25 February 2012

RSA Conference: CSO Insomnia Over Insider Risk...

Next week in the U.S. there will be thousands of risk management and security professionals invading the RSA Conference in San Francisco. The myriad of topics, education and case studies are worth examining to see what is on the minds of these thought leaders and practitioners who are also designated speakers. You can even look to the popular press to see what the vibe is on what this year's biggest worries will be:

  1. Mobile Devices
  2. Advanced Persistent Threat
  3. Big Data Privacy
  4. Hacktivists

However, if you spend some time drilling down on each of these topic areas and really look at the actual presentations, some are based upon real cases and research and others are not. The one presentation that caught our eye, and continues to be what some savvy CSOs would say keeps them sleeping with one eye open each night, is their insomnia over the "Insider Threat": that person, or organized group of unidentified subjects, who is there to recruit vulnerable people into initiating or perpetuating crimes against the organization.

Dawn Cappelli runs the Insider Threat Center at the Software Engineering Institute and highlights these areas of concern from their research and analysis of real cases:

The CERT Top 10 List for Winning the Battle Against Insider Threats

Dawn M. Cappelli Director, CERT Insider Threat Center CERT Program, Software Engineering Institute Carnegie Mellon University

  • 10. Learn from past incidents
  • 9. Focus on protecting the crown jewels
  • 8. Use your current technologies differently
  • 7. Mitigate threats from trusted business partners
  • 6. Recognize concerning behaviors as a potential indicator
  • 5. Educate employees regarding potential recruitment
  • 4. Pay close attention at resignation / termination!
  • 3. Address employee privacy issues with General Counsel
  • 2. Work together across the organization
  • 1. Create an insider threat program NOW!


Number Three on the list is certainly in the top third, and for good reason. Employees, and the policy decisions on what data is owned by the company and what is owned by the employee, are of grave concern these days in the United States. Now, after so many years, it looks as if this issue is going to get more heated and see the light of day from a congressional point of view. Yet the CSO must feel that the safeguards necessary to keep the organization safe and secure are not in place yet. Catherine Dunn of ALM's Corporate Counsel sheds more light on this:

According to a new White House report on consumer data privacy protection, trust is worth a lot of money to U.S. businesses—users have to know their data will be protected if the economic engine of digital innovation is to keep roaring. Ergo, the U.S. needs a privacy framework that’s “flexible” enough to accommodate industry innovation, and comprehensive enough that consumers will feel safe—and keep clicking.

But trust between consumers and companies in the U.S. is only part of the equation. There’s another important element, too: how compatible U.S. safeguards are with those of the rest of the world, and particularly Europe. This new proposal arrives a month ahead of a conference on data protection between E.U. and U.S. officials in Washington, D.C., leading to questions about whether Europe and the U.S. are any closer to getting on the same page when it comes to data privacy.

The answer not only depends on who you ask, but also what section of the White House’s report you’re looking at. The white paper lists seven principles and stresses that these principles should form the basis of voluntary codes of conduct adopted by industry. Once adopted, the Federal Trade Commission would have the power to enforce compliance to those codes. The paper also includes a call for Congress to pass legislation based on these principles, and devotes a section to “international interoperability”—which considers how data can be sent across international borders without violating laws on either side of the transaction.

This is where we need to make sure we understand the difference between what privacy issues have to do with a company employee and the privacy associated with just a U.S. consumer, who is not an employee but perhaps a member, client or customer of the organization.

If we go back to the big worries at RSA and combine this with the employees who are operating at the "Speed of Business" in your enterprise, you begin to see the difference. Actually, if you think about it some more, every employee of the organization has a duty to care for the information inside the organization, in order to better protect the assets of the enterprise but simultaneously the assets of the consumer.

The consumer assets are their "Personally Identifiable Information" (PII), and this represents in many cases what the organized criminals are after in the first place. This is where the outside recruitment threat starts to have its nexus. However, even the highly trained and state-sponsored agents who are inside the enterprise to steal corporate or national security secrets are few and far between these days. That may be surprising to some, but if you look at how the exfiltration of data is taking place, it's almost all automated. No human intervention is required.

If that is the case, then what are Dawn Cappelli and the Insider Threat Team at CERT so concerned about, based on their research insights?

Criminal enterprises mask their fraud by involving multiple insiders who often work in different areas of the organization and who know how to bypass critical processes and remain undetected. In several cases, management is involved in the fraud. Those insiders affiliated with organized crime are either selling information to these groups for further exploitation or are directly employed by them. Ties to organized crime appear in only 24 cases in the CERT insider threat database and are characterized by multiple insiders and/or outsiders committing long-term fraud.
All of the insiders involved with organized crime attacked the organization for financial gain. The insiders usually were employed in lower level positions in the organization, were motivated by financial gain, and were recruited by outsiders to commit their crimes. The average damages in these cases exceed $3M, with some cases resulting in $50M in losses.


