22 June 2010

Workplace Privacy: Ontario Prevails on Data Audit...

Operational Risk Management professionals in corporate America have been following the Quon vs. City of Ontario case for five plus years. Now the Supreme Court of the United States has ruled 9-0 to increase the clarity on the new age of electronic privacy in the workplace. The LA Times explains:

Washington…In its first ruling on the rights of employees who send messages on the job, the Supreme Court rejected a broad right of privacy for workers Thursday and said supervisors may read through an employee's text messages if they suspect the work rules are being violated.

In a 9-0 ruling, the justices said a police chief in southern California did not violate the constitutional rights of an officer when he read the transcripts of sexually explicit text messages sent from the officer's pager.

In this case, the high court said the police chief's reading of the officer's text messages was a search, but it was also reasonable.

Police Sgt. Jeff Quon had sued the chief and the city of Ontario, California after he learned the chief had read through thousands of text messages he had sent to his wife and a girl friend. Quon won in the 9th Circuit Court of Appeals, but lost in the Supreme Court Thursday.


The scope of the investigation by the employer was not unreasonable and within the scope of determining whether the large amount of text messages was work related. What kind of corporate risk initiatives will be impacted by this ruling?

As corporations continue to battle the "Insider" risk associated with occupational fraud, workplace violence related stalking or sexting, industrial espionage, corruption and violations of acceptable use policies this case will become an example. What will continue to be the challenge for OPS Risk professionals who are responsible for internal monitoring, digital asset audits and insider investigations of potential malfeasance is the scope and reasonable nature of the case.

Get ready for a rush to the local Verizon Wireless or AT&T store for your own personal PDA or iPhone due to Justice Kennedy's ruling:

What’s more, Kennedy suggested that privacy in the modern age has more than one meaning.

“Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. And employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated. “


If you are the CxO responsible for the auditing of digital assets within the enterprise, or the responsible party for insuring privacy in the workplace it's time to convene a two day workshop to review. Take a few days to bring the legal, privacy, IT and business unit deal makers to the same hotel resort country club to converge on this vital issue. The Operational Risks associated with executive communications that were previously thought to be private may be monitored and audited anytime when company assets are being utilized.

The opportunity to work through different workplace related scenarios, highlight the legal rulings and discuss the "What if's" could mean the difference between adversarial litigation and "Achieving a Defensible Standard of Care."

This is also a good time to establish the foundation for the "Corporate Intelligence Unit" within the enterprise:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject.

14 June 2010

CyberCom: Real-time Situational Awareness...

The Operational Risks to your enterprise that are associated with your digital assets, networks and infrastructure are vast. What is your organizations exposure today?

The amount of daily "Cyber Intelligence" flowing into the organization is growing exponentially and there are few hours in the day to analyze it. You have invested hundreds of thousands if not millions on cyber security to keep your corporate systems protected and ready for any significant business disruptions. Electronic Stored Information (ESI) is continuously being discussed at the Board of Directors meetings. Data Breach Notification Laws are being amended and the congressional pipeline for privacy and cyber laws is in full swing in the United States.

AT&T vs. Apple is now gaining momentum in the news media. Exposing cyber security vulnerabilities without a prudent legal process is starting a healthy dialogue. Andrew Dowell at WSJ explains:

AT&T Inc., reaching out to iPad users Sunday to explain why their email addresses were released last week, blamed the incident on "computer hackers" who "maliciously exploited" an attempt by the carrier to speed the process of logging in to its website.

The comments were the harshest yet by the carrier, which apologized for the security lapse and said it would cooperate with any efforts to investigate or prosecute the breach.

"AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers' information or company websites," the company said.

A group of computer experts calling itself Goatse Security uncovered the flaw and then turned the results over to Gawker Media LLC to be made public last week. Escher Auernheimer, a member of the group, said in a blog post overnight that it acted to protect users and chided AT&T for taking several days to inform customers after becoming aware of the security breach.

"If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it," Mr. Auernheimer said. "We know what we did was right."

AT&T sent the comments in an email to the roughly 114,000 users of the iPad 3G it determined were affected by the incident. The carrier said only users' email addresses and numbers that identify their devices to AT&T's network were exposed, and that no other personal or account information was at risk.


What AT&T and the Fortune 500 are going to find out is that they are already paying for hackers to test their online and data security. The only way to continuously determine the effectiveness of risk management controls is to continuously test them in a lab or scenario environment. The "Red Cell" approach to attacking the corporate assets from the "inside out" or the "outside in" provides the intelligence necessary to close the gaps and vulnerabilities.

These penetration or vulnerability tests are necessary and the ecosystem of companies and source and methods is expansive. AT&T and Apple may currently subscribe to annual services that provide the intelligence that gives them an alert of a "Red Flag" in their security landscape. The company that provides the intelligence is paying a substantial fee to a network of sophisticated professionals to exploit the vulnerabilities in software coding. Namely, the design, configuration or implementation of a complex set of technologies to determine where and how these vulnerabilities may pose a threat to your assets.

It's possible that AT&T had the intelligence about it's vulnerability and was working on the patch when the whole thing went public in the media. There is a high likelihood that Microsoft, Adobe, Cisco, Juniper and hundreds of others are working on the updates and fixes to flaws that have been identified in the current versions of their software. The public and the consumer are becoming used to the fact that the challenge continues to be an iterative process and worthy of some levels of patience.

