the importance of emergency preparedness and promote individual involvement through events and activities across the nation.


In order to impact preparedness on a macro level, you have to begin the process at the micro level. Business leaders start the training, awareness and readiness at home with their own family members: reviewing the place where they will all meet in an extreme emergency if they become separated, and establishing a single out-of-state point of contact whom each family member will call to check in. This step is imperative because much of the local telecom network may be unavailable for connecting phone calls; the likelihood of reaching a designated contact outside the local area is much higher.

Once the family is prepared, then move on to the business where you work. Create your own Corporate Emergency Response Team (CERT) to run readiness exercises for your community in your building, business park or campus. As you roll up your business community to the local city or county level, you can then coordinate with your public community. Do you know the station number of your local fire and EMS First Responders? Do you know the name of the Captain(s) who may be on duty the day a significant event takes place in your area? If you don't, then you should.

Once the business and local community are prepared and coordinated, then move up to the metropolitan or state level. This is where the largest catastrophes will be coordinated with the Department of Homeland Security or other federal agencies. Does your business or local community have a seat at the Emergency Operations Center (EOC)? What measures are in place for you and your team to assist and collaborate with the state or federal authorities in times of crisis?

At the end of the day, it all comes back to managing operational risks: making the right decisions in advance to preempt threats and, at the same time, preparing for the time when "Mother Nature" or the "Suicide Terrorist" severely impacts our lives and our economy.

19 July 2006

The Risk of Silos of Fraud Detection...

Silos of Detection are under scrutiny in many financial institutions that are plagued with fraud.

Mission-critical data and consumer-specific information often are the target for savvy thieves who prey on the financial services industry. Further, as consumers, employees and external business partners demand -- and are given -- greater access to sensitive data, banks are more susceptible than ever to internal security breaches.

Clearly, fraud is a costly fact of doing business. Approximately 3 million adults said they were victims of ATM or debit card abuse in 2005, according to a survey by Stamford, Conn.-based Gartner that focused on the global IT industry. These incidents resulted in $2.75 billion in losses, with an average loss of more than $900 per incident, Gartner reports. Another 1.9 million online financial services users were victims of illegal checking account transfers, the study adds. These hijacked accounts resulted in nearly $3.5 billion in losses -- an average of roughly $1,800 per incident. Banks absorbed most of these losses, Gartner points out.


Operational Risks are being tracked and counted. More processes are in place to try to get a grasp of the data and the trends in order to create new procedures. Transfer of risk is creating even more issues. Is any of this working as quickly or effectively as management would like?

If fraud is at the heart of operational risk, then human behavior is no doubt at the center of fraud. To understand how to minimize fraud, you must have a more substantial grasp of the human motives for fraud. And to better understand those human behaviors, a risk manager must know the clues and cues for detecting which people are exploiting the organization through deception and new tactics for achieving their goals across business boundaries. The USA Patriot Act is one tool that has targeted the center of this human behavior.

"These and other regulations are forcing companies to look at all customer activity, even across silos," says Rosenoer. That is where the CRO comes in. "The role of the CRO -- or chief risk officer -- is to ensure the bank is compliant across these regulations," he explains. "Further, the CRO bridges business continuity in the event of fraudulent events. Again, this is not just an online problem. CROs are evaluating money laundering rings, compromised internal systems or anything that is threatening the enterprise."


14 July 2006

e-Discovery: A "Perfect Storm" for Corporate Chaos...

The FBI Task Force on "Backdating" options is in full swing in Silicon Valley.

The U.S. attorney's office here has launched a stock options backdating task force to investigate allegations that Silicon Valley companies and individuals defrauded shareholders by retroactively changing grant dates for stock options.

The task force is currently investigating several Bay Area companies to determine the extent of alleged efforts to defraud shareholders in the dating and awarding of stock option grants, according to a statement released by the U.S. Attorney's Office. The task force includes members of the U.S. Attorney's Office and the FBI, the statement said.

If your company is under scrutiny, then you should make your Document Retention Policy Team and in-house e-Discovery staff familiar with the new rules going into effect for electronic discovery.

New rules for electronic discovery of documents in civil cases go into effect in December -- and they could cost users millions or even billions of dollars if they fail to comply.