Now you know why your CSO is headed to the RSA Conference this week and why they are sleeping with one eye open these days.

18 February 2012

Security Governance: Rededication...

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reasons. More importantly, security governance frameworks must make sure that the management of a business or government entity be held accountable for their respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in Security Governance.

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance. The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them. However, what the stakeholders can demand, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.


It is this Security Governance management system with which we all should be concerned, and which we seek from our executives, board members and oversight committees. There should be a top management strategic policy to focus on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and how risk assessment will be defined

A process should be established for risk assessment that takes into consideration:

  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

11 February 2012

Homeland Resilience: Operational Risks in the Supply Chain...

The U.S. Homeland Security Intelligence (HSI) priorities are good indicators of what the private sector can expect for government intelligence coordination, cooperation and collaboration in the next few years. Operational Risks to business operations in the United States are ever more complex and increasingly tied to the security of the homeland.

In many cases, the private sector has the answers that can pave the way for improved relevancy and accuracy of information for the government. This translates to greater operational risk management insight that was not previously known, or enhances the clarity of the insights already known to the Homeland Security Intelligence mechanisms. Here are a few of the top-of-mind categories in which the private sector and the public sector could be forging new partnerships:
  • Global Maritime Shipping
  • International Banking & Finance
  • New and Developing E-Commerce Technologies
  • Application and Use of Social Media - Charting Cultural Topography
  • Modeling Human Behavior - Patterns and Applications of Usage
  • Nanotechnology
  • Robotics and Automation - New and Developing Technologies and Uses
  • Drug Flow Modeling - Legitimate North and Southbound Shipping Routes and Vulnerabilities along the SW Border

Why should the private sector be working on these and sharing what they know with the appropriate channels in the U.S. Government? For one, to reduce your own Operational Risks, as you run your business operations across the country and as you operate on a more global basis. Overall, Homeland Security is reliant on a resilient "Global Supply Chain".

International trade has been and continues to be a powerful engine of United States and global economic growth. In recent years, communications technology advances and trade barrier and production cost reductions have contributed to global capital market expansion and new economic opportunity. The global supply chain system that supports this trade is essential to the United States’ economy and is a critical global asset.

Through the National Strategy for Global Supply Chain Security (the Strategy), we articulate the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity. Our focus in this Strategy is the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems. The Strategy includes two goals:

  • Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption.
  • Goal 2: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions.


One of the vital linchpins for achieving these goals will be a converged and globally accepted management system for supply chain resilience. This blog has discussed ISO 28000 in the past, and now that the White House has published the policy direction we need to revisit why this is a private sector imperative:


ISO 28002 Standard for Resilience in the Supply Chain approved by ISO

The latest member of the ISO 28000 series, the ISO 28002 Standard for Resilience in the Supply Chain, has been unanimously approved for publication by the International Organization for Standardization (ISO).

Based on the ANSI/ASIS Organizational Resilience Standard (ANSI/ASIS.SPC.1), the ISO 28002 provides a basis for an organization to evaluate both its organizational and supply chain risks and to develop a comprehensive strategy to manage the risks that may disrupt its operations.

The ISO 28000 series of standards seamlessly integrate with the ISO 31000 risk management standard, thereby allowing organizations to develop a cost effective holistic approach to managing risk.

With ratification of the ISO 28002, the ASIS/ANSI.SPC.1 Standard becomes the only US Department of Homeland Security Private Sector Preparedness (PS-Prep) standard with a ratified ISO counterpart.


For those private sector organizations that are for some reason not familiar with the DHS PS-Prep program, you should be. It is the path towards creating a more resilient private sector, which will have the lion's share of responsibility for keeping the supply chain operating after any significant disruption, whether physical, cyber or both.

So what does all of this mean for the Operational Risk Management Professional of a U.S. business? It means that you have to take it up a notch. Gather the heads of your risk silos from finance, IT, corporate security, human resources and your crisis or continuity of operations section. Look at ISO 28002 as a team and begin the process of digesting what it means to your organization. How could you internalize and even operationalize it together to increase your level of resilience from 36 hours to 72 hours?

What does DP World understand about its importance that you might not?

Tarragona, Spain / Dubai, United Arab Emirates, January 15, 2012:- Global marine terminal operator DP World has achieved a major security milestone with DP World Tarragona achieving ISO 28000 certification – the 40th DP World facility to receive the independently audited award.