Infinistructure: Who Knew What When...

Who knew what when? This is the question of the last few months as we now embark on the path towards recovery.

The Operational Risks that have plagued our aging county, state and federal institutions are growing and the convergence factor has brought us even bigger systemic organizations "Too Big To Fail."

While many will be side tracked by the need to deal with the toxic assets still on the books or in sinking agencies the "Zero's and One's" don't lie.

The information, digital evidence and just pure data audit trails will remain for many to be caught, charged, indicted and then sent before a jury to decide their fate.

Managing risks in the enterprise today takes on many flavors and within several departmental or enterprise domains of expertise.

Whether it be the C-Suite, legal department, the IT department, Internal Audit, Security department or even the Operational Risk Management Committee the "Zero's and One's" don't lie.

Think about how much time the people behind organizational malfeasance spend on trying to cover their tracks, clean up the digital "Blood Trail" of their crimes and wrong doing all the while knowing that someday, a smart investigator or forensic examiner will connect the dots. Game over.

Regardless if you are two paid-off programmers who have been enforcing the "Business Rules" in their software by the boss or an internal threat actor does not matter.

Whether they are copying, stealing, altering or damaging the digital information within the organization does not matter; these Operational Risks still remain constant.

The resources and the money devoted to continuous due diligence, monitoring and preemptive strategy to Deter, Detect and Defend the digital assets of the enterprise need to grow dramatically to stay ahead of the curve.

The best way to figure out “What to do” and “How to do it” will require outside assistance. Moving your digital assets to be professionally managed makes sense for economic and other financially prudent reasons.

Yet this migration away from large numbers of people managing and maintaining your information technology infrastructure internally and on your payroll is just the standard "outsourcing" strategy right?

It has it's own set of 3rd party supply chain set of risks. After your next incident who will be asking: Who knew what when?

Many private sector and government enterprises who are augmenting their COOP and the economic strategy of "Cloud Computing" have realized the smart course of implementing and migrating to managed services and infrastructure suppliers.

"How can the utilization of an "Infinistructure" with the knowledge and application of a legal compliance ecosystem in your enterprise mitigate the risks associated with bad actors, unprepared personnel and the digital loss of key evidence?"

Stay tuned for more on this later. In the mean time remember this.

All of the newest technology, fastest AI computers and neural networks enabled with encryption and secured physical locations will not be enough to save your institution from Operational Risks.

It is just one more piece of the total risk management mosaic, that will still require the smartest people and the most robust policy and processes imaginable.

Who knew what when? This will continue to be the biggest question of the next decade.

operational risk

Cultural Cognition: The Velocity of our Future...

“The true sign of intelligence is not knowledge, but imagination” - Albert Einstein

In the culture that you are part of, there are Trust Decisions being made in seconds based upon rules.  Yet your particular culture has evolved over time, also because of the affinity that your culture attracts other people, just like you.

The question is, who do you really aspire to be?

“How do you make trust decisions about people, associations, tools, or their value when the information upon which you will rely is increasingly digital and intangible?

In a global culture in which digital trust is under attack and degrading, how can you build and engender old-fashioned human trust with your customers, business partners, associates, and employees?” -Jeffrey Ritter - Achieving Digital Trust - P. 21

When you enter the realm of a culture that is constantly being recorded, digitized, captured, communicated and transferred, the behaviors and thoughts of people will be studied.  They will be analyzed and they will be judged.

What are you doing today to learn and improve how you operate in a digital world?  How are you making decisions between trust, and pure risk?

Our cultures are rapidly evolving towards “Artificial Intelligence” and tool sets to assist humans in making more informed decisions, faster.  Why?

Quality and Velocity.

What made you decide to learn Mathematics?  How did you decide to become a Software Engineer?

What made you decide to learn the Law?  How did you decide to become a Lawyer?

You like rules don’t you.  You have a hard time living in a world, where the rules are being ignored or broken.

How fast will you be able to adapt to the change in the “Digital Ecosystems” that mankind has created on our Earth?

The truth is, you and your organizational culture is already in the midst of an “S” curve and you must now “Grow or Die”.

To improve and adapt in a world, that is accelerating and whose velocity is reaching light speed requires new tools and mechanisms to assist us in our “Trust Decisions”.

For those cultures and situations where trust is at stake, the utilization of technological inventions will evolve and grow as the standards for evaluating the truth.

We as humans are already at a point where we are trusting digital devices and machines, more than we trust ourselves.

The Safety, Security and Velocity of the evolution of our Digital Future is at stake.

Now is the time for our cultures to recognize, question, learn and improve how we engage with our machines, our software, our Mathematics and our Law.

It is now all about our TrustDecisions…

CIU: Corporate Intelligence Unit...

Over six years later approaching 2017, Operational Risk Management (ORM) professionals are experiencing the "New Normal."   In a 2010 CSO Magazine sponsored eCrime Digital Watch Report and survey of 535 companies there are some observations on Operational Risk Management worth examination.

This CERT report the same year was focused on the "Insider Threat" and the area of concern is still on "Digital Incidents by Insiders."  Seven years later, these numbers have only increased:

• Past 12 months the number of incidents reported increased 16%
• The per incident monetary loss (mean) was $394,700.00

Yet these two items are just the trend these days as our global work place becomes more mobile and stratified using more partners, offshore suppliers and other 3rd parties to accomplish the daily tasks and workloads. What is even more alarming are the following stats from the survey:

• 72% of the incidents were handled internally without any legal action or law enforcement.
• 29% of these incidents could not identify a subject responsible for committing a crime.
• 35% of these incidents could not proceed due to a lack of evidence.

