06 April 2007

Ethics: The Tone at the Top...

Have you had your annual check-up? Is the health of your organization improving or on the way to a potential loss of reputation?

The Board of Director's are consistently talking about how they can create the correct "Tone at the Top" when it comes to ethics and compliance. Global corporations realize the importance of these issues in order to create a focus on competitive advantage and other new "Carrots" rather than the old motivators of fear, uncertainty and doubt (FUD Factor). Employees who are "Beaten with a Stick" in order to comply with federal laws and state rules of conduct are looking for new vision and new methods to improve the health of organizational ethics. An interview with Perry Minnis, Alcoa's Director of Ethics and Compliance highlights this point:

Organizations have always confronted ethics problems, but it seems that only in the last 25 years or so that ethics has grown from an academic discipline into a mandatory department at most corporations. How has this happened?

I believe the heightened awareness can be attributed to several factors: the defense contracting scandals during the Reagan Administration; the issuance, in the early 1990s, of the Federal Sentencing Guidelines, which established criteria for assessing the completeness of ethics and compliance programs; the emergence of high profile scandals - Enron, Tyco, WorldCom, etc.; and the passage of the U.S. Sarbanes-Oxley Act and the associated provisions of the New York Stock Exchange and SEC requirements. Plus companies now have a general sense that a reputation for ethical behavior is a competitive advantage. It engenders customer loyalty and employee allegiance.

Mr. Minnis and other officers like him who are charged with creating the right "Tone at the Top" must cooperate with a multitude of players within the enterprise to address this cultural awareness. Part of this strategy should include the check-up for fraud and the signs that it may be present in certain business units or processes within the organization.

In this Fraud Prevention Check-up tool we are especially pleased to see question number 7:

To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity’s fraud risk assessment. Other measures can include audit “hooks” embedded in the entity’s transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.

The use of automated tools to help prevent fraud from occuring will continue to be just that, a tool. It's imperative that anyone utilizing such mechanisms for early warning remember the taxonomy for an "Incident:"

"Attackers use tools to exploit vulnerabilities to create an action on a target that produces an unauthorized result to obtain their objective."

While the ethics and compliance department teams up with the IT and Security departments to create the policies and implement the tools to deter, detect and defend against fraud, the opposing force is also gaining ground. Hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs are using their own tools to test and to exploit your vulnerabilities.

The three areas that you need to focus on continue to be:

  • Design
  • Implementation
  • Configuration
Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete
All of these actions are directed at their target. Accounts, people, processes, data, components, computers, networks or internetworks. They are looking for and unauthorized result:

  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources
And sadly, when you boil it down to the reasons or objectives they seek to achieve; it usually falls into one of four categories:

  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
Once you understand the entire taxonomy of an "Incident" you are far better equipped to prevent and preempt attacks on your valuable corporate assets. Equally as important is the "Tone at the Top" to set the foundation for an environment that employees embrace and will protect at all costs.

No comments:

Post a Comment