02 December 2008

ID Risk Management: Protective Intelligence Factors...

The root cause of the safety and security threat to corporate personnel and assets can be traced back to an identity of someone. It can be said that protective intelligence utilizing the proper Operational Risk Management framework will mitigate the impact of a successful attack. Whether the intelligence is based upon monitoring or proactive and preemptive factors to be alerted to any threat actors who wish to do us harm; you still have to have a valid identity of the "unsub."

Today as you walk into your employer, you may be happy that you are there. This is your sanctuary away from the threat at home. Your work place provides a potential "safe zone" for the next 8 to 10 hours until the work day is over and you have to return to an environment filled with physical and emotional violence. The growing workforce of women in today's corporations are faced with an increasing challenge to keep their jobs and to mask the problems on the home front.

Simultaneously, those who are the root cause of much of the domestic violence are also walking into the same corporation. Who would know that they are the same people that have never been convicted of a crime and yet are beating their wife or girl friend at home? The point is that in your corporate environment today you have a mix of both kinds of people that are the potential threats to your organizational security and safety. Workplace violence is an Operational Risk that requires a proactive protective intelligence mechanism operating on a 24/7 basis. The identities of your employees may be known upon hire, but their changing profiles over the course of their career could change dramatically. Let's illustrate the true picture with some real incidents.

The US Bureau of Labor Statistics has data on 5,488 workplace fatalities in the US in 2007. 610 were homicides, 491 of these were shootings. 22% of these homicides involved former employees yet 43% were current employees. The remaining incidents were committed by non-employees. Understanding the red flags on your current employees and those who have left the organization is the focus here. Your Operational Risk Framework should incorporate the processes, systems and tools to mitigate this relevant internal threat in the enterprise.

The implications of effective identity management go far beyond the operational risks associated with the work place. ID Management encompasses the following domains:

  • Public Safety: Identity theft, cyber crime, computer crime, organized criminal groups, document fraud and sexual predator detection
  • National Security: Cyber security and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
  • Commerce: Mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats and health care fraud
  • Individual Protection: Identity theft and fraud

The research and development community has been focused of late on the use of biometrics. For access controls and other ways to validate true identities; these tools and systems for authentication are vital. Yet the stolen identity to fraudulently obtain a drivers license, passport or visa comes back to our root cause issue. Dr. Gary Gordon and his team at CAIMR are on the right track:

Those challenges, aggravated by the rapid changes in our society, include identity theft and fraud, cyber crime, computer crime, travel and immigration document fraud, and data breaches. They impact individuals, public safety, commerce, government entitlement programs, and national security. As the concept of an identity (or entity) expands in the physical and digital worlds, determining if the person claiming an identity is really that person becomes critical to conducting business, providing access to services and systems, and tracking cyber criminals and terrorists. Responding to these challenges requires a collective effort by the key thought leaders from the public and private sectors, working in concert with academe.

The Center's mission is to conduct applied research in order to provide pragmatic outcomes, utilizing a multi-disciplined approach that draws on the expertise of its diverse members. The results will be specific and measurable, whether they are in the form of industry or law enforcement best practices, technologies, policy adjustments, or training and educational materials.

The Center's purpose is to convene key stakeholders and marshal their respective strengths to help solve very challenging societal problems. Our partners include organizations such as the United States Secret Service, the United States Marshals Service, LexisNexis, VISA, Cogent Systems, Indiana University, Intersections, Wells Fargo & Company, and Fair Isaac Corporation. Our government/law enforcement partners must adapt to quickly evolving identity fraud and cyber crimes. As such, they must understand current attack vectors and prepare for future ones. They need to become more proactive by improving investigations and enhancing training. Corporations are faced with many challenges, including increased fraud losses, compliance and regulatory oversight, and enhancing products and improving services to keep up with the rapidly changing environment. The academic research community is challenged with gaining access to key data sets, tight funding budgets, a limited ability to interact with corporate and government decision makers, and the need to infuse their curricula with cutting-edge research.

Establishing effective tripwires and situation awareness begins with people and may be augmented by technologies and software. CCTV, biometrics and other access controls can become the catalyst for a complacent environment and is no replacement for effective training, education and scenario exercises with personnel.

Protective Intelligence is the front line for early warning and proactive measures to interdict the loss of corporate assets. Having the correct combination of human and technology capabilities will create the most effective means for a myriad of incidents internal to the work place. Application of these these same measures of countersurveillance, monitoring of identities and the lawful use of systems will provide the red flags necessary to preempt incidents external to the institution. In the 21st century, "soft targets" in our critical infrastructure will continue to be exploited for their vulnerabilities:

India picked up intelligence in recent months that Pakistan-based terrorists were plotting attacks against Mumbai targets, an official said Tuesday, as the government demanded that Islamabad hand over suspected terrorists believed living in Pakistan.

A list of about 20 people — including India's most-wanted man — was submitted to Pakistan's high commissioner to India on Monday night, said India's foreign minister, Pranab Mukherjee.

India has already demanded Pakistan take "strong action" against those responsible for the attacks, and the U.S. has pressured Islamabad to cooperate in the investigation. America's chief diplomat, Secretary of State Condoleezza Rice, will visit India on Wednesday.

The Indian government faces widespread accusations of security and intelligence failures after suspected Muslim militants carried out a three-day attack across India's financial capital, killing 172 people and wounding 239.

No comments:

Post a Comment