Interpreting these numbers prompts several questions worth discovering. First, why were 28% of the incidents handled with some form of legal action or law enforcement? One of two reasons that we can surmise. The incident was exposed to the public as a result of the magnitude or harm that was caused by the incident. The organization was prepared to capture evidence, properly investigate the incident and pursue a recovery of the loss either in a civil or criminal process of law.

Second, why were 35% of the incidents unable to proceed due to a lack of evidence? The organization may be lazy or apathetic to these loss events or may have an insurance policy that covers these types of losses and was able to successfully recover the almost $400,000.00 incident average through this process.

Or, the organization is not capable of leveraging a sound "Digital Governance" and "Legal Policy" framework in order to properly investigate incidents that come from their own internal work place ecosystem of employees, partners, suppliers and other 3rd parties.

In order to gain "Strategic Insight" into these vital Operational Risk matters within the enterprise the organization must establish an intelligence-led investigation. Once the proper evidence collection and analysis is completed on the incident then members of a corporate crisis team or threat management council can make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?

The answer to this question has much to do with the previous one where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.

Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance and "Legal Framework"?

• Duty of Care
• Duty to Warn
• Duty to Act
• Duty to Supervise

This blog has touched upon these four vital areas of vulnerability to adversarial litigation in the past because we know that whether you ask these questions internally or the state's Attorney General and the FBI ask these questions the answers must be discovered:

1. What did you know?
2. When did you know it?
3. What are you doing about it?

While the number of loss events due to errors or omissions and many times due to a lack of proper training and awareness programs is growing, so are the incidents as a result of the insider threat from:

• Fraud
• Sabotage
• Espionage
• Trade Secrets Theft

The modern day enterprise with preemptive, robust and collaborative law enforcement mechanisms in place has accepted the reality of the threat perspectives in their workplace ecosystem:

• Some individuals who make threats ultimately pose threats.
• Many individuals who make threats do not pose threats.
• Some individuals who pose threats never make threats.

Make sure you read those a few times. As a result of the reality that the workplace ecosystem is an evolving, dynamic and rapidly changing set of human elements, behaviors and motivations the justification for creating more "Strategic Insight" is a necessary mitigation strategy. There is a growing trend today for these enlightened organizations to create and effectively provide the resources for a corporate threat management team. This team is comprised of a spectrum of members that span the digital to physical domains within the company. This includes the Chief Risk Officer, General Counsel, Internal Audit, Public Relations, Human Resources, Corporate Security and Information Technology.

In another less formal survey by Dr. Larry Barton of 630 employers the question was raised on the employee communication channel that caused the company to act on a risk. 38% were through a digital messaging medium such as e-mail, text messages and blogs or social networking sites. The ability to monitor over one third of employee communication channels remains a daunting task to this day.

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.

What side of the incident spectrum you are on, either proactive or reactive could mean the difference on whether the attackers continue their schemes and attacks while continuously targeting those with the greatest vulnerabilities. In some cases, those attackers include the plaintiff bar and your evidence of "Duty of Care" is the bulls eye.

Digital Citizens: The Integrity of our Trust Decisions...

Operating globally in business requires travel across borders and into less than familiar places.  Operational Risk Management (ORM) is at the forefront of global commerce for good reason.  The tools we use to assist us; range from the smart phone airline App to hold your boarding pass and even the latest travel warnings from the U.S. State Departments "SmartTraveler" App.

Perhaps on your last trip abroad you ditched your regular personal smart phone for a pay-as-you-go model that you could throw away, upon your return.  Most likely a prudent strategy, especially if you are traveling into physical places that are known to be less trusted for their wireless communications infrastructure or for other questionable reasons.

Regardless, the use of a Virtual Private Network (VPN) on connecting a device in any country is worth the extra step of privacy.  OpenVPN or Golden Frog's VyprVPN can provide your iOS or Android device, with an encrypted tunnel to prevent eavesdropping on your Internet traffic.  Again, a wise step to take at all times.

However, even today that may not be enough.  Digital Trust is paramount in a mobile-centric 24x7 business world.  The integrity of communications from the CxO ranks while traveling abroad is vital when interacting with senior staff and other government collaboration partners.  Our Trusted Apps perhaps need to have a new and emerging set of new capabilities going forward.  Marc Canel writes:

"A group of security experts led by ARM, Intercede, Solacia and Symantec collaborated to create a new security protocol for smart connected products.

The companies agreed that any system would be compromised unless a system-level root of trust between all devices and services providers was established. This led to the definition of the Open Trust Protocol (OTrP), which combines a secure architecture with trusted code management, using on mobile devices proven technologies from banking and data applications.

The protocol is now available for download from the IETF website for prototyping and testing. The key objectives of OTrP are to develop:

• an open international protocol based on the Public Key Infrastructure (PKI)
• an open market for competing certificate authorities
• an ecosystem of client and server vendors around the protocol

Collaboration began in early 2015 and soon grew to 13 companies. The alliance worked with the IETF and Global Platform to get OTrP adopted as a protocol within their organizations."

The OTrP protocol adds a messaging layer on top of the PKI architecture. It is reusing the Trusted Execution Environment (TEE) concept to increase security by physically separating the regular operating system of a device from its security sensitive applications.

We have created devices we want to trust.  Our business and global commerce requires the ability to effectively communicate with integrity.  The Open Trust Protocol (OTrP) is only the beginning.

Why?