Operational Risk Management is not about eliminating all threats to the enterprise. It is about the speed and accuracy of understanding the current levels and threat vectors so you can effectively deter, detect, defend and document. This "4D" approach to risk management in the rapidly changing, digitally mobile organization of 2010 and beyond is a shift away from pure information security thinking that is housed within the Information Technology Department.

The model for Enterprise OPS Risk Management in the most savvy and enlightened critical infrastructure dependent organizations realize that cyber security is not a department or a unit at the company. It remains a horizontal platform on which all business units and the departments of the organization rest and it's pervasive mechanisms for the security and safety of people, processes, systems and external events must operate 24 X 7 X 365.

Just ask the team at CyberCom about the Cyber Holy Grail ahead:

U.S. Cyber Command, a subdivision of U.S. Strategic Command launched last month to help shield the Defense Department against cyberattacks, has a big job in the months ahead. The command has to protect the entirety of the military’s computer systems, which consists of more than 7 million machines, 15,000 networks, 21 satellite gateways and 20,000 commercial circuits. Unauthorized users probe these systems over 6 million times a day. And now Army Gen. Keith Alexander, CyberCom's chief and director of the National Security Agency, has admitted that the command has a long way to go before it can adequately defend against attacks on military networks.

National Defense Magazine reports that CyberCom currently lacks the ability to view the DoD's digital domain in real time--a weakness that prevents the command from preventing attacks before they happen.

07 June 2010

FCPA Readiness: Training Corporate Aviators...

Operational Risk Management is a topic that rarely comes up at a social event, unless you happen to be talking with a "Naval Aviator". In just a few minutes of explaining the focus of this writers subject matter expertise, the dialogue took on a whole new level. Mike M. immediately began to talk about the many facets of Operational Risk in the context of flying his missions across the globe. He sipped his drink in the back yard under flaming torches as the backyard BBQ buzz was in high gear.

As we continued the conversation on the OPS Risk "All Hazards" point of view and the vulnerability of false or failed information he was clear about one thing. When all fails in the face of pre-planning, contingency exercises and the dawn of a new twist in your mission objectives becomes apparent, your training instinct is what takes over. This may be a true statement when it comes to the military worldview and their obsession with continuous training exercises yet it remains a lofty and sometimes elusive goal in the ranks of the private sector and Fortune 1000 companies.

The private sector company is still eons away from the level of readiness and the ability to call their employees in top shape as it pertains to corporate fundamentals. The Corporate 101 of ethics, compliance and legal risk is typically an hour orientation on the first week of the job. The training associated with protecting company assets and personnel is left to a few people in the Facilities Security Office. Providing the awareness of online threats, phishing and data leakage or privacy is often an online web "Flash" based learning module you must answer to correctly if you want access to the corporate e-mail server.

The serious nature of Operational Risk on the deck of the aircraft carrier operating in the Arabian Sea is light years away from the mind set of the Board of Directors at the latest Quarterly Meeting after a round of golf. You have to ask yourself why there is a difference?

The topic of Risk Management in the context of the corporate enterprise in many cases comes down to lawyers and insurance companies. The perception is that these two devices for risk management will be able to solve any problem that arises or any incident that could eventually occur. This mindset by corporate management is in many cases what causes their eventual downfall.

Investing in the education, training and awareness building of your company employees will in the long run provide tremendous business resilience and longevity. Exercising special diligence in the implementation of the proactive controls for early warning and effective detection will at some point pay off. Just ask companies such as HP or Avon:

Fitch Ratings says there could be rating implications to U.S. corporate issuers with modest free-cash flow or liquidity for violating the Foreign Corrupt Practices Act (FCPA). This is in addition to management distraction, reputational risk and added compliance costs according to a new special report issued today.

In April 2010 alone, three corporations rated by Fitch were the subject of news stories related to the FCPA, including Avon Products Inc. (Avon), Hewlett-Packard Co., and BHP Billiton, Plc. Violation of the FCPA is a criminal offense and average fines have started to increase. Mere indictment can trigger onerous reporting requirements, civil lawsuits and business losses. More important, enforcement activity is set to increase with a primary focus on the pharmaceutical industry.

In the U.S., proposed financial reform legislation in the House and Senate includes rewards for whistleblowers which provide added impetus for corporations to self-report violations. The cost of investigating violations on a worldwide basis can be relatively high, as noted in Avon's recent disclosure that the cost of its current FCPA investigation is expected to be in the $85 million to $95 million range during 2010 after being $35 million in 2009. The $85 million would represent approximately 55% of Avon's 2009 free cash flow. However, Avon maintains substantial cash balances which can easily fund these FCPA investigatory costs.


The Operational Risk associated with corruption on the front-line of business operations is growing. The reason is because of the continued pressure that is being put on the deal-makers and the "Rain Makers" to increase revenue. Companies that must fill the product pipeline with new inventory and the best pricing will continue to operate in risky waters, especially if they are selling their goods and services on a global scale.

As we finished our smoked beef BBQ, corn bread and baked beans "Naval Aviator Mike" came to the bottom line. "When the mission plan goes haywire or the equipment begins to fail, there is only one thing you have left. Your instinct. That instinct is directly hard wired to your training."

We agree and will continue our advocacy of the direct link between an organizations dedication and investment in Business Resilience, Training and Exercises and their ability to survive in today's hostile corporate environment.