29 March 2007

DRP: Document Retention Policy...

Corporate Fraud is nothing new and seems to go in cycles. Now we are back to the days of real estate financing and mortgage lending wrongdoing, but this time it might be a larger issue than in the past. When this issue gets on the docket over at the Daily Caveat, you can bet this is not going to be a trivial matter.

Atlanta-based Beazer Homes USA is facing scrutiny from the FBI over allegedly fraudulent practices in the company's mortgage lending business. Beazer, a public company, operates as a home builder in 21 states.

The bureau's report said mortgage fraud comes in two broad varieties: "fraud for profit," which is largely committed by industry insiders and involves practices such as falsely inflating property values, and "fraud for housing," which is committed by borrowers and involves actions such as acquiring a house under false pretenses.

The bureau said it is cooperating with trade associations representing mortgage bankers and the government-sponsored companies that purchase mortgages, Fannie Mae and Freddie Mac, to raise awareness of mortgage fraud.

Whenever you have boom times, you can bet that the opportunities and the malfeasance will be higher and that the investigations won't gear up until well after the peak. Even if the situation has equalized and the marketplace is doing all the right things to adjust, you still need to put a light on those who are prone to bad behavior.

Operational Risk is all about internal and external fraud mitigation. The tools, cues and clues that an OPS Risk professional utilizes are all after the truth and for the future good of all impacted by these serious loss events.


A risk difficult to model is fraud. Booms tend to induce fraud, misrepresentation and scandals. To quote Bagehot again:

"The good times of too high price almost always engender much fraud."

Or the great economic historian, Charles Kindleberger:

"The propensity to swindle grows parallel with the propensity to speculate during a boom. The implosion of an asset price bubble always leads to the discovery of fraud and swindles."

And now the search begins for evidence. The evaluation of the Document Retention Policy (DRP) at Beazer Homes will no doubt be a subject of discussion today and for weeks to come. If they are like most prudent organizations who have completed their DRP and have employees educated on day one of their employment, it should be crystal clear:

Here is some sample language from a standard DRP:

Our records include virtually all of the records you produce as an ABC Corporation employee. Such records can be in electronic or paper form. Thus, items that you may not consider important, such as interoffice emails, desktop calendars and printed memoranda are records that are considered important under this policy. If you are ever uncertain as to any procedures set forth in this policy (e.g., what records to retain or destroy, when to do so, or how) it is your responsibility to seek answers from ABC Corporation’s DRP Manager.

The goals of this DRP are to:

  • Retain important documents for reference and future use;
  • Delete documents that are no longer necessary for the proper functioning of ABC Corporation;
  • Organize important documents for efficient retrieval; and
  • Ensure that you, as an ABC Corporation employee, know what documents should be retained, the length of their retention, means of storage, and when and how they should be destroyed.

Yes, a policy about destruction of documents. This is where many organizations fail to mitigate the risk of data theft, or even of eDiscovery of data that could become relevant in a future investigation. However, these days, everybody is saving everything, and for what looks like could be a very long time.

"If a lawsuit is filed or imminent, or a legal document request has been made upon ABC Corporation, ALL RECORD DESTRUCTION MUST CEASE IMMEDIATELY.

"ABC Corporation’s DRP Manager may suspend this DRP to require that documents relating to the lawsuit or potential legal issue(s) be retained and organized. A critical understanding of this section is imperative. Should you fail to follow this protocol, you and/or ABC Corporation may be subject to fines and penalties, among other sanctions."
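What the two halves of such a policy look like when a records system actually enforces them, as an added example that is not part of the original post or of any real DRP: a retention schedule decides what has expired, and a legal hold issued by the DRP Manager overrides the schedule so that destruction stops, either for records tied to a matter or company-wide. The record classes, retention periods, hold identifier and sample records are all constructed for illustration.

```python
"""Added example, not part of the original post or any real DRP: a minimal
records-retention engine that applies a retention schedule and refuses to
destroy anything covered by a legal hold. Record classes, retention periods,
the hold and the sample records are all constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Hypothetical retention schedule: record class -> days to keep after creation.
RETENTION_DAYS = {
    "email": 365 * 3,
    "calendar": 365,
    "memo": 365 * 7,
    "loan_file": 365 * 10,
}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    # Matters or business lines the record relates to (used to scope holds).
    tags: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class LegalHold:
    matter: str
    issued: date
    released: Optional[date] = None
    # None means the DRP Manager suspended ALL destruction, company-wide.
    scope: Optional[FrozenSet[str]] = None

    def active_on(self, day: date) -> bool:
        return self.issued <= day and (self.released is None or day < self.released)

    def covers(self, record: Record) -> bool:
        return self.scope is None or bool(self.scope & record.tags)


def is_expired(record: Record, today: date) -> bool:
    """True when the record has outlived its scheduled retention period."""
    keep_for = RETENTION_DAYS.get(record.record_class)
    if keep_for is None:
        # Unknown class: keep it and escalate to the DRP Manager rather than guess.
        return False
    return today > record.created + timedelta(days=keep_for)


def destruction_plan(records, holds, today):
    """Split records into (destroy, held, audit-trail lines) for one run."""
    active = [h for h in holds if h.active_on(today)]
    destroy, held, audit = [], [], []
    for r in records:
        if not is_expired(r, today):
            audit.append(f"{r.record_id}: retain, within {r.record_class} schedule")
            continue
        blocking = [h.matter for h in active if h.covers(r)]
        if blocking:
            held.append(r.record_id)
            audit.append(f"{r.record_id}: expired but DESTRUCTION SUSPENDED by {blocking}")
        else:
            destroy.append(r.record_id)
            audit.append(f"{r.record_id}: destroy, expired {r.record_class}")
    return destroy, held, audit


def run_sample(company_wide_hold=False):
    """Constructed scenario: a hold is issued the day before the retention run."""
    today = date(2007, 3, 29)
    records = [
        Record("R1", "email", date(2003, 1, 15), frozenset({"mortgage-lending"})),
        Record("R2", "calendar", date(2005, 6, 1)),
        Record("R3", "memo", date(2002, 1, 1), frozenset({"mortgage-lending"})),
        Record("R4", "voicemail", date(2000, 1, 1)),  # class missing from schedule
    ]
    hold = LegalHold("MATTER-2007-001", issued=date(2007, 3, 28),
                     scope=None if company_wide_hold else frozenset({"mortgage-lending"}))
    return destruction_plan(records, [hold], today)


if __name__ == "__main__":
    for line in run_sample()[2]:
        print(line)
```

Two design choices matter for an investigation later: a record whose class is not on the schedule is retained rather than destroyed by default, and every decision is written to an audit trail, so the organization can show exactly what was destroyed, when, and that nothing under hold was touched.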

The phone has just got to be ringing off the hook over at Stratify!

23 March 2007

Global Risk: Resilience & Interdependencies...

It's no surprise that spending will be up in 2007 on Operational Risk Management. According to a recent AMR Research study, investment in OPS Risk will increase dramatically:

The study reveals 46% of firms surveyed plan to implement or evaluate technologies for risk management in the next one to two years.

The emergence of risk management as a critical practice is based on the business need for global sourcing strategies, increasingly complex contract manufacturing relationships, and the greater number of natural and political events that can disrupt the supply chain, according to AMR.

Supplier failure and continuity of supply is the Number 1 risk factor for 28% of firms, the survey says. Events such as the Enron scandal, 9/11, health scares such as SARS and avian flu threats, the Asian tsunami and Hurricanes Katrina and Rita have forced companies to re-evaluate their preparations for catastrophes and unplanned events.

Other survey results include:

* 33% of firms have dedicated budget line items for supply chain risk management activities.

* 54% of firms plan to increase their budgets for risk management over the next 12 months.

* The top areas of application spending to support supply chain risk management are sales and operations planning, inventory optimization, business intelligence and supply chain visibility and event management applications.

After all, risk managers have figured out that a holistic Enterprise Risk Management approach with a firm discipline in Operational Risk is paying off. The strict focus on just compliance with SOX or Basel II is myopic.

Cristiana Báez-Safa, Managing Director in Marsh's FINPRO (Financial and Professional Services) Practice, noted: "Many large European financial institutions have changed the direction of their operational risk projects as often as two or three times since starting their compliance efforts."

"From simply taking a narrow view, 'what can I do to comply with Sarbanes-Oxley and Basel II?', for example, risk managers in the financial services sector are now asking themselves how they can help improve business process efficiency, reduce operating costs and mitigate the risks that concern the Board most."

She also indicated that "the longer-term trends in operational risk management are greater penetration and coordination of risk management across all facets of the business; more detailed scenario planning in key areas of potential exposure; and tailored risk transfer solutions for operational risk."

Local risks can become global risks depending on their severity and connectedness to other interdependencies. We have already witnessed the impact of such events as hurricanes on gas refining operations in the US Gulf Coast Region and the impact on transportation costs. Under-regulation of sub-prime mortgages by the federal agencies may have a long-term effect on capital liquidity across the globe.

And there are many others, according to the World Economic Forum 2007 Global Risks Report:
• Oil price shock/energy supply interruptions
• US current account deficit/fall in US$
• Chinese economic hard landing
• Fiscal crises caused by demographic shift
• Blow up in asset prices/excessive indebtedness

• Climate change
• Loss of freshwater services
• Natural catastrophe: Tropical storms
• Natural catastrophe: Earthquakes
• Natural catastrophe: Inland flooding

• International terrorism
• Proliferation of weapons of mass destruction (WMD)
• Interstate and civil wars
• Failed and failing states
• Transnational crime and corruption
• Retrenchment from globalization
• Middle East instability

• Pandemics
• Infectious diseases in the developing world
• Chronic disease in the developed world
• Liability regimes

• Breakdown of critical information infrastructure (CII)
• Emergence of risks associated with nanotechnology

These risks over the next ten years are global in nature and have significant interdependencies. The breakdown of CII and transnational crime and corruption are far more likely to occur than a pandemic, though not quite as costly in US loss exposure.

With all the talk about prioritization and upstream mitigation, how do you know that you are spending your resources in the right place? When will the next incident occur? Finally, what interdependencies will come into play?

One approach is to improve resilience, allowing the system to cope with a range of unexpected manifestations. Such “downstream mitigation” recognizes that not all events can be predicted and prevented.

Enabling Global Business Resilience is the name of the game, and those organizations who understand it and can implement it effectively will be our next generation's survivors.

18 March 2007

Corporate Fraud: Revenue vs. Risk...

It's been over five years now since the "Black Monday" at Enron. Volatility in the markets over the sub-prime mortgage industry has investors a little nervous. Operational Risk Executives are hoping that this is not a deja vu moment.

Though the main Enron characters have received their prison sentences, there's no closure for corporate fraud. Sherron Watkins, Enron's sentinel, describes the debacle's details and warns that it could happen again.

Dec. 3, 2001. Black Monday. The day that Enron declared bankruptcy. CEO Ken Lay had left a voice mail on the phones of all Enron employees asking they come into the office regardless. Nearly 5,000 were called to a massive meeting and told that the paychecks that they had recently received would be their last. Three weeks before Christmas.

In August of that year, Sherron Watkins, an Enron vice president, had sent an anonymous memo to Lay that read, "I am incredibly nervous that we will implode in a wave of accounting scandals."

Of course, that's exactly what happened. After the company's demise, the investigating U.S. Congress discovered Watkins' memos to Lay and other top executives. (After sending the memos, she had met with Lay with no results.) Watkins was soon lauded as an "internal whistle-blower," brought before Congressional and Senate hearings to testify against her former bosses, and heralded by TIME magazine as a "Person of the Year," with WorldCom's Cynthia Cooper and the FBI's Coleen Rowley.

With the chaos going on in sub-prime lending in the United States, the concern is that suddenly the liquidity that fueled this past boom is about to "Go South". Will there be any issues that surface about the fraud imposed upon consumers over the terms and conditions of the loans they signed to become part of the American Dream? Are there any "Sherron Watkins" sitting there in their offices today wondering how they can become the next "Whistleblower" to make it to the cover of Time Magazine?

Only time will tell whether any of the volatility in these companies has a ripple effect in markets for the long term. Yet the culture that exists today inside those organizations must be tense and certainly there are a handful who wish there was a way they could make it all go away. So what advice would Sherron have for anyone feeling this way at their institution in a role of Operational Risk Management?

If you ever were to go back to a corporate executive position, what kinds of things would you ensure would be set in place before you took the job?

In addition to the zero tolerance policy I've already mentioned for ethically challenged employees, I'd be sure that the company had a mechanism for bad news to get to the top and had effective policies and procedures for dealing with that bad news. I would also verify that the company's control and risk personnel had autonomy and equal power with top revenue executives. I would want to see that top management values the control and risk management function. I would want to make sure they recognize that control and risk personnel will not be the most popular and that the problems the company avoids as a result of the work of these groups will never be quantified.

Think about what she is saying here. Control and risk personnel need to have equal power with the executives who are bringing in the revenue. This means that the power base of the sales and marketing team would need to be on par with the Internal Audit and Risk Management executives. This culture shift is harder to achieve than one would think. Egos aside, the people who make it their job to worry about losses and to mitigate risks day in and day out are just not used to waving the big black flag of doom. Everybody loves to hear that the business has been won, the competition defeated and the company just closed the biggest "Deal" in its history. Let the spin doctors in Marcom get the Press Releases flying!

It has been said before: the tone starts at the top. The CEO and Board of Directors who are cognizant of the necessity for effective risk management objectives must also create a balanced power base at the top, balancing the "revenue generators" with the "loss mitigators." So who are some of the people who deserve greater exposure in this newborn culture shift?

  • Director of Information Security promoted to CISO. (Chief Information Security Officer)
  • Director of Corporate Facilities to CSO. (Chief Security Officer)
  • Director of Regulatory Affairs to CCO. (Chief Compliance Officer)
  • Director of Privacy to CPO. (Chief Privacy Officer)
  • Director of Human Resources to CHO. (Chief Humanity Officer)

If the CEO thinks that this is too many chiefs in the "C" Suite, then what about the idea of creating the Executive Office of Operational Risk Management (ORM)? This would be on par with the Chief Financial Officer and might even include the Chief Information Officer. The top ORM officer would be on par with the EVP of Sales or Marketing and, unlike the Chief Operations Officer (COO), would be focused on the effectiveness of risk controls and not so much on the efficiency or uptime of corporate processes. What does Sherron think the moral is?

You've been asked this one numerous times, I'm sure, but what's the moral of the story?

Being an ethical person is more than knowing right from wrong. It is having the fortitude to do right even when there is much at stake.

14 March 2007

OSINT 2: When is it time?

In our last post we were exploring the "Open Source Intelligence" discussion. We said that we were going to continue the arguments. We wonder why some companies don't have a more proactive OSINT operation in their own institution looking at potential threat intel. While there are very expensive services that can package up exactly what you are looking for, sometimes it just takes a little more time and the right "Sources." Take Michael Sutton's Blog for instance:
Phree Phishing
I recently blogged about the phishing pages that I found during a Tour of the Google Blacklist. In that posting I noted how I was surprised to find that Yahoo! was actually hosting phishing sites designed to phish Yahoo! credentials. Not surprisingly, ...

A Tour of the Google Blacklist
[Update 01.10.07: In response to some of the queries that I've been receiving, I've published a follow up blog to discuss the structure/decryption algorithm of Google's Encoded/Hashed Blacklist.] I recently decided to devote a day to walking ...
Posted 04 January 07 12:48 by msutton

You could get a service from Michael's X-Lab, at iDefense or even a more wide range of collection capabilities from the likes of Cyveillance to assist the in-house OSINT operation. Throw in some Stratfor, OSAC and one or two variations of Symantec or Qualys and you have it mostly covered. Except for one thing. Plenty of "Gray Matter."

We might agree that there is more information out there than anyone could possibly imagine accessible with a few clicks and keystrokes. Yet the easy part is the collection and the filtering or storage. Making any sense of it all with the relevance you seek is the "Holy Grail" for you, today. But that might change tomorrow.

It's the consistent development of a new hypothesis and testing it that determines who will get the next new piece of information ready for OSINT. And still the question remains. Will this be better kept secret, or out in the "Wild"? The argument usually isn't whether the results of the test should be published, it's more about when.

Open Source Intelligence is going to be around for some time to come. The tools are getting even better to find and process information. The only real impediment will continue to be those who want to wait and hold on to it a little longer. And remember this:

OSINT: If Intelligence were a baseball game...

09 March 2007

OSINT: If Intelligence were a baseball game...

What is Open Source Intelligence (OSINT)? Why is it important to your security and safety? How can you really understand how it is the same or different than other types of intelligence? Let's use this clever baseball analogy from Robert Steele:

If Intelligence were a baseball game....

IMINT takes a picture every day or so, trying to discern who's winning from sporadic snap-shots at different times of day, different angles of look.

SIGINT tries to bug the dug-out and discern how the game is going from comments by the players.

HUMINT tries to recruit the batter, find out where he thinks he is going to hit the ball, and send a spy out to catch it if it ends up there.

MASINT tries to smell the player's armpits and the arc of the ball from leather secretly treated beforehand.

OSINT gives everyone in the audience a baseball glove, and counts the ball out if anyone in the stands catches the ball.

What's the point? OSINT is not a substitute for spies, satellites, or secrecy. It simply takes all the low-hanging fruit off the table so the secret sources and methods can focus. Put simply, OSINT changes the rules of the game--eliminates all the "home runs" by the enemy that need not occur if we harness the distributed intelligence of the audience--and allows the secret sources and methods to focus more carefully on what's left inside the playing field.

So what? Open source intelligence is available to everyone at the touch of a button, via Google and others. Intelligent bots troll the net in search of their targets, looking for the answer to the algorithm created to answer the question posed by its designer. When a bot finds what it is looking for, it brings it home to the clandestine machine with petabytes of RAID.

The people behind the question look for a pattern. The question or hypothesis is there to accomplish an important task: to find some relevance in a vast sea of zeros and ones beyond the human brain's capability to grasp. No one person owns it and has the ability to keep it secret, forever. Somehow, someone will put this information into the open. Then it becomes OSINT.

The race isn't about keeping information safe from being stolen or revealed to others. It's about something else:

Jeff Jonas, the chief scientist and distinguished engineer at IBM’s entity analytic solutions group, has developed a means of sharing corporate data without revealing what that data contains.

This technology, called anonymization, effectively "shreds" information, making it possible for companies to share information about their customers with governments or other companies without giving away any personal data. Over time, Jonas believes companies will increasingly use anonymization to defend their data, and corporate well-being, from competitors and identity thieves.
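One way to see what such anonymized sharing looks like in practice, as an added example that is not IBM's or Jeff Jonas's actual technique: each party replaces a customer's identifying fields with a keyed one-way digest (HMAC-SHA256 under a key the parties agree out of band) and exchanges only the digests with an opaque reference, so overlapping customers can be found without either side handing over names or birth dates. The key, the record layouts and the sample records are constructed for illustration.

```python
"""Added example illustrating the idea described above; it is not IBM's or
Jeff Jonas's actual implementation. Two organisations compare customer records
by exchanging keyed one-way digests of normalised identifiers instead of the
identifiers themselves. The shared key, record layouts and sample records are
constructed for illustration."""
import hashlib
import hmac
import unicodedata


def normalise(value: str) -> str:
    """Canonicalise an identifier so formatting differences do not break a match."""
    value = unicodedata.normalize("NFKC", value)
    return " ".join(value.casefold().split())


def anonymise(identity: dict, key: bytes) -> str:
    """Keyed one-way digest of (name, date of birth).

    HMAC rather than a bare hash: names and birth dates are a small enough
    domain that an unkeyed digest could be matched against a precomputed
    dictionary; with the key held only by the participating parties, the
    digest alone reveals nothing about the person."""
    canonical = "|".join(normalise(identity[f]) for f in ("name", "dob"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def publish(records, key: bytes) -> dict:
    """What a party hands over: digest -> its own opaque reference, no PII."""
    return {anonymise(r, key): r["ref"] for r in records}


def match(published_a: dict, published_b: dict):
    """Link only the records present on both sides, by opaque reference."""
    common = published_a.keys() & published_b.keys()
    return sorted((published_a[d], published_b[d]) for d in common)


def run_sample():
    """Constructed data: a bank's customers against a partner's list."""
    key = b"constructed shared key, exchanged out of band"
    bank = [
        {"ref": "B-1", "name": "Jane Q. Public", "dob": "1970-01-02"},
        {"ref": "B-2", "name": "JOHN  DOE", "dob": "1965-05-05"},
        {"ref": "B-3", "name": "Alice Smith", "dob": "1980-12-12"},
    ]
    partner = [
        {"ref": "P-7", "name": "john doe", "dob": "1965-05-05"},
        {"ref": "P-9", "name": "Bob Brown", "dob": "1955-03-03"},
    ]
    return match(publish(bank, key), publish(partner, key))


if __name__ == "__main__":
    print(run_sample())
```

The key is what makes the digest set safe to hand over: without it, a recipient cannot enumerate plausible names and birth dates and test them against the digests, and rotating the key invalidates everything previously shared, which is also how a party withdraws from the arrangement. Normalisation is deliberately minimal; anything cleverer (nickname tables, date tolerance) has to be agreed by both parties or the digests will never line up.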

This story to be continued.

06 March 2007

A Glitch: NYSE Minor Malfunction...

As sharemarkets plunged around the world, anxious investors, big and small, sat glued to their computer screens. But the lesson learned from yesterday's market correction was that computer systems just aren't up to scratch when investor panic sets in.

The first malfunction came in New York, where a glitch triggered a sudden plunge in the Dow Jones Industrial Average. Brokers, already spooked by morning falls, could do little but watch on as, at 2pm local time, the Dow fell 200 points in seconds.

Dow Jones said its computer system couldn't handle the vast volume of trades — about 4.5 billion, double the daily average — at the New York Stock Exchange.

If you have been reading Richard A. Clarke's new "Fiction" novel, Breakpoint, the so called "Glitch" had some of us wondering:

The global village--an intricately intertwined network of technology that binds together the world's economies, governments, and communication systems. So large, so vital--and so fragile. Now a sophisticated group is seeking to "disconnect the globe"--destroying computer grids, communications satellites, Internet cable centers, biotech firms. Hard to do? If only that were so.

What is a glitch anyway? Didn't we hear that as an excuse from Virgil "Gus" Grissom in The Right Stuff? He was pilot of Mercury-Redstone 4 ("Liberty Bell 7"), the second American (suborbital) spaceflight. Following the splashdown of "Liberty Bell 7", the hatch, which had explosive bolts, blew off prematurely, letting water into the capsule and into Grissom's suit. Grissom nearly drowned but was rescued by helicopter, while the spacecraft sank in deep water. Grissom maintained he did nothing to set off the explosives to blow the hatch. "It was a glitch!" Later evidence proved him right.

Whenever you hear the word "Glitch", what are you thinking? Human error. Or Computer error.
  1. A minor malfunction, mishap, or technical problem; a snag: a computer glitch; a navigational glitch; a glitch in the negotiations.
  2. A false or spurious electronic signal caused by a brief, unwanted surge of electric power.
  3. Astronomy A sudden change in the period of rotation of a neutron star.

In the case of the New York Stock Exchange and Liberty Bell 7 we are talking about something that could not be predicted. Maybe not something that had ever been seen before during testing or simulations. Therefore, the only answer could be a glitch. If you are a computer programmer you know exactly what happened. You know where the orders were piling up in the database ready to be tabulated when the system's processes started up again. Being down for an hour with those kinds of trading volumes can pile up a few orders in the queue.

Operational Risk Management is about anticipating those occasional "Glitches" and preparing for them in advance. While you may not see the exact variant every time you create and exercise a scenario, you recognize something similar. You get a feeling that you have seen this before, even if it was in a bad dream. As a Quiet Professional, working to mitigate risks, create a safe haven and achieve your mission, you expect that you will see a glitch today. And if you do, then you will act with confidence and speed to remedy the situation as it unfolds before you.

So you want a look into the crystal ball? As Richard Clarke says, "Sometimes you can tell more truth through fiction." Or is it?

02 March 2007

Insider Threat: Reputation is #1 Concern...

A recent EIU Survey on Business Resilience has some reinforcing stats, yet nothing so shocking.

Forty-seven percent of the risk managers questioned for a new Economist Intelligence Unit survey into business resilience said that unplanned downtime of information technology systems lasting 24 hours or more could jeopardise the survival of their entire business.

The severity of the threat from disruption to IT systems is one of several factors prompting companies to increase the attention they devote to risks associated with their operations.

75 percent say that operational risk management is an increased focus as their reputation remains their highest concern overall. And today, UBS, Bear Stearns, Morgan Stanley and others are cooperating on an SEC investigation into insider trading:

Employees of some of Wall Street's top banks were among more than a dozen people charged on Thursday in what authorities called one of the most pervasive insider trading rings since the 1980s, accused of using leaked information and even blackmail to make millions of dollars.

U.S. prosecutors filed criminal charges against 13 people and the Securities and Exchange Commission filed civil charges against 11 in an investigation that has spanned more than a year and is ongoing. One person named in the SEC's complaint does not face criminal charges.

Authorities said some of those accused in the cases used clandestine meetings, disposable cell phones, secret codes and cash kickbacks to elude detection and avoid suspicion.

It was "one of the most pervasive Wall Street insider trading rings since the days of Ivan Boesky and Dennis Levine," Linda Thomsen, director of enforcement with the SEC, said at a joint news conference with the U.S. Attorney and the FBI.

Electronic Discovery strategy today focuses on providing the least amount of data required to satisfy legal requirements. Litigators are careful when asking for data, as they will no doubt be required to reciprocate with the same amount of actionable data. However, amendments to the Federal Rules of Civil Procedure (FRCP) that went into effect on December 1 require that organizations be prepared to locate and produce information in electronic format, including emails, files, and database data, during litigation.

The eDiscovery war has started and these firms will be delivering terabytes of electronic information to satisfy the ongoing process for criminal and civil litigation. These operational and reputational challenges would stress any organization that is not prepared for such demanding and extensive requests for electronic records. Expensive too, at an average of $1,800 per gigabyte.