The foundations of the Internet and the future of Artificial Intelligence (AI) will soon be at a break point.  A place in the growth curve where there is a bifurcation.  If we do nothing, the system will decline and die.  As opposed to being re-engineered now to survive and adapt, to the evolving environment ahead.  A digital environment where machines are talking to machines on a more massive scale at light speed, beyond just digital switches, routers and other mobile (IoT) devices.

The continuous integrity and assurance of our networked infrastructure to enhance "Digital Trust" is already well on its way.  Important foundations have already been established and the transformation steps are underway beyond protocols, with the education of our most promising generation of new software engineering talent.  Here is just one example in Jeffrey Ritter's University of Oxford course, "Building Information Governance":

"To govern information now requires mastery of a diverse, often international, portfolio of legal rules, technology standards, business policies, and technology, all applied across increasingly complex, distributed systems and repositories. The increased scrutiny and requirements of official agencies and business partners impose new requirements for compliance documentation and transparency. This course introduces participants to a structured design approach that will enable strong, responsive and resilient information governance to be incorporated into the design and management of digital assets. 21st century information governance must navigate and embrace records management, privacy, electronic discovery, compliance, information security, corporate governance, and transparency of operations—all of these will be considered in this course."

The future of "Privacy Engineering" is at stake in a mobile commerce digitally trusted environment.  All of the protocols being developed for moving zeros and ones from point A to point B will not mean anything, if we have not effectively enhanced our "TrustDecisions" capabilities and outcomes.

The environment is virtual.  Just like the physical world, there are places that are safe and others that are dangerous and evil.  Since the beginning, the diversity of content and the people who are operating in the environment, are good and bad.  This is the reason the virtual environment of the Internet has rules and the engineered governance that is necessary for the integrity and safety of the global citizens who utilize it.

You have to wonder what our digital world would be like without rules or any governance.  Without the international Rule of Law.  Without the enforcement of international safe havens for people to operate with integrity and in safety.  In the physical world and on the Internet.  It would be global uncontrolled chaos.

As you ascend into the next generation of mobile and global commerce, think harder about "Digital Trust".  How will the Trust Decisions that your business or your country relies on, remain in a safe haven?  Will the confidentiality, integrity and assurance of the underlying data science continually be trusted?

"These forces are concurrently driving transformations that are now already visible in how we structure the governance of our political states, our commercial consortia, our corporate digital ecosystems, and our interactions as individual users with the digital assets of the Net.

Ultimately, the Net succeeds or fails based on the cumulative affirmative decisions of individual humans to trust the networks, systems, devices, applications, and information assets that are the blocks from which the Net is constructed.   For the Net to prosper, and to be functional as a global infrastructure, the values and consequences of building digital trust must be embraced.  That evolution is already underway"...  Jeffrey Ritter

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland?  Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side, with their own General Counsel.  The laws in each state are changing and being updated as the Federal legislation stalemate continues:

Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements By Ellen Moskowitz on July 15th, 2015 Posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identify theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.

If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework.  One that addresses the rules that must be followed and the protocols for building trust with key corporate partners.  This includes the outside counsel that your enterprise engages with on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information?  What do they have in the environments that they operate in that may cause additional legal risks for your enterprise?  Do they understand the difference between information security and confidentiality?

First tier supply chain partners such as outside counsel are no different than the cloud provider or the HVAC contractor that may have access to the corporate network.  So what is the root cause of substantial intellectual property theft and industrial espionage targeted on law firms?  Failing to understand the vast landscape of "Operational Risk."  This includes negligent conduct and intentional misconduct.  So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together:  What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and insured continuous improvement?  Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:

As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined round 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

Metadata: Evidence of Terrorism vs. Crime...

What are the enterprise risks when metadata is legally defined as property?  Operational Risk Management (ORM) professionals are on high alert these days.  The court systems within the EU and now the United States, are building new cases and establishing new arguments.

As a steward of data and providing oversight on the transparency of how information is tagged, sorted, stored and archived, the ORM professional is right in the middle of the debate.  Metadata relevance is known to those who have been practicing the science and art of digital forensics for years.

Does your organization issue corporate devices for use in the workplace or on the job?  What transparency was provided when the digital device was issued on the use and ownership of the data associated with the device?  How many pages is the "Acceptable Use Policy" at your organization?

These policies on Mobile Device Management (MDM) or Bring Your Own Device (BYOD) are not new, yet they are still evolving.  This is because the technology innovation is so far advanced than the current legal precedence or court rulings.  The law will always catch up to technology and now the law is getting to an important milestone.

This however does not change how our adversaries are operating.  The current environment over the relevance of data, or who owns the metadata on our mobile devices, will not change the appetite for those who seek the data or exploit systems to cause failure or destruction.  If all of the laws in our land would stop crime or malicious intent in its tracks, then we could eliminate the entire legal enforcement structure.

The General Counsel and the outside legal teams at your organization are already working to reduce the risk of adverse litigation by employees, partners and customers.  The Chief Privacy Officers (CPO) and Chief Information Security Officers (CISO) are working 24/7 in tandem to operate legally and to insure the confidentiality, integrity and assurance of metadata across the globe.  Unfortunately they operate in an environment that involves humans, using digital devices.

The legal frameworks are quickly responding to the rising digital crime rate across the globe.  They are weary of the "Asymmetric Warfare" being waged by nation states.  Plaintiff lawyers are now preparing their new privacy and data breach cases on a weekly basis.  Organizations are seeking avenues of "Safe Harbor" by using certain products inside their infrastructure.  Yet will this all stem the tide of what weapons the adversaries are deploying, to perpetuate their business or espionage models?