Last September, the Judicial Conference of the U.S. Supreme Court's Committee on Rules of Practice and Procedure recommended changes that force companies involved in a civil lawsuit to sit down and hammer out what records are fair game for electronic discovery. In general, the resulting 300-plus page document describing the new e-discovery criteria says that companies involved in civil litigation must meet within the first 30 days of a case's filing to discuss how to handle electronic data. The discussion must encompass retention practices, the types of records required and their electronic format, as well as what is considered "accessible" data, said John Bace, an analyst at Gartner Inc. in Stamford, Conn. Failure to comply with the new rules could be costly.


"Falsification or backdating of financial documents may call the integrity of companies' financial statements into question, can constitute fraud on the company, shareholders, and the market, and may give rise to tax violations," said U.S. Attorney Kevin V. Ryan, who is heading the task force.


Operational Risks associated with document retention, legal discovery and liability are a "Hot" topic for most Chief Risk Officers. Even more so, it is a continuing challenge for the CIO to decide how much money to budget for storage, back-up and archiving. However, if the company's policies and procedures are already up to date in the Business Crisis and Continuity Plan, then most if not all of the organization's concerns on e-discovery issues should be trivial.

What is often unknown to the General Counsel and the Director of Business Continuity is where policies overlap and where there might be gaps. This is the place where risk exposure is extensive and the likelihood of an incident is high: a "Perfect Storm" of corporate chaos in the making.



13 July 2006

Avian Flu: The Risk of Pharma Divergence...

This McKinsey article on Avian Flu has some valid points:

• To counter the threat of a global flu pandemic, policy makers, health care organizations, and the pharmaceutical industry must collaborate to develop a market-based approach to expand vaccine production capacity.

• The most effective way of doing so would be to stimulate demand for the annual winter flu vaccine, finance research into the development of pandemic vaccines, and reach an agreement on the amount of additional capacity required around the world.

• Simultaneously, pharmaceutical companies must develop a fourth strain, targeting H5N1 and other avian-influenza strains, and seek regulatory approval to add it to the existing annual winter flu shot.

• Although these shots would not include the eventual pandemic strain—which cannot be known until it appears—people immunized with them would develop antibodies against a potentially deadly virus.


07 July 2006

General Counsel: Directors Top 10 Mistakes...

In the July/August issue of Corporate Board Member Magazine there are ten insightful and reinforcing items of interest.

General Counsel to Directors: Your 10 Most Common Mistakes


The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the Dilemma of False Options


And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 is even on this list. No. 2 and No. 3 are ever so commonplace. And No. 7 is not a surprise. But what continues to amaze even those professionals who consult to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, it needs to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.


03 July 2006

Crisis, Command and Control Training in Large Global Enterprises...

1SecureAudit Launches Operational Risk Solution for Crisis, Command and Control Training in Large Global Enterprises

Lessons learned from large-scale disasters and new blended threats require an adaptive Incident Command System (ICS) for training executives, crisis managers and emergency operations center staff.


1SecureAudit, an emerging leader in Operational Risk Management Solutions for the Financial and Healthcare Services Sectors, and its strategic partner Innovative Management Concepts (IMC), today announced an Internet Web-Services Solution designed for an organization's executives and crisis staff to better prepare for wide area emergencies and global incidents.

“The challenges and concepts of network-centric warfare (NCW) are now being applied to post-9/11 scenarios as CxOs, Incident Commanders and Emergency Operations Centers (EOC) are learning new standards and skills to be more resilient in a new ‘All-Hazards’ worldview,” said Peter L. Higgins, Managing Director of 1SecureAudit.

The 1SecureAudit Crisis, Command & Control Training Management System (C3TMS) powered by IMC is a Network-Centric Web Services solution. It was designed and is currently deployed for Command and Control (C2) rehearsals in the US Air Force.

The US National Incident Management System (NIMS) is applicable across a full spectrum of potential commercial incidents and hazard scenarios, regardless of size or complexity. Clients will utilize C3TMS to make rehearsals more practical, less time consuming and at a significantly lower cost to produce. This means more exercises and tests in a safe and secure setting. It provides the continuity of operations team with real-time, realistic scenario simulations configured “On-The-Fly” to provide executives with the assurance to carry out their crisis missions with confidence and clarity.

1SecureAudit Crisis, Command & Control Training Management System is available immediately for organizations that require compliance with new regulatory and legal standards for business resiliency, emergency preparedness and continuity of operations planning.