Showing posts with label Digital Forensics.

30 August 2025

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that together form a comprehensive organizational strategy. Odds are that you have devoted a majority of your time and resources to this point to the passive mode of preparedness and defense: a reactive, alert-oriented focus. The time has come to change the priorities and to increase the allocation of strategy to "Active Measures." Why?

Stuxnet is and was ground zero for a new generation of digital infrastructure cyber weapons.

The attribution game is still going on, with several suspects for who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that sitting back in passive mode, waiting for the next variant or hybrid cyber weapon to attack your critical infrastructure assets, is not enough.

"The most advanced organizations are now taking the "Proactive" stance to not only detect changes in their environment in a more real-time mode, but they are starting to hunt down the attackers."

There is a decision point where you realize that the passive mode will not buy you time nor will it redirect your attackers to other more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared within the private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a solution that is wide enough or in depth enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise.

In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing and how fast it is changing from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter, but what about the intelligence on providers and ISPs somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed?

"In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" (CIU) is alive and thriving."

A proactive intelligence-led investigation doesn't begin with a phone call from someone who says, "My system is down" or "What does this Blue Screen mean?"

It doesn't start when your VP, Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet only possessed by a few.


15 October 2022

Complacency: Zeros & Ones of Safety...

How might you increase your own resilience to known potential risks in your business operations or even personally this week, or this month?

We all know that growing up, Mom and Dad would teach us, “Don’t talk to strangers”. “Don’t play with matches”. “Wear your seat belt”. Why?

Even a U.S. President is famous for his quote: “Trust But Verify”.

Our lifelong history of financial transactions, and our own personal biometric identity, have made their way online and into the Zeros and Ones digital realms of the U.S. government, Google, Amazon, Apple, Nordstroms and even Netflix.

The single phone number and the e-mail address you have retained for a decade or more, tells almost your entire life story. Where, What, When. How.

In the years past, as you were experiencing all the new mobile technologies and digital services available to you, remember that so too were the “Nation States” and the “International Criminal Syndicates.”

You, the “Human Being” operator, are the single greatest risk to your business and your family safety.

Is it possible that your own personality traits are being exploited by commercial enterprises? Yes.

Is it conceivable that every time you provide a phone number at your retail checkout stand to gain rewards, this contributes to your profiling by Artificial Intelligence (AI) algorithms with Data Brokers? Yes.

Your business organization's safety and your own family's potential vulnerabilities to a spectrum of Operational Risks are continuously at stake.

When will you make a commitment to change your behavior and to build a discipline that endures and increases your resilience at work and at home?

So what?

If you as a Mother or Father, or Brother or Sister have ever said, “You can’t have a phone until you are 13,” then you have a personal and vital life opportunity before you.

If our own society that is visible in our own cities and geography, has evidence of rising risk and lower levels of personal safety, you might think of our vast searchable World Wide Web as just the top of the “Iceberg”. 

However, 90% as you may know, is below the surface and not visible, also known as the “Dark Web”.

"Yet most average users of corporate business networks have little insight into the growing losses from ransomware. A review of 2021 8-K filings with the U.S. Securities and Exchange Commission reveals a more complete picture of the financial damage from ransomware." CSO Online by Cynthia Brumfield

It all begins with a click in an e-mail or text message, from those behind the curtain, or below the surface, utilizing their “Social Engineering” processes across millions of users profiles, purchased somewhere on the Dark Web.

Personal Profiles built and donated as a result of your own activities and actions. Why do you think that the “Digital Forensics” industry is booming?

So what is the solution? How can the growing threat ever be minimized?

It begins here. Less complacent attitudes and behavior in the Board Room and the Family Room is our only hope. It is our only proactive solution towards true resilience.

Just Remember. Don’t play with matches or digital unknowns. Teach someone else the same...

14 May 2022

Metadata: What, Who, Correlate...

As you scrolled through your digital feed today on your favorite Social Media App, what did your finger stop and pause upon?

Was it a particular person you were connected with, who was posting a question Poll?  Why this person?

Was it a specific topic of political interest with a headline that caught your attention? Why this topic?

Was it a picture of your favorite place in the city you live in?  Why this picture?

Maybe it was a combination of all, so you then took the time to do some more research, some background, to try to satisfy a curious state of mind that took over your thinking.

What questions did you seek answers to, in your journey to satisfy your own curiosity?

You are exactly the kind of person the state or private entity is watching and measuring.

Cookies and metadata are their tools:

Metadata means "data about data". Although the "meta" prefix means "after" or "beyond", it is used to mean "about" in epistemology. Metadata is defined as the data providing information about one or more aspects of the data; it is used to summarize basic information about data that can make tracking and working with specific data easier.

So what?

The person on this web page or in this rental vehicle, or this retail store has this “name associated” with the user name or mobile device they have carried within 5 feet of the digital sensor:  John Doe’s iPhone 11.

Whether he is on the browser visiting the web page or has the small radio frequency (RF) device in his pocket, it is being measured.  It is being correlated.  It is being shared.

You see, John/Jane Q. Public for the most part does not care.  He does not think about it.  She is unaware of the implications of the IP address, location or metadata they are sharing in their own home, in public locations, or the workplace.

With whom?  The answer to this question depends…

09 August 2020

Intelligence-led Investigations: DecisionAdvantage...

"Whoever wishes to foresee the future must consult the past; for human events ever resemble those of preceding times. This arises from the fact that they are produced by men who ever have been, and ever shall be, animated by the same passions, and thus they necessarily have the same results." --Machiavelli

Operational Risk incidents are surrounding us on a global basis. The continuity of operations in the rescue and relief efforts in Beirut. The security of privacy information and Internet politics with Google and 3+ other global companies. A growing threat while Islam converts continuously flock from across the globe, to conflict zones. The economic integrity of global banking with new rule-sets and continuous funds transfer oversight.

All of these Operational Risk Management (ORM) challenges, require the same intelligence-led investigations, to establish the ground truth and then to enable an effective "DecisionAdvantage."

When does information that is collected become a violation of a person's privacy or legal rights? At the point it is collected from a source, or at the point in time when it is analyzed by a human?

Intelligence-led investigations today include the use of Artificial Intelligence (AI) automated Internet Bots, to troll the Internet and Open Source content (OSINT) for the collectors to find what they are looking for. This begins with a hypothesis and then the development of an algorithm, to carry out the automated mechanism for collection.

These Intelligence-led investigations also include the use of new forensically sound methods and proven procedures for the collection of digital data from a myriad of technology platforms, including laptops, IoT devices and cell phones.

These methods have been proven and certified in the forensic sciences for decades and follow many of the legally bound and court tested rules associated with evidence collection, preservation and presentation.

Digital Forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments to not only discover what they are looking for, but to use this in a court of law to verify the truth.

The monitoring and collection of information associated with people raises questions at the intersection of context, relevance and legality: storing it, analyzing it, and deciding when to destroy it. What is at stake?  The ability to do this effectively inside the walls of the global enterprise corporate headquarters, the Regional Fusion Center or buildings off Rt. 123.

"DecisionAdvantage" is a term that promotes the connotation of competition, safety or defeating an adversary, yet only one will apply as you begin to understand the environment and the circumstances under which information is being utilized for one or the other.

If you are making decisions on the most safe and ideal drop points for water, food and medical triage supplies in a Middle East or an African nation, decisions are being made with information collected from satellites, humans, and perhaps the national geological scientists at CalTech.

It isn't until you take all of these elements into context and establish relevancy with human brainpower, that you will make an informed decision to give you an advantage of improved safety and security to achieve your objectives.

Investigators or Analysts are leveraging the use of 21st century software, hardware and telecommunications cloud infrastructure to more efficiently arrive at the answers.  They utilize the hard hypothesis or questions being asked, and must improve their training, education and awareness of the associated human factors.

Predicting human behavior is difficult if not impossible.

What is more realistic is the utilization of AI systems to assist the human in trying to achieve "DecisionAdvantage".

"History, by apprising...[the students] of the past, will enable them to judge of the future." --Thomas Jefferson

28 June 2020

TrustDecisions: Understand, Decide, Act...

From the Board Room to our modern day asymmetric battlefield, Jeffrey Ritter’s Achieving Digital Trust will open eyes. It provides us with a reference model that management and software architects have been seeking. The survival of the Internet as we know it is currently at stake. This book provides a look into the transparency of "Trust Decisions" and how ensuring digital truth will shape our global governance for decades to come.

"How do you decide to trust digital information that is intangible and cannot be lifted, opened, or flipped through?

What questions do you need to ask to conclude that trust is justified in both digital information and the sources from which you acquire the information?

How do you make trust decisions about people, associations, tools, or their value when the information upon which you will rely is increasingly digital and intangible?

In a global culture in which digital trust is under attack and degrading, how can you build and engender old-fashioned human trust with your customers, business partners, associates, and employees?

Flooded with digital information, devices, and the capacity for others to question decisions, how can you make better decisions, choose the superior alternatives, and reduce the number of decisions that “just take the risk” because of data that is missing or not proven to be reliable?

Can achieving digital trust be proven to be good business and create new wealth in a global, 24/7/365 marketplace that demands increasing velocity while also increasing the risks of living digitally?"
Page 21, Achieving Digital Trust: The New Rules for Business At The Speed of Light - Jeffrey Ritter

Are you reading this on your Macbook?  iPhone?  Or on one of the dozens of variations of devices using the Android Operating System?  Why?

Think about the origin of the words you are reading.  Are they manifested from the brain of a human who is typing the words on a keyboard?  Or could it be a computer creating this digital content purely from some form of artificial intelligence?

How would you judge the trustworthiness of this digital information, if you could verify that it was written by a person vs. a machine?

All of us make split second decisions on who and what we will trust.  By the way it looks.  By the way it moves.  By the way it smells.  By the way it sounds.

Now, make a slight shift in your mind set to the mechanism we define as "Advertising".

How do you as a human accept and process an advertisement in a cognitive way?

cog·ni·tive | \ ˈkäg-nə-tiv
Definition of cognitive

1 : of, relating to, being, or involving conscious intellectual activity (such as thinking, reasoning, or remembering) cognitive impairment

2 : based on or capable of being reduced to empirical factual knowledge

Why are advertisements necessary on the television you watch?  Do you ever find yourself muting the advertisements?  Do you record all of your shows on the DVR so you can purposefully Fast Forward through the Ads?

At the same time, you may have a brand, company or person that you respect and trust.  You are loyal to that brand, company or person for several reasons.  Much of that has to do with "TrustDecisions".

When you read the words in a book by an author with their name printed on the cover, do you value and trust what they have written?  It depends on the author, right?  Who is that person and do you trust that what they have written is worth consideration.
We all have our own trusted sources of information.  Our Go-To authors.  Our news feeds.  Our verified intelligence.
Now visit this company on the Net:  Primer.ai
Now that you have reviewed the company Primer, and you see and think you understand their product solutions, the people behind the software solutions, the investors in the company, what do you think about next?

After all, a web site is just an Advertisement right?  Your Decision to Trust has all to do with words written, colors used, visual pictures and even sounds (think music).

Based upon what you have read and see, do you trust the products and services of Primer.ai?

Based upon what you have read and see or feel or hear, do you trust your Doctor, your Priest, your Lawyer, your Bank, your Airline, your Employer or your Digital VPN?
You see, most people do not even think long enough about the origins of trust or the origin of their own trust in something or someone.  Unless you are in the business of research, questioning or creating hypotheses on an hourly basis.

Or unless those hypotheses can also mean the life or death of another person, and/or the factual truth of something not present to the naked eye, your hearing, your taste or your smell.


hy·poth·e·sis | \ hī-ˈpä-thə-səs
plural hypotheses | \ hī-ˈpä-thə-ˌsēz

Definition of hypothesis

1a : an assumption or concession made for the sake of argument
b : an interpretation of a practical situation or condition taken as the ground for action

2 : a tentative assumption made in order to draw out and test its logical or empirical consequences

3 : the antecedent clause of a conditional statement

When you encounter the conscious world before you, whether it be Face-to-Face with another human, with written words by an author, or by the spoken words of an advertisement or news broadcaster, think more deeply about this.

  • "Every transaction creating wealth first requires an affirmative decision to trust.
  • Building trust creates new wealth. Sustaining trust creates recurring wealth.
  • Achieving trust superior to your competition achieves market dominance.
  • Leadership rises (or falls) based on trust (or the absence of trust)."
Page 35-36, Achieving Digital Trust: The New Rules for Business At The Speed of Light - Jeffrey Ritter

Now that you Understand, it is time to Decide.  Then you must Act... 

13 July 2019

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets are continuously on every Operational Risk Management (ORM) executive's mind these days.  The names Chelsea Manning and Julian Assange have been headline news for years.

In addition, the 2009 conviction under the Economic Espionage Act of 1996 in the United States is a stark reminder of the accelerated requirements for an "Insider Threat Program" (InTP) by the counter intelligence and OPSEC units of major public and private organizations.  Flashback to a decade ago:

"A former Rockwell and Boeing engineer from Orange County, CA was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket."

How 250,000 pages of classified, proprietary and otherwise sensitive information came to be found under this employee's house is a good question. What might be an even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA a decade ago.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being, that exploits the vulnerabilities in the design, configuration or implementation of your layers of defense.

This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the changing personnel within the organization.

In collaboration with the Information Technology organization, the Digital Operational Risks that the OPSEC team is focused on these days have to do with Data Loss Prevention (DLP) software platforms and proactive data exfiltration detection capabilities.

As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences, can be just as effective as the newest software running on the fastest computer box.

One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees?

Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

"The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation."

The "Integrity Interview" is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior, is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies, regarding digital assets and cyberspace access to organizational data repositories.

Individuals who have the characteristics associated with deception, could be the target of a further investigation to determine whether any unauthorized information has been sent to an encrypted webmail account or if a 2 TB Thumb Drive happened to be plugged into a corporate laptop, the night before the last day on the job.
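One way to give the OPSEC team a starting list for those behavioral exit interviews is to correlate the "red zone" roster with endpoint removable-media events. The script below is an added example written for this post, not a DLP product's code; the roster, the log format (`timestamp|host|user|event|detail`) and the log lines are all constructed.

```python
"""Flag removable-media mounts by departing users shortly before their last day.

Added example: a constructed "red zone" roster (users leaving, with whether the
departure was involuntary) is correlated with constructed endpoint log lines so
the OPSEC team can prioritise whom to interview. Not a vendor's DLP logic.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed roster of departing employees.
RED_ZONE_ROSTER = [
    {"user": "jdoe", "last_day": "2019-07-12", "involuntary": True},
    {"user": "asmith", "last_day": "2019-07-31", "involuntary": False},
]

# Constructed endpoint events: timestamp|host|user|event|detail
USB_EVENTS = """\
2019-07-11T22:41:05|LAPTOP-17|jdoe|usb_mass_storage_mount|vendor=Generic size_gb=2048
2019-07-08T09:12:44|LAPTOP-22|asmith|usb_mass_storage_mount|vendor=Generic size_gb=32
2019-07-11T23:05:19|LAPTOP-17|jdoe|usb_mass_storage_unmount|vendor=Generic size_gb=2048
2019-06-01T10:00:00|LAPTOP-17|jdoe|usb_mass_storage_mount|vendor=Generic size_gb=16
2019-07-10T14:00:00|LAPTOP-09|bwong|usb_mass_storage_mount|vendor=Generic size_gb=64
"""


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    host: str
    hours_before_last_day: float
    size_gb: int
    involuntary: bool


def parse_event(line):
    """Split one constructed log line into a dict; detail is key=value pairs."""
    ts, host, user, event, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"when": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "size_gb": int(fields.get("size_gb", "0"))}


def red_zone_findings(roster, raw_events, lookback_days=7):
    """Return mounts by roster users within lookback_days before their last day."""
    last_days = {r["user"]: (date.fromisoformat(r["last_day"]), r["involuntary"])
                 for r in roster}
    findings = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event"] != "usb_mass_storage_mount" or ev["user"] not in last_days:
            continue
        last_day, involuntary = last_days[ev["user"]]
        end_of_last_day = datetime.combine(last_day, datetime.max.time())
        window_start = end_of_last_day - timedelta(days=lookback_days)
        if window_start <= ev["when"] <= end_of_last_day:
            hours = (end_of_last_day - ev["when"]).total_seconds() / 3600
            findings.append(Finding(ev["user"], ev["when"], ev["host"],
                                    round(hours, 1), ev["size_gb"], involuntary))
    # Involuntary departures and larger media first: interview those people first.
    findings.sort(key=lambda f: (not f.involuntary, -f.size_gb))
    return findings


if __name__ == "__main__":
    for f in red_zone_findings(RED_ZONE_ROSTER, USB_EVENTS):
        print(f"{f.user} mounted {f.size_gb} GB on {f.host} "
              f"{f.hours_before_last_day} h before last day "
              f"(involuntary={f.involuntary})")
```

Only the mount the night before the last day surfaces in the default seven-day window; widening `lookback_days` pulls in older mounts and the voluntary leaver, ordered so the involuntary departure still comes first.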

This low tech method may still be one of the most effective means against industrial espionage. Old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasures will not be able to thwart a diligent, patient and trusted insider.

Utilizing "Behavioral Interview Analysis" can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their asymmetric information operations strategy on the corporations and governments worldwide.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy if we are ever going to be effective in protecting our IP and trade secrets.

While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is still conducting the behavioral analysis exit interview.

A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secrets in the purse or backpack at their feet...

01 June 2019

Trust Decisions: Never Stop Questioning...

"Learn from yesterday, live for today, hope for tomorrow.  The important thing is not to stop questioning."  --Albert Einstein

What sources are influencing your "Trust Decisions" today?

The front page of the "Washington Post."  The e-mail from a parent.  The text message from a loved one.  A phone call from your commander or a work supervisor.

What does your future look like next week?  Next month.  Or next year.  You might think you have it all planned out and on your calendar.  Or maybe you have not even thought about it yet.

Which person are you?

One certainty is, that you will experience the unexpected and you will simultaneously be required to adapt, to adjust and to be agile, in order to respond to the changes in your day, your plan and in your life.

As a true leader in your business, in your agency, in your tribe or in your family, is there anyone you know, that asks questions all the time?  Here is a question.  Why does this bother you?

How will you achieve your latest objectives?  Most likely because you have a continuous passion for asking questions.  Then you truly listen.  You take the time to think.  You now make your "Trust Decisions" to act.

Albert Einstein was correct...
Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.

28 October 2018

In Search of the Truth: How you make Judgements or Conclusions...

"Intelligence analysts should be self-conscious about their reasoning processes. They should think about how they make judgments and reach conclusions, not just about the judgments and conclusions themselves." --Richards J. Heuer, Jr.

What is truth and how can we know it?  Alternative hypotheses need to be carefully considered--especially those that cannot be disproved on the basis of available information.

When was the last time you worked on a challenge to disconfirm or disprove a hypothesis?   Our analysts do not have enough time out of their building.  They must start and end the process for "sense making" by using all of their senses, in front of and immersed in the hypotheses they are trying to disprove.

The data-driven mosaics before the people who are looking "Over-The-Horizon" (OTH) are vast.  In many cases, they do not need more aerial imagery, RF data, or more forensic information.  They just need more context and they must spend more quality time actually seeing, smelling, tasting or feeling the environments that they are or will be analyzing.

Who makes the best analysts?  Some would say those who have been there and done that.  Others would say it is better to have people that are not biased and have never done that, yet have the opportunity to experience the environment being analyzed, long enough and close enough, to be able to create valid competing hypotheses.

So what?

false positive noun

Definition of false positive

: a result that shows something is present when it really is not

The test produced too many false positives to be reliable.  This is our greatest vulnerability, and our search for the truth must do all that we can do to eliminate the possibility of false positives.

The mounting challenges and problem-sets before us as "Operational Risk Management" (ORM) professionals are substantial.  Still to this day, the gaps in fundamental knowledge on topics such as "Digital Forensics" are increasing.

The mobile sensors that we carry around in our pockets and purses have become the problem.  Now we have embarked on the mission to call upon the data from the Apple and Samsung devices for a search for the truth.  Are we seeking intelligence or looking for evidence?  There is an incredible difference.

And where does all of this data live?  Have you backed up your iPhone to iCloud lately?  Or perhaps you have an online account with your particular Internet Service Provider (ISP) where you archive your data for safekeeping.  Or maybe you have backed up your data to the multi-terabyte portable drive sitting on your desk.  The possibilities are endless.

In our search for the truth, how do you make judgements and reach conclusions...

03 February 2018

The 3rd Planet: On The Edge of a Digital Precipice...

After reading the Washington Post on February 3, 2018, there is little debate in our world capitals, that we are on the edge of a digital precipice.

Mobile devices in the hands of humans have exponentially changed the transnational landscape for our communications forever.  Yet this digital precipice is just inches away from a tremendous chasm in our cultural, social and legal way of life.

Every organization, now has substantial Operational Risks to manage, within the context of their group, company, enterprise, government and even family.  This alone is not a revelation.  However, if you are a Mother, Father, Brother or Sister, you are constantly challenged by the kinds of risks that plague anyone who dares to explore and utilize the benefits of the modern day Internet.

Our children are growing up faster, as they are exposed to the dark side of life, the evil that is present in our world.  They witness violence, revenge and all of the other negative attributes of society faster than ever before.

The outcomes of mother nature and our natural disasters are always front and center.  The digital controls and censors of broadcast television are no longer pervasive across the content and web sites available, to those who know how to navigate our IP-based digital oceans.

Operational Risk Management (ORM) is now each person's responsibility.  It is no longer in the hands of a few people, in a few departments at your organization.  It is not the role of a single person in your household to make sure the family router is configured correctly.

If you are holding your latest "Digital Device" in your hand, or tapping away on the keyboard of your new laptop, it is your decision to "Give" or to "Take."

Over a year ago, Adam Grant wrote his book.  To get some context in 13 minutes, you can watch the YouTube video of his TED Talk.

We have for years been exposed to the concepts of "Pay It Forward" or even other concepts of reciprocity.  The real question is:  Are you a "Giver or a Taker?"  You might be surprised to learn what Adam Grant's research uncovers.

So what?

The ethics and morals that are embedded in you at an early stage of your life, will most likely continue.  The influence your Mother and/or Father or early childhood caregiver provided you may have made a difference.  Maybe it was an old book they read to you, or someone asked you to read.

We all know that the words, content, pictures, videos and ideas on the other side of that tiny digital screen in your hand are nothing more than a mirror of our own human behavior.  Good or deleterious.

How will you use this iPhone tool today, to be a "Giver or a Taker?"  There might even be another option.  Turn it off and put it in a drawer.  At least for a few hours...but could you for a whole day?

When was the last time you donated your time, expertise, abilities or resources?  What will you do right now, to make a difference on the third planet from the Sun...

25 April 2015

Trust Decisions: Beyond RSA and Our Digital Future...

Trust Decisions are being made every few seconds as we navigate our way across the Internet oceans. After attending the RSA Conference 2015 in San Francisco this past week, there are many unanswered questions for the end users and the industry.  CIOs, CPOs and CISOs across the globe must be in awe of what we have created to try to secure and govern the data flowing through the Internet.

The Operational Risk Management (ORM) landscape at RSA included analytics and forensics, cloud, the C-Suite view, data security & privacy, governance risk & compliance, law, mobile security, policy and government and many others.  Walking the North and South Expo Halls at Moscone Center was an immersion into the complexity and the duplicity of the current state of the information security and privacy ecosystem.

The pursuit of "Digital Trust" is a quest that the human brain is incapable of precisely understanding without the use and aid of our modern computers.  The rulebases are too large and the speed of transactions is too fast for the human brain to process all of the rules simultaneously.  We know why we designed these tools and machines: to augment our human information processing capabilities.

The trust decisions we make to click on a link or download a new app are based upon many factors.  The evolution of the Internet and the trust we have placed in the links across the World Wide Web are now more scrutinized.  The threat of clicking on the wrong link or downloading a malicious file can cost our enterprise hundreds of millions of dollars in losses.

The RSA Conference is more evidence of our continued digital governance failure.  It is also necessary to achieve future progress.  Is it the manifestation of our inability as humans to establish and maintain the trustworthiness of systems and of standards?  The dawn of a new era for making digital "Trust Decisions" is upon us.  How shall we proceed to enable the next generation of the Internet and why?  Over a decade ago, researchers at the USC Information Sciences Institute were on to something:
Traditional trust management solutions [2] do not adequately address dynamic aspects of trust. The pre-configured, coarse and static specification of trust in conventional systems is not consistent with human intuitions of trust [11], an individual’s opinion of another entity that can evolve based on available evidence. Thus, trust relationships evolve over time and require monitoring and reevaluation. The dynamic and temporal nature of VOs (Virtual Organizations) present additional trust management challenges: 
  • temporary, as opposed to long lived, relationships present a major obstacle for trust development, since short term relationships promote “take and run” behavior; 
  • parties may not have pre-existing knowledge about one another, or any prior interactions with one another.
In our massive systems-of-systems and the growing dynamic of virtual environments, "Trust Decisions" are being made at light speed.  The rulebases that are known and the identities and attributions associated with them are constantly changing.

In the next decade and beyond, bringing order to chaos is the ultimate challenge for our industry and our global persistence.  The necessity for nation states to trade and exchange funds in a digital world is paramount.  The barriers to human communication and pervasive language translation are enabled by our digital creativity.  The ability to detect threats and defend ourselves utilizing sophisticated sensors on land and in space, will continue to help preserve our existence.

There are Operational Risk Management (ORM) inventions and new solutions yet undiscovered, that will provide the model and the global standards for making more precise and effective digital trust decisions.  The future is bright...


07 March 2015

Information Leaks: Risk Of The Data Supply Chain...

There is a well known threat that has been talked about with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals and yet executive management is still in denial that it could happen to us. Have you or someone in your C-Suite ever awakened one morning and wondered how the company's new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company with a similar process being patented a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts is the amount of information that is still created, and allowed to be compromised in some way, that is false, fake and designed to confuse the adversary. So what is it that much of executive management still does not understand about all of this? 

It is the "source" of the vulnerability that is leaking or allowing the secret or confidential information to be compromised. To this day they are still naive about the potential source. In many cases this source is not even inside their own company or organization. It is somewhere within the organization's data supply chain, but where is it exactly?

The answer can only be narrowed down if you know absolutely where your data and secret or confidential information is collected, transported and stored in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step: creating a definitive map of who has custody of your data through some kind of third party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Payments Processor
  • Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which one of your data supply chain business partners has the least amount of resources, people and state-of-the-art detection systems for the APT, Zeus and other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?

Believe us when we say that if you get that "Deer in the Headlights" look on your business partner's face, you are in trouble. You can bet that the attackers are not attacking you as much as they are attacking your data supply chain. As an example, if you say in public or in your public filings that your primary outside counsel firm is "Red, White and Blue," you can be assured that your adversaries will take notice.

You see, just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to do that and it is in person and on site. You may consider this level of due diligence before handing over your business for the merger and acquisition project or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partner's controls and capabilities for securing your sensitive, confidential and secret information shall be a first step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list, should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness or ScoutVision on their corporate networks and Good MDM for their mobile devices, that is not going to be enough.  More from Europol:
A decline of traditional hierarchical criminal groups and networks will be accompanied by the expansion of a virtual criminal underground made up of individual criminal entrepreneurs, which come together on a project-basis and lend their knowledge, experience and expertise as part of a crime-as-a-service business model.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates its people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust with your digital supply chain.

25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so called eDiscovery and evidence coming back to haunt them are using these newfound "Privacy Apps."  Buyer beware, and the CxOs should be on the lookout for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks or using their own personal devices, these new apps are indeed collecting potentially discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off the record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps, that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device-to-device.  What this really is about, is called evidence.
Evidence
Law. data presented to a court or jury in proof of the facts in issue and which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users' communications when presented with a court order.

27 November 2011

Intelligence Analysis: Robust and Resilient...

Operational Risks are on the rise for Top Secret America. Now that the "Super Committee" has thrown in the towel, there are several companies beginning to ask what it will mean in the next few years. Intelligence Analysis has been a tremendous windfall for large and small businesses especially in the National Capital Region of the United States.


The analysis of information, from open sources (e.g., information that appears in the news media or on the Internet) to the most sensitive information collected or gleaned from human and technical sources. Since 9/11, there has been an explosion of the amount of information obtained via technical means, particularly imagery and communications intercepts, necessitating new analytic methods of sorting and exploiting incoming information, as well as data mining to discover patterns of information and intelligence contained within huge quantities of data. Document exploitation (DOCEX) and forensic methods are also growing areas of intelligence analysis for captured materials and site exploitation.


39 government organizations and 358 companies are at the nexus of "Intelligence Analysis" according to the work by Dana Priest and William Arkin of the Washington Post. The next 24 months will tell us how this vital discipline begins to morph from agency to agency and company to company based upon who is deemed most essential and what information is most highly valued.

40 large companies, 57 medium companies and 261 small companies, comprise the majority of the firms who are the supply chain to many of the core intelligence apparatus of the U.S. Government. When these supply chains are impacted by the quantity and potential quality of intel, the opportunity for operational risks will increase. If you can imagine a pipeline of information coming from the street and keyboard level, all the way up to the Presidential Daily Brief (PDB) 365 days a year, this is what is at stake.

So what could you expect to happen in the next few years when it comes to the "Intelligence Analysis" pipeline and the rate and quality of information that is flowing to provide "Decision Advantage"? It's going to increase, and for good reason. The traditional nation states and the threat of an attack by conventional means are diminishing. The new threats are morphing into the new normal: the asymmetric methods of warfare in the digital domain.


Congress will pay the FBI an additional $18.6 million to better investigate computer hacking cases, following a federal study that found a third of bureau agents probing breaches significant to national security lacked the necessary networking and counterintelligence skills.
A spending package passed Nov. 17 to fund many federal agencies through September 2012 includes President Obama's full request for $166.5 million to tackle computer crimes, an 11.2 percent increase over last year's appropriations. The bureau must use the money to hire an additional 42 computer security professionals, including 14 special agents, according to a report accompanying the legislation.

The new funds will also assist in the continuous analysis of information to ascertain the origin and the legitimacy of attacks against U.S. Critical Infrastructure, the next frontier for insider threats and cyber terrorists:


An ongoing investigation into the possible hack of a U.S. water plant should trigger a methodical analysis of the security of the nation's industrial systems to avoid jumping to the wrong conclusions, former federal cybersecurity officials say.
The Homeland Security Department's cyber response team and the FBI are gathering facts about a report of a water pump failure in Springfield, Ill., according to DHS officials. Their actions follow a state fusion center alert, first reported by noted security specialist Joe Weiss and later publicized by media outlets, that apparently suggests intruders may have lingered in the system for weeks. Some security experts familiar with the report are attributing the malfunction to a targeted attack originating from a Russian network access point, or IP address. If the report bears truth, then this incident represents the first known intentional intrusion into a U.S. industrial control system.
But some experts caution that many organizations don't have the computer forensics expertise to pinpoint the cause of suspicious network events, let alone the identities of perpetrators.

Intelligence Analysis is alive and well and the education and quality of the analysis will not be disrupted regardless of what law makers may fail to do behind closed doors. Operational Risk Management in the 358 companies is on high alert, yet diligently working to ensure the supply chain is robust and resilient for a long time to come.

07 February 2011

LEO: The Economics of Remote Digital Forensics...

At the speed of the modern global enterprise, cyber incidents are a growing component of operational risk, according to 1SecureAudit Managing Director and Chief Risk Officer Peter L. Higgins. Digital forensics intelligence provides analysts, investigators and management the ability to make more informed decisions regarding a prudent course of action. Utilizing digital evidence can mean the timely detection of unethical behavior by an employee or the intelligence nexus with kidnapping, child pornography, industrial espionage or terrorism. The legal process in a specific state or country and the preservation of evidence, chain of custody and even early case assessment are now a converging area of concern with local and state law enforcement, prosecutors and defense law firms.

"The 1SecureAudit Digital Forensics Practice capitalizes on the Digital Forensic POD powered by Evidence Talks Ltd. Our systems enable our team of subject matter experts to work on clients' cases across the country or across the world," said Higgins. "Our certified professionals using the Digital Forensics POD give a client quick access to resources that can help with an investigation without the high cost of flying people across the country or the globe."

"A good lesson learned from my first-hand experience in Afghanistan is that we depend on support back home from subject matter experts to help our soldiers remotely without the need to be in the actual combat zone," said Cristian Balan (CISSP, CHFI) of NY Computer Networks.

"We recognized that many police agencies, as well as law firms, needed an affordable solution to help clear up their digital forensics back log," said Craig Cantwell, SVDFL Forensics Laboratory Director. "By teaming up with 1SecureAudit and Cristian Balan and using our remote digital forensics POD systems, we are able to offer more clients a better economy of scale and service at a price that they can justify."

Counselors' initial conferences and additional motions for discovery during litigation result in the need for additional digital forensics capacity. The Digital Forensics POD assists with case backlog, especially as court dates approach rapidly or many cases arrive at the same time. "We are excited to be working with Peter Higgins and the team at 1SecureAudit, as well as Cristian Balan of NY Computer Networks who brings his full Digital Forensic and Incident Response capabilities to the team," said Cantwell.

1SecureAudit has assembled a team of professionals that are ready to work on clients' cases for a secure and timely response. With the advent of Remote Digital Forensics powered by Evidence Talks, the level of service and responsiveness that first responders can provide has increased tenfold. The firm's MetaLogic early case assessment services will ensure both civil and criminal cases are ready for an initial meeting with the legal teams. FlexResponse professional services ensure that clients have the additional expertise available on demand as a case unfolds. The law enforcement organization, state or county prosecutors and private law practice now have access to experts across the country or the world at a moment's notice.

For more information visit RemoteForensics.us (http://www.RemoteForensics.us) or e-mail Dispatch@RemoteForensics.us.

03 December 2010

Remote Digital Forensics: OPSEC Continuous Monitoring...

What do Operational Risk Management, continuous monitoring and "Remote Digital Forensics" Intelligence have in common? The digital age is challenging the global enterprise, and the speed and depth of newfound transnational threats require bold outside-of-the-box thinking. Strategic decisions to prevent incidents of data leakage, theft of trade secrets or corporate espionage are on the minds of CEOs and the Office of the General Counsel.

An organization's ability to proactively deter, detect and defend its vital corporate assets requires a focused lens to view the vast digital complexities and simultaneously gain deeper insights. Effective risk management in Global 500 companies encompasses the collection, analysis and action on relevant information. Is the relevant information stored on a mobile laptop, network attached desktop or mobile PDA? Could there be a copy of the document on the server in the form of an e-mail attachment? The objective seems obvious. Think a few steps ahead in order to mitigate the quantity and size of potential loss events where and when they will happen.

Achieving a "Game Changing" strategy to stay one step ahead of today's digitally equipped adversary demands an adaptive process, tools and very smart people. Timely and accurate intelligence-led investigations have historically proven to save many organizations from catastrophic impact to their reputation. That is precisely why Digital Forensics Intelligence (DFI) has been gaining tremendous momentum with the Chief Risk Officer, Chief Security Officer, Chief Information Officer and the General Counsel. One example is the ability for an organization to add forensic intelligence to almost any investigation, to provide additional dimensions of insight and to ascertain whether an employee is a true insider threat or just in non-compliance with your latest "Acceptable Use Policy."

Corporate Digital Forensics Intelligence provides the corporate first responders with the potential evidence required by analysts, investigators and decision makers to make more informed decisions. The ability to more effectively determine a prudent course of action can mean the difference between detecting a simple Internet policy violation and the beginning of a prolonged investigation with a corporate espionage nexus. The legal process in your state or country and the preservation of evidence, chain of custody and even early case assessment are now a converging area of concern with the office of the General Counsel and outside retained law firms.

"Achieving A Defensible Standard of Care" in your organization requires a digital risk governance framework that will withstand the tests of local law enforcement and judicial systems, inspectors general and global federal investigations. Remote and SPEKTOR Digital Forensics Triage has been gaining momentum with corporate enterprise, law enforcement and military investigators for years.

The reason is that certain kinds of investigations can't wait for days, weeks or a month to gain insight and evidence on the digital data stored on a suspect's laptop, desktop or PDA. With the legal corporate policy in place, or search warrants, the fast Digital Forensics Triage process allows First Responders to quickly examine and determine which digital assets need to be seized and which do not have any major "Red Flags". This keeps the corporate Digital Forensics Lab or RCFL from being overburdened with devices that hold no relevancy to a particular case and therefore minimizes the mountain of unexamined digital evidence.

The use of both Digital Forensic Triage and Real-Time Network Forensics solutions directly addresses the compliance requirements in the US Government for "Continuous Monitoring."

How can organizations address advanced persistent cyber threats?

To address the advanced persistent cyber threat requires a multi‐pronged effort by organizations. First, it requires a major change in strategic thinking to understand that this class of threat cannot always be kept outside of the defensive perimeter of an organization. Rather, this is a threat that in all likelihood, has achieved a foothold within the organization. This situation requires that organizations employ methods to constrain such threats in order to ensure the resiliency of organizational missions and business processes. Second, it requires the development and deployment of security controls that are intended to address the new tactics, techniques and procedures (TTPs) employed by adversaries (e.g., supply chain attacks, attacks by insiders, attacks targeting critical personnel). NIST Special Publication 800‐53, Revision 3, includes many new security controls and enhancements (most not selected in any of the control baselines) that are specifically intended to address some of these TTPs. Finally, to enable cyber preparedness against the advanced persistent cyber threat, organizations must enhance risk management and information security governance in several areas.

These include, but are not limited to: (i) development of an organizational risk management and information security strategy; (ii) integration of information security requirements into the organization’s core missions and business processes, enterprise architecture, and system development life cycle processes; (iii) allocation of management, operational, and technical security controls to organizational information systems and environments of operation based on an enterprise security architecture; (iv) implementation of a robust continuous monitoring program to understand the ongoing security state of organizational information systems; and (v) development of a strategy and capability for the organization to operate while under attack, conducting critical missions and operations, if necessary, in a degraded or limited mode.

Operational Risk Management calls for a robust and smart Information Governance Framework whether you are a Global Enterprise or a National Government. As the international WikiLeaks aftermath unfolds it will finally unveil the facts about "How" this incident could have happened. What is certain today is that the answer does not lie with new technology or tools. Human Factors and social engineering will always have the upper hand.

22 March 2010

Legal Risk: Forensic Intel for Investigations...

A wide spectrum of Operational Risk incidents are in the news. Executive Management in the private sector, law enforcement and the military are investigating cases of identity fraud, cyber hacking and insider digital sabotage, transnational economic crime, intellectual property theft, ACH cyber robbery, counterfeiting, workplace violence and industrial espionage. Government agencies and regulatory authorities are increasing oversight, compliance and reporting requirements with the private sector and federal contractors. Inspectors General and Internal Affairs are addressing whistleblower claims and internal corruption. Homeland security and "Connecting the Dots" are on almost every American's mind.

All of these Operational Risk Management (ORM) challenges require comprehensive, efficient and legally compliant intelligence-led investigations to establish the ground truth and then to enable a "DecisionAdvantage." The legal framework that establishes your organization's ability to provide a "Duty to Care", "Duty to Warn", "Duty to Act" and "Duty to Supervise" is imperative.

When does information that is collected become a violation of a person's privacy or legal rights? At the point it is collected from a source, or when and how it is analyzed by a human? These questions and more will be discussed as the dialogue pursues the latest challenges in Forensic Intelligence, a fast and forensically sound data acquisition, analysis and review solution for front line officers from the corporate investigations, law enforcement and government communities.

These Intelligence-led investigations also leverage the use of new forensically sound methods and proven legal procedures for the collection of digital data from a myriad of technology platforms including laptops, PDAs, cell phones and more. These methods have been tested and certified in the forensic sciences for decades and follow many of the legally bound and court tested rules associated with evidence collection, preservation and presentation. Digital Forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments not only to discover what they are looking for, but also to know when to use it in a court of law to find the truth.


10 December 2009

Legal Doctrine: Intelligence - led Threat Assessment...

Corporate Threat Assessment is gaining new momentum as "Operational Risk Management" professionals utilize new business processes and tools to preempt human malfeasance. Whether it is the disgruntled employee who has just been separated from the company or the college student who acts against his math teacher for grades; the question remains: How could this have been prevented?
The Washington Post reports:

A disgruntled 20-year-old student walked into a classroom at the Northern Virginia Community College campus in Woodbridge on Tuesday afternoon and fired at least two shots from a high-powered rifle at his math teacher, authorities said.

The teacher saw the gun, yelled for her 25 students to duck and then hit the floor.

"We heard a boom," one of the students said later. "I thought to myself, did a computer explode?"

The student's shots missed. He put the gun down, sat on a chair in a fourth-floor hallway and calmly waited for police.

Jason M. Hamilton of Baneberry Circle in the Manassas area was charged with attempted murder and discharging a firearm in a school zone. He was being held without bail, and police officers said they wanted to question him about a motive.

The legal machine is at work to determine the multitude of reasons why this incident occurred and to collect the evidence in the case. The investigation into "Who Knew What When" will be spinning up almost simultaneously as the plaintiff lawyers determine what opportunities might exist for a law suit. Several areas of questioning for Northern Virginia Community College (NOVA) will include:

1. What evidence is there of a Duty to Care: Did NOVA provide training for professors to alert an internal "Threat Assessment Team" whenever they witnessed or found evidence of specific pre-incident indicators?

2. What evidence is there of a Duty to Warn: Did NOVA warn fellow employees to keep an eye out for any students carrying long slender bags into campus buildings or to monitor parking lots for suspicious activity?

3. What evidence is there of a Duty to Act: Did NOVA provide notice to security employees on the student who was absent during the term for over three weeks?

4. What evidence is there of a Duty to Supervise: Did NOVA professors report any strange behavior, statements, or even the fact that the student had been absent almost a month?

Human behavioral studies regarding workplace safety suggest that one in five people come to the institution every day with a serious problem going on in their personal life. This has a dramatic effect not only on workplace performance but also on the potential for bad behavior. That bad behavior could be acted out physically, or quietly and in stealth mode. In either case, the company, its employees and the reputation of the institution are at stake. What is your Corporate Threat Assessment Team working on today to preempt the next incident?

As the investigators evaluate the digital evidence in the case, such as e-mails, Facebook Wall postings or other information found on a PDA, laptop or home computer, the "Smoking Gun" may be uncovered. And when it becomes public, the game-changing events will begin to unfold. Many companies feel that having a formal internal "Threat Assessment Team" sends the wrong message to employees, that "Big Brother" is watching. This could not be further from the state of mind of many employees today. Knowing that a team is proactively addressing the one in five employees every day in the workplace should provide more peace of mind than the thought of an invasion of privacy.

So what are the typical channels that an employee will use to communicate their grievance or threat?

  • Letter - 2%
  • Phone message - 5%
  • Social Networking site - 7%
  • Text message - 9%
  • e-Mail - 22%
  • Verbal threat - 46%

Source: Laurence Barton, Ph.D. - Current Study to be completed in February, 2010

Taken together, the digitally based channels (social networking, text message and e-mail) already account for 38% of communicated threats; if this trend continues, over half of communicated threats will soon arrive via a digital medium. What is your organization doing today to monitor communications for specific threats to your employees, suppliers or partners? Modifying the Acceptable Use Policy and the other legal policies governing workplace monitoring of e-mail is not a new phenomenon in many organizations, notably those in the Defense Industrial Base (DIB).

Recent changes in the privacy settings of Facebook make much of the information placed in its 350 million profiles public information and, therefore, capable of being viewed and analyzed by a proactive threat management team. Here is the analysis from the EFF:

The Ugly: Information That You Used to Control Is Now Treated as "Publicly Available," and You Can't Opt Out of The "Sharing" of Your Information with Facebook Apps

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI." Before, users were allowed to restrict access to much of that information. Now, however, those privacy options have been eliminated. For example, although you used to have the ability to prevent everyone but your friends from seeing your friends list, that old privacy setting — shown below — has now been removed completely from the privacy settings page.
There are legal cases pending, and there will be more to come, about whether the mining of public data for profiling people is against the law. In most cases, it will depend on who is doing the collecting and for what reasons. Yet the most sophisticated analytics systems and the latest matrix or mosaic methodology will not provide a fail-safe for the corporate enterprise. This is precisely why the employer "Duties" mentioned earlier are so vital to day-to-day operational risk management. The actions you take before, during and after an incident will be the most vital to your legal and reputational survival.

Two computer programmers who worked for convicted fraudster Bernie Madoff were charged with bribery by the US Securities and Exchange Commission today.

Jerome O'Hara and George Perez allegedly took bribes to create false documents and trading records for Bernard L Madoff Investment Securities LLC for more than 15 years, according to the SEC's complaint.

"Without the help of O'Hara and Perez, the Madoff fraud would not have been possible," George S Canellos, director of the SEC's New York regional office, said.

"They used their special computer skills to create sophisticated, credible and entirely phony trading records that were critical to the success of Madoff's scheme for so many years."

Operational Risk Management requires vigilant monitoring of digital information inside and outside the workplace. Those institutions that combine the correct legal doctrine, business processes and technology will prevail in the vast chaos of litigation and human threats within the workplace.