This brings us to a prediction.  We predict the rise of metadata evidence that proves that organizations are the victims of cyber-terrorism, not cyber-crime.  Terrorism not fraud.  And now the courts and the jury pools will now decide what metadata is evidence and what the definition is of "Terrorism" in the cyber realm.  Marketing is a powerful engine to influence buyers.  Buyer beware:

"Last week, the Department of Homeland Security (DHS) certified FireEye under the SAFETY Act, providing their customers protection from lawsuits or claims alleging that the products failed to prevent an act of cyber-terrorism.
The news of the certification was reported by FireEye in a press release, and stipulates that FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are the two products now on the SAFETY Act approved technologies list."

"The core of this is something we’ve been debating for a while: the definition of terrorism, and whether or not it can apply to cyber-stuffs. The end result looks like a legal get-out-of-jail-free card for businesses that use FireEye, but for that to actually happen, it seems like we’d need a computer-related incident or breach to actually be declared an official 'Act of Terrorism' by the US government."

Information Leaks: Risk Of The Data Supply Chain...

There is a well known threat that has been talked about with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals and yet executive management is still in denial that it could happen to us. Have you or someone in your C-Suite ever awakened one morning and wondered how the companies new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company with a similar process being patented a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts, is the amount of information that is still created and allowed to be compromised in some way that is false, fake and designed to confuse the adversary. So what is it, that much of executive management still does not understand about all of this? 

The "source" of the vulnerability that is leaking or allowing the secret or confidential information to be compromised. They still to this day are naive to the potential source. This source is not even inside their own company or organization in many cases. It is within the organizations data supply chain somewhere, but where is it exactly?

The answer is only possible to narrow down, if you absolutely know where your data and secret or confidential information is collected, transported and stored, in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step. Creating a definitive map of who has custody of your data through some kind of third party agreement. The agreement could be with any number of key business partners in your data supply chain:

• Banker
• Venture Capitalist
• Accountant
• Attorney
• Insurer
• Internet Service Provider
• Utility
• Data Telecom Provider
• Wireless Telecom Provider
• Payments Processor
• Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which one of your data supply chain business partners, has the least amount of resources, people and state-of-the-art detection systems for the APT, Zeus, and other mechanisms that are ex-filtrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?

Believe us when we say that if you get that "Deer in the Headlights" look on your business partners face, you are in trouble. You can bet that the attackers are not attacking you, as much as they are attacking your data supply chain. As an example, if you say in public or on your public filings that you have your primary outside counsel firm as "Red, White and Blue," you can be assured that your adversaries will take notice.

You see, just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to do that and it is in person and on site. You may consider this level of due diligence before handing over your business for the merger and acquisition project or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partners controls and capabilities for securing your sensitive, confidential and secret information shall be a first step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list, should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness or ScoutVision on their corporate networks and Good MDM for their mobile devices, that is not going to be enough.  More from Europol:

A decline of traditional hierarchical criminal groups and networks will be accompanied
by the expansion of a virtual criminal underground made up of individual criminal entrepreneurs, which come together on a project-basis and lend their knowledge, expe- rience and expertise as part of a crime-as-a- service business model.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates it's people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust to your digital supply chain.

HSI Governance: Equilibrium of Privacy and Security...

When people are faced with increasing Operational Risk Management (ORM) uncertainty in their organization, our inherent DNA makes us gravitate towards avoiding new risk at all costs. What any new bold policy shift requires to succeed for the masses is to face risk squarely in the eye and to manage it effectively. This is exactly how many private sector intelligence organizations have evolved and continue to thrive in a vast universe of "Open Source" and Electronically Stored Information (ESI).

The U.S. government "Homeland Security Intelligence" (HSI) enterprise has the same opportunity to embrace risk and simultaneously manage it more efficiently and effectively. Over the course of the past decade the U.S. Patriot Act has several controversial provisions that have been implemented, tested and refined. Several of these include Sec. 203(b) and (d) that allow information from criminal probes to be shared with intelligence agencies and other parts of the U.S. government. Another is Sec. 206 that allows one wiretap authorization to cover multiple devices, eliminating the need for separate court authorizations for a suspect's cell phone, PC and Blackberry, for example. The civil liberties debate on Sec. 215 known as the "libraries provision" allows access to records such as what books were checked out at the library or purchased from a bookstore, as long as the records are sought "in connection with" a terror investigation.

The governance of information by the private sector may have either accelerated or detained HSI enterprises in terrorism investigations. One example are the policies private sector Internet Service Providers utilize for records management and "Electronically Stored Information" (ESI) readiness. Electronic discovery amendments to the Federal Rules of Civil Procedure (FRCP) have created the requirement for private sector companies to be more prudent in "Achieving a Defensible Standard of Care."

The risk associated with non-compliance of the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The evidence obtained for Homeland Security Intelligence (HSI) investigations may only be as accessible and obtainable as the effectiveness of a private sector companies ESI policies. How often do they purge their e-mail from databases? How much data storage does the enterprise allow for each person's mailbox? Are there people circumventing the information governance policies in the private or public workplace in order to get their daily business accomplished?

The collection of information for HSI has a parallel path with the collection of evidence and it must be done according to the civil liberties and privacy laws of the United States. It is this balance and equilibrium between the governance of information and the legality of obtaining it for the purpose of a terrorism related investigation that brings us to a potential digital paradox.

Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

In Joshua Cooper Ramo's book "The Age of the Unthinkable","Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system. "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy law enforcement investigator or intelligence analyst on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern Homeland Security Intelligence enterprise or private sector company does not come natural. You have to work at it and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the legal controls, technology and physical security are not going to keep you out of harms way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

operational risk

eDiscovery Risk: The Marketing of Privacy...

Operational Risk Management (ORM) professionals from London to Paris, Berlin to Brasilia and Silicon Valley to Washington, DC are quietly smiling these days.  It is ironic, that now privacy is the new vogue marketing strategy.  After so many years of trying to explain to executives the risks that exist around confidentiality, integrity and assurance of data--now a rogue U.S. citizen charged with espionage, finally has convinced some senior business executives of the value of marketing increased privacy of their technology products and services.  Chris Strohm explains:

While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key. 

The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.

Mitigating the risks of being hacked by a group of criminals stealing personal identifiable information from consumers on a transnational basis has not motivated these same executives to move towards investing in more effective data and information assurance strategies.  Yet now that the adversary has been described by the mainstream media as the U.S. Government, industry executives have started to listen.  Go figure...

What are the industry executives motivation for now improving the confidentiality, integrity and assurance of customers information?  Improved market share and presence.  The payback will be rapid and those organizations that have been in denial that customers expect and demand more systems and tools to protect their information, are now doing an about face.

As we quickly approach Cyber Monday and the commerce of the Internet is at a peak of annual transaction volume, some servers will be talking to each other on encrypted networks for the first time. All seamless to the end user and consumer, yet not to the adversary.  So who really is the adversary these days; the criminal organizations or the U.S. Government?  The strategists mitigating risks at commercial private organizations unfortunately in many cases, see both in the same category.  This is a real mistake and one that should be evaluated, discussed and agreed upon.

You see, U.S. based companies must have an effective symbiosis with it's legal system and rule of law. What does that mean?  Operational Risk encompasses the risks to the institution from a legal perspective.  That means that the process of processing, storing, archiving and retrieving information is subject to the laws of electronic discovery and forensic evidence.  It means that as an organization, having an effective way to encrypt information to stay ahead of the criminal organizations simultaneously requires that your organization is also adaptive to current legal statutes.  Tomorrow, you may need to identify, decrypt and produce evidence to the U.S. Government or as a result of another legal order.

As organization executives embark on the "new new" trend of marketing privacy to their customers, they should also be working along side the legal staff.  The risk management and information technology professionals should be briefing both corporate executives on the implications of being responsive to their consumers and non-responsive to plaintiff lawyers, or the U.S. Attorney or State Attorney General:

Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. 

A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith, reports the Wall Street Journal(sub. req.).

So this is where the marketeers and the legal staff need to get their heads together.  The privacy vs. government legal requests space is still not widely understood inside corporations let alone the average John Q. Citizen, who has never even heard of eDiscovery:

Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."

operational risk

Legal Risk: Over-The-Horizon Digital Radar...

Operational Risk Management is a primary responsibility with an organizations General Counsel. Why?

"The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities."

So if you are a General Counsel or the Chief Legal Officer, your radar is consistently tuned to the "Over -The-Horizon" (OTH) risks that may impact your company, right?  The fact is that managing risk from the General Counsels office may be significantly different than what managing risk means from the CIOs office.

Loss events associated with peoples workplace behavior are many times treated differently than those events associated with a computer "intrusion" or a data breach, that was also caused by human behavior.  The law is a battleground that continues to keep an entire industry busy with offensive and defensive activities and the transfer of risks from one party to another.

What is the legal risk difference between the diversion of company funds to pay bribes in a foreign country and the theft of company trade secrets?  You see, the laws associated with these loss events have different statutes, penalties and legal risk:

On December 17, 2012, Germany-based insurance and asset management company Allianz SE paid more than $12.4 million to settle with the SEC over violations of the books and records and internal control provisions of the FCPA. The activity in question concerned improper payments to government officials in Indonesia. Following common FCPA procedure, Allianz did not deny or admit the SEC’s inquiry. The company disgorged $5.3 million in profits, paid a penalty of $5.3 million, with $1.8 million in prejudgment interest. 

The SEC stated that it uncovered 295 insurance contracts on government projects that were obtained or kept by improper payments totaling $650,626. The payments were made by Allianz’s Indonesian subsidiary. 

The conduct occurred from 2001 to 2008, at which time Allianz was considered an “issuer” under the FCPA because of its activity on the New York Stock Exchange. Even though it was not listed on the exchange, the presence of its bonds and shares on the market made it an issuer and subjecting it to the jurisdiction of the FCPA. The investigation was initiated internally using outside counsel after a whistleblower complaint in 2009.

On December 28, 2012, President Obama signed the Theft of Trade Secrets Clarification Act. S. 3642 (112th). The Clarification Act is a direct response to the Second Circuit’s decision in U.S. v. Aleynikov, 676 F.3d 71 (2nd Cir. 2012). (See details below.) In Aleynikov, the Second Circuit overturned a criminal conviction under the Economic Espionage Act 18 U.S.C. § 1831, et seq., after the court determined that the stolen source code was only used internally for a high-frequency trading system and was not “related to or included in a product that is produced for or placed in interstate or foreign commerce.” The Clarification Act expands Section 1832(a) to cover internal trade secrets “related to a product or service used in or intended for use in” commerce. In addition to the source code at issue in Aleynikov, this expansion could include internal processes of doing business or gathering information that may not qualify for traditional patent protection. More broadly, the quick reaction shows the importance that Congress attaches to this area of the law and puts individuals and companies on notice that increased indictments may occur down the line.

The ethics, compliance and legal components of Operational Risk Management comes down to "Achieving a Defensible Standard of Care" in your organization.  The risk exposures that face your organization will also occur from a more immediate impact, due to a loss of reputation and potential loss of market value.  On all fronts, the stakes remain high.

The modern day legal enterprise is still reactive and slow to respond to the changing environment around it.  The daily battle with legal risk is slow, compared with other risk management fronts within the institution.  The speed of response and the focus on preventive, preemptive or proactive actions is what sets apart the mental states of all of your security risk professionals.  Some people have seconds or minutes to decide and act, others have the luxury of days, months and years.

Unfortunately, for most the costs associated with legal risk are high, no matter who prevails in an incident or case. This fact alone, is why the introduction of a new generation of automated tools and the memory of computer-based evidence is so important.  Decision Advantage.  The law and the law industry is quickly playing catch up.  Practitioners from the technology and legal industry are now even more integrated, while the courts interpret the implications of their rulings on an accelerating mobile digital global society.

You and your team have a tremendous amount of new knowledge to gain, or your enterprise will be consumed by the volume of new Operational Risks unfolding before it.  How complex could this be?

From 'WarGames' to Aaron Swartz: How U.S. anti-hacking law went astray

The 1983 movie "WarGames" led to an anti-hacking law with felony penalties aimed at deterring intrusions into NORAD. Over time, it became broad and vague enough to ensnare the late Aaron Swartz.

operational risk

LEO: The Economics of Remote Digital Forensics...

At the speed of the modern global enterprise, cyber incidents are a growing component of operational risk, according to 1SecureAudit Managing Director and Chief Risk Officer Peter L. Higgins. Digital forensics intelligence provides analysts, investigators and management the ability to make more informed decisions regarding a prudent course of action. Utilizing digital evidence can mean the timely detection of unethical behavior by an employee or the intelligence nexus with kidnapping, child pornography, industrial espionage or terrorism. The legal process in a specific state or country and the preservation of evidence, chain of custody and even early case assessment are now a converging area of concern with local and state law enforcement, prosecutors and defense law firms.

"The 1SecureAudit Digital Forensics Practice capitalizes on the Digital Forensic POD powered by Evidence Talks Ltd. Our systems enable our team of subject matter experts to work on clients cases across the country or across the world," said Higgins. "Our certified professionals using the Digital Forensics POD gives a client quick access to resources that can help with an investigation without the high cost of flying people across the country or the globe."

"A good lesson learned from my first-hand experience in Afghanistan is that we depend on support back home from subject matter experts to help our soldiers remotely without the need to be in the actual combat zone," said Cristian Balan (CISSP, CHFI) of NY Computer Networks.

"We recognized that many police agencies, as well as law firms, needed an affordable solution to help clear up their digital forensics back log," said Craig Cantwell, SVDFL Forensics Laboratory Director. "By teaming up with 1SecureAudit and Cristian Balan and using our remote digital forensics POD systems, we are able to offer more clients a better economy of scale and service at a price that they can justify."

Counselors initial conferences and additional motions for discovery during litigation results in the need for additional digital forensics capacity. The Digital Forensics POD assists with case backlog especially as court dates approach rapidly or many cases at the same time. "We are excited to be working with Peter Higgins and the team at 1SecureAudit, as well as Cristian Balan of NY Computer Networks who brings his full Digital Forensic and Incident Response capabilities to the team," said Cantwell.

1SecureAudit has assembled a team of professionals that are ready to work on clients cases for a secure and timely response. With the advent of Remote Digital Forensics powered by Evidence Talks, the level of service and responsiveness that first responders can provide has increased tenfold. The firm's MetaLogic early case assessment services will ensure both civil and criminal cases are ready for an initial meeting with the legal teams. FlexResponse professional services ensures that client have the additional expertise available on demand as a case unfolds. The law enforcement organization, state or county prosecutors and private law practice now has access to experts across the country or the world at a moment's notice.

For more information visit RemoteForensics.us (http://www.RemoteForensics.us) or e-mail Dispatch@RemoteForensics.us.

operational risk

Crisis Management: ORM & Public Relations Convergence...

Operational Risk Management Executives will be tuning into CBS 60 Minutes Sunday night. If you are a Bank of America stakeholder and your stock dropped 3% on November 30, 2010 because of a WikiLeaks document release, this episode should be on your mind:

(Reuters) - WikiLeaks founder Julian Assange says he enjoys making banks squirm thinking they might be the next targets of his website which has published U.S. diplomatic and military secrets.

"I think it's great. We have all these banks squirming, thinking maybe it's them," Assange told the CBS television program "60 Minutes" in an interview.

CBS released a partial transcript on Friday ahead of Sunday's broadcast of the full segment.

Bank of America Corp shares fell more than 3 percent on November 30 on investor fears that the largest U.S. bank by assets would be the subject of a document release.

Interviewer Steve Kroft asked Assange whether he had acquired a five-gigabyte hard drive belonging to one of the bank's executives, as Assange had previously asserted.

"I won't make any comment in relation to that upcoming publication," said Assange, who is under a form of modified house arrest in England, awaiting an extradition hearing to Sweden for questioning over alleged sex offences that he denies.

WikiLeaks will not be the last whistleblower web site to provide the dirty laundry on what a government agency or public company may or may not be doing as it does it's daily business. The CBS or TMZ media mechanisms remain the outlet for an information economy that fuels the behaviors of modern day paparazzi or contributors to WikiLeaks and it's future competitors.

What are Operational Risk Managers thinking about when these loss events happen? Another lost or stolen laptop by one of the thousands of corporate executives is now a major incident, not one to be taken lightly, perhaps as it has in years past. This is also why these same managers are working in a diligent strategy to emphasize the use of products that will encrypt the whole hard drive on the mobile systems that are being toted around in taxi cabs and on airplanes. The thought of a loss of these tools will be less of an issue as these programs are implemented and every bit of every data on these mobile devices is now encrypted.

The External Affairs, Public Relations and Corporate Communications strategy for a Fortune 500 company is extensive. With Social Media becoming a major component of the Web 2.0 integration and the booming number of PDA's, iPhones and other mobile devices, "Crisis Management" and "Operational Risk" will continue to be two disciplines that need each other more than ever.

Bank of America will survive just as others have before it once the information is released and people have a chance to determine how damaging it could be or not worth the hype to pay attention to it. What will perpetuate beyond the latest PR crisis is the fact that the speed of data, videos, Tweets and Blogs continues to pile up on the hard disks, Jump Drives, IronKeys and servers in "The Enterprise Cloud." How you manage it, secure it and dispose of data is an Operational Risk that will not diminish any time soon.

Who has seen the light when it comes to the utilization of Cloud Computing, and effective document encryption in transit with embedded information security compliance standards? Uncle Sam for one.

WASHINGTON – The U.S. General Services Administration announced today that federal, state, local, and tribal governments will soon have access to cloud-based Infrastructure as a Service (IaaS) offerings through the government’s cloud-based services storefront, Apps.gov. GSA’s IaaS contract award allows vendors to provide government entities with cloud storage, virtual machines, and Web hosting services to support a continued expansion of governments’ IT capabilities into cloud computing environments.

“Offering IaaS on Apps.gov makes sense for the federal government and for the American people. Cloud computing services help to deliver on this Administration’s commitment to provide better value for the American taxpayer by making government more efficient,” said federal Chief Information Officer Vivek Kundra. “Cloud solutions not only help to lower the cost of government operations, they also drive innovation across government.”

The use of new technologies or platforms such as these only provides the Operational Risk Professional with new found ways to mitigate risks, not eliminate them. Therefore, whether you are the CIO at B of A or part of the Federal CIO Council in the United States the fact remains that people will continue to use lost or leaked information to their advantage. This is a threat to the enterprise no different than the loss of power, catastrophic fire or natural disaster. When you have a known threat out there such as WikiLeaks, then you now realize that this must be addressed in your vulnerability assessments and your risk management planning.

Google Apps is now FISMA Certified. Whether the number of incidents increases or diminishes will still remain with the behavior of people and the ability for OPS Risk management to continue to be part of the executive conversation on the risks of data getting into the wrong hands. With this being an inevitable situation, the convergence of crisis management, PR and media communications will increasingly become part of the Enterprise Risk Management team. Let's just hope they keep a seat for the 28 year old IT staffer who supports the implementation of their enterprise apps and the exponential growth of their information cloud.

operational risk

Legal Doctrine: Intelligence - led Threat Assessment...

Corporate Threat Assessment is gaining new momentum as "Operational Risk Management" professionals utilize new business processes and tools to preempt human malfeasance. Whether it is the disgruntled employee who has just been separated from the company or the college student who acts against his math teacher for grades; the question remains: How could this have been prevented?

The Washington Post reports:

A disgruntled 20-year-old student walked into a classroom at the Northern Virginia Community College campus in Woodbridge on Tuesday afternoon and fired at least two shots from a high-powered rifle at his math teacher, authorities said.

The teacher saw the gun, yelled for her 25 students to duck and then hit the floor.

"We heard a boom," one of the students said later. "I thought to myself, did a computer explode?"

The student's shots missed. He put the gun down, sat on a chair in a fourth-floor hallway and calmly waited for police.

Jason M. Hamilton of Baneberry Circle in the Manassas area was charged with attempted murder and discharging a firearm in school zone. He was being held without bail, and police officers said they wanted to question him about a motive.

The legal machine is at work to determine the multitude of reasons why this incident occurred and to collect the evidence in the case. The investigation into "Who Knew What When" will be spinning up almost simultaneously as the plaintiff lawyers determine what opportunities might exist for a law suit. Several areas of questioning for Northern Virginia Community College (NOVA) will include:

1. What evidence is there of a Duty to Care: Did NOVA provide training for professors to alert an internal "Threat Assessment Team" whenever they witnessed or found evidence of specific pre-incident indicators?

2. What evidence is there of a Duty to Warn: Did NOVA warn fellow employees to keep an eye out for any students carrying long slender bags into campus buildings or to monitor parking lots for suspicious activity?

3. What evidence is there of a Duty to Act: Did NOVA provide notice to security employees on the student who was absent during the term for over three weeks ?

4. What evidence is there of a Duty to Supervise: Did NOVA professors report any strange behavior, statements, or even the fact that the student had been absent almost a month?

Human behavioral studies regarding workplace safety suggest, that one in five people come to the institution every day with a serious problem going on in their personal life. This has a dramatic effect not only on workplace performance but also the potential for bad behavior. This bad behavior could be acted out physically or quietly and in stealth mode. In either case, the company, it's employees and the reputation of the institution are at stake. What is your Corporate Threat Assessment Team working on today to preempt the next incident?

As the investigators evaluate the digital evidence in the case such as e-mails, Facebook Wall postings or other information found on a PDA, laptop or home computer the "Smoking Gun" may be uncovered. And when it becomes public, the game changing events will begin to unfold. Many companies feel that having a formal internal "Threat Assessment Team" sends the wrong message to the employees that "Big Brother" is watching. This could not be further from the true state of mind by many employees today. Knowing that a team is proactively addressing the one in five employees everyday in the workplace should provide more peace of mind than the thought of an invasion of privacy.

So what are the typical channels that an employee will use to communicate their grievance or threat?

• Letter - 2%
• Phone message - 5%
• Social Networking site - 7%
• Text message - 9%
• e-Mail - 22%
• Verbal threat - 46%

Source: Laurence Barton, Ph.D. - Current Study to be completed in February, 2010

If this trend continues then over half of the communicated threat will be via a digitally based medium. What is your organization doing today to monitor communications for specific threats to your employees, suppliers or partners? The modification of Acceptable Use Policy and the other legal policy regarding the workplace monitoring of e-mail is not a new phenomenon in many organizations, notably those in the Defense Industrial Base (DIB.)

Recent changes in the privacy settings of Facebook makes much of the information placed in these 350 million profiles public information and therefore, capable of being viewed and analyzed by a proactive threat management team. Here is the analysis from the EFF:

The Ugly: Information That You Used to Control Is Now Treated as "Publicly Available," and You Can't Opt Out of The "Sharing" of Your Information with Facebook Apps

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI." Before, users were allowed to restrict access to much of that information. Now, however, those privacy options have been eliminated. For example, although you used to have the ability to prevent everyone but your friends from seeing your friends list, that old privacy setting — shown below — has now been removed completely from the privacy settings page.

There are legal cases pending and there will be more to come about whether the mining of public data for profiling people is against the law. In most cases, it will be dependent on who is doing the collecting and for what reasons. Yet the most sophisticated systems for doing analytics or the latest matrix or mosaic methodology will not be able to provide a fail safe for the corporate enterprise. This is precisely why the earlier mentioned employer "Duties" are so vital to day to day operational risk management. The actions you take before, during and after an incident will be the most vital to your legal and reputations survival.

TWO computer programmers who worked for convicted fraudster Bernie Madoff were charged with bribery by the US Securities and Exchange Commission today.

Jerome O'Hara and George Perez allegedly took bribes to create false documents and trading records for Bernard L Madoff Investment Securities LLC for more than 15 years, according to the SEC's complaint.

"Without the help of O'Hara and Perez, the Madoff fraud would not have been possible," George S Canellos, director of the SEC's New York regional office, said.

"They used their special computer skills to create sophisticated, credible and entirely phony trading records that were critical to the success of Madoff's scheme for so many years."

Operational Risk Management requires a vigilance of monitoring digital information inside and outside the workplace. Those institutions who combine the correct legal doctrine, business processes and technology will prevail in the vast chaos of litigation and human threats within the workplace.

operational risk

Digital Forensics: Right to Question CSI's...

The US Supreme Courts ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have significant impact on Digital Forensics expert practitioners. Legal cases utilizing the examination of computers and other digital assets containing relevant information will have more testimony by CSI analyst experts. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized in the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the process utilized to support any facts of evidence. This will not be difficult as Best Practices today are being utilized such as the video taping of the entire test and examination. Achieving a "Defensible Standard of Care" will however be even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether it was making a determination on what the blood type was of the accused attacker or the date, time, and place that the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that the subject matter experts will simply be spending more time in court and on the witness stand. This will impact the time it takes to conduct the trial yet the rights to examine the process, expertise and documented procedures for the evidence that has been introduced is an important issue.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to the questioning by counsel. We see an increased attention related in civil matters coming soon. Several states are asking that the outsourced entities associated with inspection of digital assets be licensed by the state itself, as a Private Investigator. This provision would subject the expert authority to also being legally certified in the knowledge of state laws pertaining to civil procedure, chain of custody and legal procedures on the handling of evidence.

The question remains on whether the Supreme Court Justice's were thinking beyond the test for the presence of a drug, as this case was focused on in MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will be utilizing this ruling to go beyond the criminal courts to the civil trials where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

operational risk

Economic Impact: Proving the Truth...

The Madoff investigations into so called "feeder firms" are now gaining momentum. The question on who are the victims and where fraud is suspected continues it's due course. The process of client referrals is not a crime and allegations that correlate this with fraudulent behavior is a flawed mindset. The current basis in the Merkin case has more to do with non-disclosure of where clients money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme,'' Mr Cuomo claimed yesterday.

Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil law suits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".

In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that their own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

• What policies or procedures do you manage in your department/organization?
• What training do you have on the collection and preservation of "Electronically Stored Information"?
• Explain your responsibility or supervision of access controls, folder management, indexing, purging controls and metadata?
• Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case?

The list continues and the IT professionals better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoilation issues. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecuter, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

operational risk

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security and one definition can be found in the EU directive 95/46/EC:^[1]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.

As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too does the plaintiff lawyers. Now the clock starts ticking and each tick gets louder and louder, as different litigation strategies are discussed. In Board Rooms and judges court chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) is being discussed as a legitimate component of evidence and it's relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare, prevent and even preempt a "Data Security Breach" in your organization. This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders internally and external to the company. More importantly, it provides the strategic insight on what vulnerabilities still exist in your particular organizations approach to remediation and legal compliance.

Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. The next one will be different.

operational risk