Tuesday, September 30, 2003

Lost in the Mail

Wall Street & Technology > Compliance > Lost in the Mail: "Dealing With Regulators

At a recent WS&T event on e-mail archiving, Steven Shine, senior regulatory counsel, Prudential Securities, was asked how to deal with regulators.

He explained that if there is an issue, there will be a number of regulators requesting e-mail records - including the Securities and Exchange Commission and multiple self-regulatory organizations, as well as civil litigants (if there is litigation involved). Shine says, 'So what is reasonable under the circumstances and in the case of a joint audit? You've got to be able to deal with regulators and you've got to be able to have the conversation with them and make them understand that no matter what your system capacity is, you're not going to be able to turn around multiple requests and enormous requests in a period of just hours. Twenty-four hours has been the commission standard; sometimes 48 hours. But in the case of enormous requests, multiple requests from multiple regulators and litigants, there's going to have to be a little bit more understanding.'

'What you're going to need to do is have a gatekeeper to make sure priorities are set and that these requests are handled as expeditiously as possible. One other complicating factor - as with any document - before it is turned over to a regulator or to a litigant, it has to be reviewed. You've got to review your e-mails for things such as attorney/client privilege and you've got to do that in electronic medium."

COMMENT:
=======================================
Without deliberate planning, a corporation's electronic data becomes an uncontrolled beast, feeding on ample supplies of electronic files from e-mail systems, computer backup tapes and user desktop PCs. As a result:

• Documents are routinely created and saved without regard to their future evidentiary value.

• Data which must be preserved can be lost or destroyed, subjecting the corporation to claims of spoliation or to severe penalties under the Sarbanes-Oxley Act.

• System backup tapes are sometimes retained far longer than the business or legal requirements of the organization, creating unintentional “de-facto” repositories. Not only are these repositories expensive and unwieldy to search, but they often provide surprise evidence.

• E-mail systems take on a life of their own, housing documents of all types with little regard for storage, organization or retention periods.

The Four Principles of Computer-Based Electronic Evidence

Principle 1: No action taken by law enforcement agencies or
their agents should change data held on a computer or
storage media which may subsequently be relied upon in
court.

Principle 2: In exceptional circumstances, where a person finds
it necessary to access original data held on a computer or on
storage media, that person must be competent to do so and
be able to give evidence explaining the relevance and the
implications of their actions.

Principle 3: An audit trail or other record of all processes
applied to computer based electronic evidence should be
created and preserved. An independent third party should be
able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case
officer) has overall responsibility for ensuring that the law and
these principles are adhered to.

---From the Good Practice Guide for Computer based Electronic Evidence - ACPO
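The following is an added example, not code from the ACPO guide or from this page, of what Principles 1 and 3 look like in practice: the source is wrapped so the acquisition code can only read it, the image is hashed as it is streamed, every step is written to a timestamped audit trail, and an independent party can re-hash the image and compare against the recorded value. The "device" contents, the case identifier and the examiner name are constructed for the example; in a real acquisition the source would be a write-blocked block device opened read-only.

```python
"""Evidence acquisition with an audit trail, following ACPO Principles 1 and 3.

Added example (not from the ACPO guide): an in-memory stand-in for a
write-blocked source, a hashed acquisition, a process log, and an
independent re-verification that must reproduce the same hash.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "device" contents (2055 bytes, so the last block is partial).
# In practice this is a write-blocked block device such as /dev/sdb, opened read-only.
SAMPLE_DEVICE = b"MBR\x00" + bytes(range(256)) * 8 + b"END"


class ReadOnlyDevice:
    """Wraps a byte source so the acquisition code can only read it (Principle 1)."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)

    def read(self, n: int = -1) -> bytes:
        return self._buf.read(n)

    def write(self, *_):
        raise PermissionError("evidence source is write-blocked")


def acquire(device, examiner: str, case_id: str, block_size: int = 512):
    """Stream the source into an image, hashing as we go, and log each step (Principle 3).

    Returns (image_bytes, sha256_hex, audit_log).
    """
    sha = hashlib.sha256()
    image = io.BytesIO()
    log = []

    def record(action, **fields):
        log.append({"ts": datetime.now(timezone.utc).isoformat(),
                    "case": case_id, "examiner": examiner,
                    "action": action, **fields})

    record("acquisition_start", block_size=block_size, tool="example-imager")
    blocks = 0
    while True:
        chunk = device.read(block_size)
        if not chunk:
            break
        sha.update(chunk)
        image.write(chunk)
        blocks += 1
    digest = sha.hexdigest()
    record("acquisition_end", blocks=blocks, sha256=digest)
    return image.getvalue(), digest, log


def verify(image: bytes, expected_sha256: str) -> bool:
    """What an independent third party runs against the image and the recorded hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def audit_trail_json(log) -> str:
    """Serialise the process log for inclusion in the case file."""
    return json.dumps(log, indent=2)


if __name__ == "__main__":
    dev = ReadOnlyDevice(SAMPLE_DEVICE)
    img, h, trail = acquire(dev, examiner="A. Examiner", case_id="CASE-0001")
    print(audit_trail_json(trail))
    print("independent verification:", verify(img, h))
```

The hash recorded at `acquisition_end` is the value that goes on the chain-of-custody form; anyone handed the image later can call `verify` and must get `True`, and a single altered byte turns it `False`.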

Monday, September 29, 2003

WSJ.com - Editor's Note - Workplace Security

WSJ.com - Editor's Note: "

Editor's Note

Is it safe?

That's the opening sentence of our cover story, and it's the driving question behind this entire report.

How much has been done, we wanted to know, to make our workplaces safer in the two years since terrorists destroyed the World Trade Center? How prepared are we in case of an emergency? How vulnerable are our mailrooms to anthrax-type attacks? How secure are our computers to a different kind of threat?

A couple of years ago, such questions might have seemed alarmist, even silly, to most of us. And even now, our interest in them rises and falls, depending on our sense of imminent danger.

Terror alerts are raised -- and we fear that our workplaces are too lax. Then months go by without new threats, and we grouse about having to show our ID cards in the office. Viruses attack our office computers, and we brace ourselves for the coming technical mayhem. Time passes, and we complain that our firewalls are annoying.

So in this report, we wanted to cut through the ups and downs of the public's interest, the day-to-day changes in our perception of danger. And instead we wanted to focus on a simple question: Is it safe?

-- Lawrence Rout"

COMMENT:
========================================
Thanks to our colleague Marc Martin at Kirkpatrick & Lockhart LLP for bringing this report to our attention. The WSJ has done a great job of not only addressing the employee at work, but also at home. You'll need to be a registered subscriber to access the host of articles.

SEC Policy Statement: Business Continuity Planning for Trading Markets

Policy Statement: Business Continuity Planning for Trading Markets:

"A critical 'lesson learned' from the events of September 11, 2001 is the need for more rigorous business continuity planning in the financial sector to address problems of wider geographic scope and longer duration than those previously addressed. These events made clear the possibility of a large-scale regional disaster, resulting in a broad consensus in the financial community that business continuity planning needs to adapt to plan for events of wider scope and, in general, become more robust and resilient.

Since the September 11 attacks, the U.S. securities markets and market participants have taken significant steps toward this goal by demonstrably improving the robustness of their business continuity plans.

The Commission and other financial regulators also have been devoting substantial resources to efforts designed to strengthen the resilience of the financial sector. For example, the Commission, together with the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency, recently published an Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System that identified "sound practices" relating to business continuity planning for certain key market participants.

COMMENT:
=======================================
While the regulators have emphasized the need to test the plans more rigorously, they have still given organizations the flexibility they require for specific operational functions. As an example, they have not "yet" mandated a minimum distance between operational facilities. At some point, organizations will realize their vulnerability in placing both facilities within the same geographic region. This was made all the more apparent in the United States by the recent northeastern blackout and the Mid-Atlantic hurricane events.

Friday, September 26, 2003

You've Been Indicted. The Most Feared Words in the Boardroom

boardmember.com Resource Center - : "You've Been Indicted. The Most Feared Words in the Boardroom
From Corporate Board Member - Resource Center

By Peter L. Higgins

Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an 'effective program to prevent and detect violations of law.'

The Guidelines contain criteria for establishing an 'effective compliance program.'

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

1. Systems for monitoring and auditing

2. Incident response and reporting

3. Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can't pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Board of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas and how can they be addressed without creating a state of fear and panic?

Thursday, September 25, 2003

Risk officers serve well as nags

Risk officers serve well as nags: "By BILL VIRGIN
SEATTLE POST-INTELLIGENCER COLUMNIST

Whatever business they're in, most companies follow a fairly standard model for organizing the executive suite: Chairman, president, chief executive officer (often combined in one person), chief financial officer, chief technology officer, chief risk officer, chief ...

Wait a minute. What was that last one?

Chief risk officer isn't a title you see very often in corporate executive structures. Expect to see it more frequently."

COMMENT:
========================================
The Chief Risk Officer will in most cases also have a VP of Operational Risk and Credit or Market Risk reporting to them. The goal here is to put specialists into roles that have high accountability to the CEO and the Audit Committee. Now if we could just get the CSO (Chief Security Officer) to report into the same suite instead of being imprisoned by the CIO and technical side of the business.

Wednesday, September 24, 2003

Davis To Sign Anti-Spam, ID Theft Legislation

NBC 4 - Technology - Davis To Sign Anti-Spam, ID Theft Legislation: "Spammers Could Be Fined Up To $1 Million

LOS ANGELES -- California will become the first state in the nation to prohibit Internet advertisers from sending unsolicited e-mails known as spam, under legislation that Gov. Gray Davis said he would sign Tuesday.

The anti-spam legislation targets not only the firms that package and send the unwanted e-mails to consumers, but also the companies whose products and services are being advertised. The measure covers all unsolicited commercial e-mail sent or received in California and imposes fines of up to $1 million per incident.

'There are no loopholes, no way of getting around it,' said the bill's author, state Sen. Kevin Murray, D-Los Angeles. 'We are confident that this is going to stop the billions that we are losing to spam.'

Murray said California is the first state to take such a step against spam."

Tuesday, September 23, 2003

Software Helps Banks Comply With Patriot Act

Bank Systems & Technology > Software Helps Banks Comply With Patriot Act > September 23, 2003: "Software Helps Banks Comply With Patriot Act
Steve Marlin
Sep 23, 2003

As financial institutions scramble to comply with the federal government's Oct. 1 deadline for implementing strict customer-identification procedures, they're looking for technology to scour transactions for patterns of fraud. The USA Patriot Act is aimed primarily at banks, investment firms, insurance companies, and stock and commodities exchanges, regarded as gatekeepers of the nation's financial system. At a minimum, they must put in place procedures to collect information on customers when they open accounts to verify that customers are who they say they are and check whether customers appear on terrorist lists. Records must be retained for five years after an account is closed. The law applies to any organization deemed a likely target for illicit cash, including pawnshops, travel agents, casinos, precious-metals dealers, and money-transfer agents. "

Cyber Threat - Some Fear Computer Attacks Could Cause or Intensify

Overseas Security Advisory Council: "Cyber Threat - Some Fear Computer Attacks Could Cause or Intensify Physical Terror
from ABC News on Tuesday, September 23, 2003

Evildoers commandeer thousands of home computers, creating a virtual army that knocks down chunks of the Internet. Computer infections hit a nuclear plant, crash a 911 system, snarl train service and shut down ATMs. A neighborhood glitch compromises air traffic control computers. It's all happened before, security experts say.

Luckily for America, it hasn't happened all at once yet.

There is skepticism, but some fear it could. The recent accidental power outage which took out tens of millions of electricity consumers also spurred concerns.

'The Northeast power blackout ... could happen as a result of a terrorist attack using cyber [methods],' said Richard Clarke, America's former cybersecurity czar, now an ABCNEWS consultant.

'[There are] a lot of people in the Department of Homeland Security that believe the only terrorist events worth worrying about are the ones with explosions and bodybags, and that's a very 20th-century way of looking at the problem,' Clarke added. 'In the 21st century, cyberspace is what controls the country.' "

Monday, September 22, 2003

Report: Lenders miss most ID theft

Report: Lenders miss most ID theft : "To banks, cell phone firms, it just looks like unpaid bills

By Bob Sullivan
MSNBC

ID theft has grown so far, so fast, because financial institutions and other lenders have missed it. A massive study of 200 million new credit card, checking account and cell phone accounts opened during 2001 with participants like Citibank, Dell, Bank of America, and T-mobile shows that 7 out of 8 identity thefts are mis-categorized as simple credit losses by lenders."

Friday, September 19, 2003

JetBlue violates privacy policy

CNN.com - JetBlue violates privacy policy - Sep. 19, 2003: "NEW YORK (AP) -- Violating its own privacy policy, JetBlue Airways gave 5 million passenger itineraries to a Defense Department contractor that used the information as part of a study seeking ways to identify 'high risk' airline customers.

The study, produced by Torch Concepts of Huntsville, Alabama, was titled 'Homeland Security: Airline Passenger Risk Assessment.' The apparent goal of the report was to determine whether it was possible to combine travel and personal information to create a profiling system that would make air travel safer.

The New York-based airline sent an e-mail apologizing to angry customers and said it has taken steps so the situation will not happen again. 'This was a mistake on our part,' JetBlue chief executive David Neeleman said.

Neeleman insisted the data JetBlue provided was not shared with any government agency and that Torch has since destroyed the passenger records"

COMMENT:
========================================
Actually, now that I think about it, I have no comment. Except that Mr. Neeleman has lost this customer.

Thursday, September 18, 2003

Operational Significant Event Imagery

Operational Significant Event Imagery: "The Operational Significant Event Imagery team produces high-resolution, detailed imagery of significant environmental events which are visible in remotely-sensed data available at the NOAA Science Center in Suitland, Maryland."

COMMENT:
========================================
This site will give you a "Bird's Eye View" of potential environmental threats to your organization including fires, floods, storms and other events.

Arkansas Rulings May Hurt Reputation Of Pricewaterhouse 

By JONATHAN WEIL and CASSELL BRYAN-LOW
Staff Reporters of THE WALL STREET JOURNAL

TEXARKANA, Ark. -- A pair of judicial orders sanctioning PricewaterhouseCoopers LLP for misconduct in a civil lawsuit here cast a harsh spotlight on the accounting firm and its top U.S. partner, Chairman Dennis Nally, as well as their recent efforts to restore public trust in the firm.

The orders by Miller County Circuit Court Judge Kirk D. Johnson include findings of document destruction by the firm and misrepresentations by the firm to the court about Mr. Nally's knowledge of the facts underlying the suit. The findings prompted Judge Johnson to sanction PricewaterhouseCoopers $50,000 in a March 28 order for engaging in a "systematic course of conduct intended to obstruct the discovery process."

A PricewaterhouseCoopers spokesman Wednesday said Mr. Nally was unavailable to comment. In a court filing Friday, opposing a motion by the plaintiff in the case for further sanctions, PricewaterhouseCoopers wrote that "PwC has taken steps to preserve, collect and produce documents responsive to plaintiff's discovery requests. Those efforts have resulted in the production by PwC of hundreds of thousands of pages of documents, approximately 80 CD-ROMs of engagement letters (roughly equivalent to one million additional pages of information) and an additional 24 CD-ROMs and 2 DVD-ROMs of billing and invoice data (roughly equivalent to an additional two million or more pages of documents.)."

COMMENT:
=====================================
Two items worth mentioning here:

1. Reputation Risk is an intangible reality. For a firm that counsels its clients on the same, this will cost them dearly. I trust they are using some of their own strategy here on how to handle this.

2. Electronic Discovery and Retention Planning. This firm already has experience in the forensic investigation process, and already knows how to meet the toughest demands on its data centers. Desktop data, e-mail documents and backup tapes are frequently sought as part of the litigation process. In addition to your active systems, you may be required to analyze data residing on equipment which is no longer supported, or on tapes for which you no longer possess compatible drives. As a discovering party, you may be tasked with creating a database of responsive documents, having been provided with large volumes of electronic files in a host of data formats. Then you have to search and filter these files, de-duplicate them and convert them into formats compatible with your input requirements.
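As an added example of the search, filter and de-duplicate step described above (not the firm's or the page's own code), the block below takes a constructed collection of files gathered from desktops, mail stores and a tape restore, collapses identical content by SHA-256 regardless of path, flags which unique documents are responsive to a set of search terms, and marks the responsive ones that also contain privilege indicators so they are routed to review before anything is produced. The file contents, paths, search terms and privilege terms are all constructed for the example.

```python
"""De-duplicate a collected document set and build a review manifest.

Added example (not the firm's or the page's code): identical content under
different paths is collapsed by content hash, then each unique document is
tagged as responsive and/or needing privilege review.
"""
import hashlib
import re

# Constructed sample collection: (path, raw bytes). The same engagement letter
# turns up three times, as it would across a desktop, a mailbox and a tape restore.
COLLECTION = [
    ("desktop/alice/engagement.txt", b"Engagement letter for Acme audit FY2001"),
    ("mail/bob/attach/engagement (1).txt", b"Engagement letter for Acme audit FY2001"),
    ("tape07/restore/engagement.txt", b"Engagement letter for Acme audit FY2001"),
    ("desktop/alice/lunch.txt", b"Lunch menu for Friday"),
    ("mail/carol/privileged.txt", b"Attorney-client: advice on Acme litigation"),
    ("mail/dave/notes.txt", b"Billing notes for Acme, Q3"),
]


def content_hash(data: bytes) -> str:
    """Hash of the bytes, not the path, so renamed copies collapse together."""
    return hashlib.sha256(data).hexdigest()


def build_review_manifest(collection, search_terms, privilege_terms):
    """Return one manifest entry per unique document.

    Each entry carries the hash, every path it was found under, whether it
    matched a search term, and whether it must go to privilege review first.
    """
    term_re = re.compile("|".join(re.escape(t) for t in search_terms), re.I)
    priv_re = re.compile("|".join(re.escape(t) for t in privilege_terms), re.I)

    by_hash = {}
    for path, data in collection:
        h = content_hash(data)
        entry = by_hash.setdefault(
            h, {"sha256": h, "paths": [], "text": data.decode("utf-8", "replace")})
        entry["paths"].append(path)

    manifest = []
    for entry in by_hash.values():
        text = entry.pop("text")
        entry["responsive"] = bool(term_re.search(text))
        entry["privilege_review"] = entry["responsive"] and bool(priv_re.search(text))
        manifest.append(entry)
    return manifest


def production_set(manifest):
    """Documents that can be produced now: responsive and not held for privilege review."""
    return [e for e in manifest if e["responsive"] and not e["privilege_review"]]


if __name__ == "__main__":
    m = build_review_manifest(COLLECTION, ["Acme"], ["attorney-client", "privileged"])
    for e in m:
        print(e["sha256"][:12], len(e["paths"]), "copies",
              "responsive" if e["responsive"] else "not responsive",
              "(privilege review)" if e["privilege_review"] else "")
    print("ready to produce:", len(production_set(m)))
```

Six files become four unique documents; the duplicate paths are kept on the manifest because the regulator or litigant may ask where each copy was found, but only one copy is reviewed and produced.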

Australia law aims to cut spam

CNN.com - Australia law aims to cut spam - Sep. 18, 2003: "CANBERRA, Australia (AP) -- People sending unsolicited e-mail advertisements and messages known as spam could be fined more than a million Australian dollars (US$660,000) under tough new laws proposed by the Australian government.

Introduced to the Australian Parliament by federal Communications Minister Richard Alston, the Spam Bill 2003 would fine spammers up to A$1.1 million (US$726,000) a day for sending illegal messages.

'Spam is a menace to home and business e-mail users and is a major scourge to productivity,' Alston said in a statement Thursday. 'It is commonly used to promote illegal, offensive and unscrupulous ventures such as black market drugs, celebrity porn, bogus prizes, Nigerian money laundering and other false and or fraudulent material.'

But Alston acknowledged the proposed law, which would likely come into force next year if it passes Parliament, would only tackle spam originating in Australia and that the legislation must be backed up by software designed to stamp it out. "

MediaGuardian.co.uk | Web firms rubbish ministers' email plan

MediaGuardian.co.uk | New media | Web firms rubbish ministers' email plan: "Owen Gibson
Thursday September 18, 2003

Internet giants including Freeserve, AOL and BT have lambasted government plans requiring them to retain every email and web page accessed by their customers for up to a year.

They have warned such a move could lead to chaos and higher prices for customers, and attacked legislation for amounting to snooper's charter out of keeping with consumer rights legislation.

'The government has not satisfied the industry that the data they wish to retain is of use to law enforcement agencies,' said Jessica Hendrie-Liano, who heads up a lobby group for ISP firms.

The government has outlined proposals to force internet service providers to retain logs of every email their customers send and every internet site they visit for up to 12 months.

It believes it is a vital weapon in the fight against online crime and particularly paedophilia, with growing evidence from high profile cases of internet child porn, online fraud and paedophiles using online chat rooms to 'groom' possible victims."

COMMENT:
========================================
Look for increased prices in the next year from your ISP as they have to lease more expensive real estate and build out additional infrastructure.

Wednesday, September 17, 2003

Weakened NYSE Faces Host of Challenges

SEC Is Investigating Governance;
Rivals May Be Able to Capitalize;
Lobbying in Capitol Is Hampered

By KATE KELLY and SUSANNE CRAIG
Staff Reporters of THE WALL STREET JOURNAL

With Dick Grasso stepping aside, the New York Stock Exchange now faces a series of challenges without its most ferocious and familiar advocate.

The NYSE chairman and chief executive officer tendered his resignation at an emergency board meeting late Wednesday, ending a 36-year career at the Big Board.

Mr. Grasso's resignation came amid intensifying criticism about his compensation, details of which were released in late August. The compensation package included $139.5 million in deferred compensation that Mr. Grasso had agreed to withdraw as part of a contract extension into 2007. Last week, the NYSE disclosed that he had also opted to forgo an additional $48 million in deferred compensation. The Wall Street Journal had reported details of Mr. Grasso's compensation in May.

Among the issues facing the Big Board were a Securities and Exchange Commission inquiry into the NYSE's corporate-governance policies; an SEC examination of market structure; and questions about the NYSE's status as a self-regulatory organization.

Bank One Calls Attention to ID Theft

Bank One Calls Attention to ID Theft: "September 16, 2003
Bank One Calls Attention to ID Theft
By Mark Berniker

Bank One is partnering with the US Postal Inspection Service and other government entities for a new national crime prevention campaign to raise awareness among business and consumers facing the specter of identity theft.

'Today's initiative is a coming together of a number of initiatives concerning the growing problem of identity theft,' said Chris Conrad, senior vice president of fraud management for Bank One.

Conrad told internetnews.com more than three million brochures will be mailed to individuals in areas of the country where identity theft has been most prevalent.

'Identity theft is significant, serious and a growing concern. It's something that consumers and businesses need to get educated about, and this public awareness program is designed to help,' Conrad said.

The name of the identity theft public awareness program is: 'Operation: Identity Crisis,' a national crime prevention campaign to help the general public guard themselves against identity theft, the fastest growing crime in America. "

Tuesday, September 16, 2003

Terrorist Screening Center Announced

Terrorist Screening Center fact Sheet: "

Today, Attorney General John Ashcroft, Secretary of Homeland Security Tom Ridge, Secretary of State Colin Powell, FBI Director Robert Mueller, and Director of Central Intelligence George Tenet announced the creation of the Terrorist Screening Center (TSC) to consolidate terrorist watchlists and provide 24/7 operational support for thousands of Federal screeners across the country and around the world. The TSC will ensure that America's government screeners are working from the same unified, comprehensive set of anti-terrorist information when a suspected terrorist is screened or stopped anywhere in the Federal system."

COMMENT:
========================================
"Names" are the name of the game. Do you have an employee or are you doing business with someone on the TSC watchlist? Only they know how many different ways there is to spell/speak Haj Mohd Othman Abdul Rajeeb across the Arabic World.

Security Gets Top-Level Attention

Optimize Magazine > Executive Report / Security > Security Gets Top-Level Attention > August 2003 : "
By Tom Stein
September 2003, Issue 23

Akhil Bhandari, VP of IT at CCL Industries Inc. in Toronto, has noticed an interesting trend. Lately, members of the executive team have been sending him E-mail about viruses, security breaches, and acts of cyberterrorism they've read about in the news. These executive including the CFO, COO, and even the CEO just want to make sure the $1.2 billion contract manufacturer of popular consumer products is adequately protected.

'Security is certainly more of a discussion point among executives these days,' Bhandari says. 'More than ever, I have to keep our executive team abreast of what's happening out there and what we need to do about it.'

Bhandari isn't alone. A recent survey of 815 business-technology and security professionals, jointly conducted by Optimize and InformationWeek, found that senior executives are taking a greater interest in information-security issues and having a stronger say in how security dollars are spent.

Significantly, more than half of the survey respondents said regulatory requirements are the primary drivers of new investments in information-security products and services. Other reasons cited include potential liability/exposure (70%), potential revenue impact (41%), and partner/vendor requirements (24%)."

COMMENT:
========================================
Now the question remains: how do you allocate the funding to protect your most valuable intangible asset, corporate reputation?

Corporate governance isn't a dirty word, honest

Herald Sun: Corporate governance isn't a dirty word, honest [16sep03]: "By Geoff Elliott
16sep03

SOME executives might have dismissed it as a concept revolving around the right words in an annual report but it looks like the new buzzwords in business - corporate governance - are going to start affecting balance sheets.

Once the interest rate a company was charged on its borrowings was simply a judgment on the kind of financial numbers a company could report.

But it's increasingly going to become a judgment on less tangible factors: like the quality and transparency of board practices.

Global rating agencies like Moody's, Standard & Poor's and Fitch are starting to take into account corporate governance when rating a company's balance sheet. "

Va. Executive Yoran Named Government Cybersecurity Chief

Va. Executive Yoran Named Government Cybersecurity Chief (TechNews.com): "By John Mintz
Washington Post Staff Writer
Tuesday, September 16, 2003; Page E05

The Bush administration announced yesterday that a well-regarded cybersecurity executive from Virginia will become the government's top computer security official, with responsibility for protecting networks from computer worms, viruses, hackers and terrorists.

The selection yesterday of Amit Yoran as cybersecurity chief in the Department of Homeland Security follows months of complaints from private technology executives that the Bush administration had failed to focus adequate attention on safeguarding computer networks."

Friday, September 12, 2003

Digital upgrades open electrical grid to hackers and viruses, experts say

News Story - canada.com network: "JIM KRANE

Canadian Press

Thursday, September 11, 2003

NEW YORK (AP) - Since last month's blackout, utilities have accelerated plans to automate the electricity grid, replacing aging systems with digital switches and other high-tech gear.

But those very improvements render the electricity supply more vulnerable to computer viruses and hackers who could black out substations, cities or entire regions.

Researchers working for the U.S., Canadian and British governments have already sniffed out 'back doors' in the digital relays and control room technology that increasingly direct electricity flow.

With a few keystrokes, they say, they could shut the computer equipment down - or change settings in ways that might trigger cascading blackouts.

'I know enough about where the holes are,' said Eric Byres, a cybersecurity researcher for critical infrastructure at the British Columbia Institute of Technology in Vancouver. "

COMMENT:
=======================================

Fortunately, most critical businesses and infrastructure operators have plans in place to handle situations like this if they ever occur. The greater threat lies in the lack of funding to the key functional areas of the utilities that would mitigate the risk of digital intrusions.

Hurricane Isabel a powerful Category 5 storm

CNN.com - Hurricane Isabel a powerful Category 5 storm - Sep. 12, 2003: "(CNN) -- The most powerful storm in the Atlantic Ocean in nearly five years, Hurricane Isabel rolled west far from land early Friday, with maximum sustained winds of nearly 160 mph (256 km/h).

Isabel is a Category 5 hurricane on the Saffir-Simpson scale of hurricane strength. Hurricanes are ranked 1 to 5 on the scale.

At 5 p.m. EDT, Isabel was 350 miles (565 kilometers) northeast of the northern Leeward Islands, moving steadily to the west at 9 mph (14 km/h), according to the National Hurricane Center in Miami, Florida.

There has not been a Category 5 hurricane in the Atlantic since Hurricane Mitch in 1998. That giant storm slammed into Central America and sped across Florida into the North Atlantic. Mitch caused more than 9,000 deaths in Central America from flooding and mudslides.

The last Category 5 hurricane to hit the United States was Andrew in 1992.

The hurricane center's forecasters said Isabel could experience some 'temporary weakening' Friday and predicted a gradual weakening over the coming five days.

Isabel's current direction could put it on the path toward the Bahamas and the U.S. East Coast, but forecasters said it is still too early to predict accurately. "

"Firms' Newest Security Measure: Their Chief Governance Officers

Today in Investor's Business Daily stock analysis and business news : "Firms' Newest Security Measure: Their Chief Governance Officers

BY DONNA HOWELL

INVESTOR'S BUSINESS DAILY

It took Robert Lamm two weeks to drive up the East Coast and get settled for a new job as director of corporate governance at Computer Associates International. (CA)  But during that time, his workload grew by miles.

'I think it was a two-week period during which the SEC issued more proposed regulations than it ever had in its existence,' Lamm said. 'I got here and said, 'Oh my goodness, I'm really behind the eight ball. I'm going to kill a lot of trees keeping up.' '

Jobs like Lamm's are hot now. More firms are hiring integrity watchdogs, now that corporate scandals have spurred tighter regulations and focused a spotlight on reputation. Some firms are adding a new high-level executive: the CGO, or chief governance officer."

COMMENT:
========================================
Why does Mr. Lamm report to the General Counsel?

Thursday, September 11, 2003

Two Years Later, Still Adrift?

Two Years Later, Still Adrift? - CFO Magazine - September Issue 2003 - CFO.com: "Two Years Later, Still Adrift?

After 9/11, business continuity got plenty of attention, but many companies remain ill-prepared for disaster.

Scott Leibs, CFO Magazine September 01, 2003
In the weeks following September 11, 2001, the New York Board of Trade (NYBOT) was praised, in these pages and elsewhere, for having invested in a disaster recovery plan that proved nearly priceless. The commodities exchange had been spending $300,000 annually for a backup facility that sat idle for years, an expense that had been questioned but that paid off: the exchange not only used the site in the days after 9/11 but continues to use the site as its de facto headquarters as it transitions to a new one in lower Manhattan this month.

That was the kind of success story that was supposed to galvanize the business-continuity market, highlighting as it did the vulnerability not only of computer systems but also of phone, power, and transportation grids. What had been seen as an issue affecting primarily a company's data center was now framed as a strategic imperative affecting every aspect of infrastructure."
========================================
COMMENT:

This article reinforces a simple fact: even if you have tested your BCP, it doesn't mean that your suppliers and partners have tested theirs. As part of the audit of your continuous continuity (C2) program, include a check-up on your most vital third-party companies. They must be as prepared and resilient as you are. You may require that they be included in all of your scenario exercises so that you know their actual level of readiness.

Oversight of Mortgage Giants Sought

Oversight of Mortgage Giants Sought: "Oversight of Mortgage Giants Sought

By MARCY GORDON AP Business Writer

WASHINGTON (AP) - The Bush administration is seeking a stronger hand over government-sponsored mortgage giants Fannie Mae and Freddie Mac, amid accounting turmoil at Freddie Mac that has brought the departure of two chief executives since early June.

Administration officials are putting forward a legislative proposal that would shift financial regulation of the two - the biggest players in the multitrillion-dollar home mortgage market - to the Treasury Department from the Department of Housing and Urban Development and widen the government's authority over them.

Congress, which created the two companies and has been loath to rock the economically vital housing market, now may be receptive to such a plan. After Freddie Mac's accounting and management woes surfaced in the spring and brought federal investigations, members of the House and Senate proposed legislation that would tighten regulatory oversight of the two politically influential companies whose stock is widely traded."

New purported bin Laden tape raises fear of new attacks - Sep. 11, 2003

CNN.com - New purported bin Laden tape raises fear of new attacks - Sep. 11, 2003: "(CNN) -- On the eve of the second anniversary of the September 11 attacks, a taped statement purportedly from two al Qaeda leaders is raising concerns of new terror attacks against U.S. interests.

The Arabic-language news network Al-Jazeera broadcast Wednesday what it said was a new tape of Osama bin Laden and his top deputy, Ayman al-Zawahiri encouraging new attacks against Americans.

The voice claiming to be bin Laden praises the suicide hijackers who crashed jetliners into the World Trade Center, Pentagon and a Pennsylvania field two years ago, killing more than 3,000 people. He mentions several of the hijackers by name. "

Wednesday, September 10, 2003

Security Issues and Threats

BITS - Financial Services Security Lab/Criteria
Experience

The financial services industry brings its historic expertise in assuring safe and secure financial transactions to the new environment of electronic commerce. No other financial services providers have comparable expertise and experience in risk management. Financial institutions put the highest priority on protecting the safety, soundness and security of financial transactions and the systems upon which those transactions depend.

"Security: it's your job, managers told"

Overseas Security Advisory Council: "Security: it's your job, managers told
from MIS on Wednesday, September 10, 2003

Corporate managers, rather than security professionals, should be accountable for IT security breaches, according to the federal Attorney-General's department.

Security is 'everyone's business', but managers must accept ultimate responsibility for their department's IT protection, says Peter Ford of the Attorney-General's department's information and security law division.

'Managers, for example, should be accountable for breaches of security in the same way as they are accountable for working within their budgets,' Ford told delegates at last week's Information Security World conference and expo in Melbourne. 'While this is a simple proposition, it is a radical departure from the traditional rule-based approach to security, which allows managers to leave security issues to the attention of security professionals and encourages a culture of compliance.'

Security issues must be taken into account as 'an integral part of discharging one's responsibilities', says Ford, whether they be software designers, managers of an enterprise or consumers. "

Tuesday, September 09, 2003

How Hackers Break In To Enterprise Networks--A Step-By-Step Demo

Overseas Security Advisory Council: "How Hackers Break In To Enterprise Networks--A Step-By-Step Demo
from Internet Week on Tuesday, September 09, 2003

The SetUp

Ryan Breed is a hacker. He's honed his skills since his undergraduate days at the University of Rochester, where a cryptography course piqued his interest in network security. Breed, 28, enjoys the analysis of computer systems and 'decomposing systems and figuring out how they work.'

As a security consultant for Unisys, hacker Breed tests his mettle against company security systems, pointing out weak spots. He's gearing up to do his thing. But this evening's hack is sanctioned, commissioned, and paid for by the targeted company. Breed is an ethical hacker, a security consultant for Unisys, and tonight he's conducting a penetration test on an international business-consulting firm with 10 servers and more than 150 desktops. The name of the company and information that would disclose its identity have been withheld at the company's request."
========================================
Comment:

This article will give you a taste of how companies like Unisys use ethical hacking exercises to put the fear into a client that it is vulnerable. It shouts "Hire Us Now, Before It's Too Late". What is important here is to realize that any large enterprise is in a dynamic environment full of moves, adds and changes. It takes a daily, proactive program of internal risk management exercises to be effective, rather than relying on vendor sales tactics built around threat exercises like this one.

Monday, September 08, 2003

Survey Reveals 90 Percent of Financial Institutions Suffer Loss Due to Poor Ops Risk Management

Headlines Powered by Business Wire: "Managers Expect Substantial Returns from Risk Management Programs without Much Investment in Technology, Support

A global survey of 400 risk managers at 300 financial institutions indicates that although operational risk management is moving up in the priority list for financial institutions, they are still suffering annual losses incurred through poor operational risk management that range into the millions of dollars. The survey of corporate risk managers, the most comprehensive of its kind to date, was conducted by the Risk Waters Group and SAS, the market leader in business intelligence.

The results show that a fifth of all companies in the financial sector still do not have an operational risk management program, despite the fact that 90 percent of them lose more than $10 million a year because of poor risk management.

Even those companies that have put programs in place are reluctant to invest the money for a framework, such as personnel and additional software functionalities, needed for it to work. Despite annual losses that cost the industry hundreds of millions of dollars, 33 percent of the risk managers surveyed expect to spend $1 million dollars or less in improving operational risk management in 2003. "
==================================
Comment:

$10M/year is not enough of a loss to get any board member upset at a large money center bank. What is more of a concern is that 20% of the financial sector still does not have an operational risk management program, regardless of the amount being allocated for spending.

Saturday, September 06, 2003

DHS | Department of Homeland Security | DHS Advisory to Security Personnel, No Change in Threat Level

DHS | Department of Homeland Security | DHS Advisory to Security Personnel, No Change in Threat Level: "The following Advisory was issued to security personnel by the Department of Homeland Security this afternoon. Protective Measures included in the original document have been removed for security reasons.

TITLE: Maintaining Awareness Regarding Al-Qaeda's Potential Threats to the Homeland

ATTN: Federal Departments and Agencies, Homeland Security Advisors, First Responders and Information Sharing and Analysis Centers

OVERVIEW

The Department of Homeland Security (DHS) has been aggressively monitoring and assessing information with other Federal agencies on potential terrorist threats in the United States (US). Based on a recent interagency review of available information leading up to the September 11th anniversary, we remain concerned about Al-Qaeda's continued efforts to plan multiple attacks against the US and US interests overseas. However, at this time, we have no specific information on individual targets or dates for any attack."

Friday, September 05, 2003

ERisk Weekly Review - 30 August - 05 September 2003

Weekly Review - 30 August - 05 September 2003: " 

After Citi was hit by a high-profile email scam a couple of weeks ago, it appears that the bank has been targeted again although the new email was not sophisticated enough to avoid obvious typos and spelling errors, as reported by silicon.com: Your email is not registred [sic] with us, you need to setup [an] account with us and verify your identity. Please fill this form to be enrolled to c2it.com service. Once you register, the money will appear in your c2it's account balance in your overview page. You can withraw [sic] the outstanding balance to your credit or debt [sic] card's bank account.

If all so-called scams remain this crude, one might think that bank customers will be able to avoid them without too much effort but it seems unwise to assume that fraudsters will not at some point learn how to use dictionaries. Australia Westpac is one bank that has chosen to take preventative steps by embarking on a program to educate its customers about the potential pitfalls of giving away personal information online. An industry-wide response in Australia is also being actively considered."
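The review's caveat is that spelling errors are a weak signal: a fraudster who learns to use a dictionary keeps the same request pattern. As an added example, not part of the ERisk review or any bank's tooling, here is a small Python triage scorer that weighs the durable indicators (identity-verification wording, requests for card details, a link to an off-brand domain, a deadline) separately from misspellings. The three sample messages, the example.net hosts and the brand-domain list are constructed for this example; the "crude" sample imitates the quoted scam rather than reproducing it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages for this example (not the message quoted in the
# review). CRUDE mimics a scam with spelling errors, POLISHED makes the same
# request with clean spelling, BENIGN is an ordinary service notice.
CRUDE = (
    "Your email is not registred with us, you need to setup account with us "
    "and verify your identity. Please fill this form to be enrolled to c2it.com "
    "service. You can withraw the outstanding balance to your credit or debt "
    "card's bank account. Click here: http://c2it-verify.example.net/enroll"
)
POLISHED = (
    "Your email address is not registered with us. To receive the transfer, "
    "please verify your identity and enter your credit or debit card details "
    "at http://secure-c2it.example.net/verify within 24 hours."
)
BENIGN = (
    "Your monthly statement is now available. Sign in at "
    "https://www.example-bank.com using your usual credentials. We will never "
    "ask you to confirm account details by email."
)

# Misspellings say something about this sender only; the remaining indicators
# survive a spell-checker, which is why they carry more weight.
MISSPELLINGS = ("registred", "withraw", "debt card")
CREDENTIAL_REQUESTS = (
    r"verify your identity",
    r"card('s)? (details|number|bank account)",
    r"fill (in )?this form",
    r"enter your [^.]*card",
)
URGENCY = (r"within \d+ hours", r"you need to", r"outstanding balance")
# Domains the (constructed) brand really uses; links anywhere else are suspect.
KNOWN_BRAND_DOMAINS = ("c2it.com", "example-bank.com")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)")
SUSPICIOUS_THRESHOLD = 3


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, weight, reason):
        self.score += weight
        self.reasons.append(reason)

    def suspicious(self):
        return self.score >= SUSPICIOUS_THRESHOLD


def off_brand_domains(text):
    """Link hosts that are neither a known brand domain nor a subdomain of one."""
    found = []
    for host in URL_RE.findall(text):
        if not any(host == d or host.endswith("." + d) for d in KNOWN_BRAND_DOMAINS):
            found.append(host)
    return found


def score_email(body):
    """Score one message body; misspellings weigh 1, durable indicators 1 or 2."""
    text = body.lower()
    v = Verdict()
    for word in MISSPELLINGS:
        if word in text:
            v.hit(1, f"misspelling: {word}")
    for pattern in CREDENTIAL_REQUESTS:
        if re.search(pattern, text):
            v.hit(2, f"credential request: {pattern}")
    for pattern in URGENCY:
        if re.search(pattern, text):
            v.hit(1, f"urgency: {pattern}")
    for host in off_brand_domains(text):
        v.hit(2, f"off-brand link: {host}")
    return v


if __name__ == "__main__":
    for name, body in (("crude", CRUDE), ("polished", POLISHED), ("benign", BENIGN)):
        v = score_email(body)
        print(f"{name}: score={v.score} suspicious={v.suspicious()}")
        for r in v.reasons:
            print("   ", r)
```

The polished sample scores well above the threshold without a single misspelling hit, which is the point: a customer-education program, like the Westpac one mentioned, should teach people to recognise the request pattern and the off-brand link, not the typos.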

Wednesday, September 03, 2003

Bank Systems & Technology > Accepting the Risk > September 01, 2003

Bank Systems & Technology > Accepting the Risk > September 01, 2003: "THE UPSHOT

- Financial-services companies are becoming more sophisticated about how they track and value the risks they face.

- Business technology plays two roles in this assessment: making it easier to evaluate risks while increasing the risks of technology failure as banks become more dependent on IT.

- Basel II, an accord being worked out among the world's top bankers and national financial regulators, will put greater emphasis on operational risks such as technology failure. And it will likely offer lower reserve requirements for banks that invest in IT to lower their risks. "

========================================
Comment:
Great article with some excellent examples

silicon.com - E-tail big hitters club together to beat ID theft

silicon.com - E-tail big hitters club together to beat ID theft: "E-tail big hitters club together to beat ID theft
All the gang are here...

Some of the biggest names in ecommerce, including Amazon.com, eBay and Microsoft, have formed a coalition to curb online identity theft.

The Coalition on Online Identity Theft said it plans to launch a public education campaign and encourage its members to work more closely with law enforcement officials in an effort to fight a crime that has emerged as a major concern among politicians and consumers in recent years.

The group is being organised by the Information Technology Association of America, a trade group representing the high-tech industry. "

Mercury News | 08/27/2003 | Nasdaq announces new corporate governance education

Mercury News | 08/27/2003 | Nasdaq announces new corporate governance education: "NEW YORK (Dow Jones/AP) -- The Nasdaq Stock Market Inc. and the National Association of Corporate Directors announced an alliance to provide corporate governance educational services to Nasdaq-listed companies."

Bank Systems & Technology > Blackout Highlights Gray Areas > September 02, 2003

Bank Systems & Technology > Blackout Highlights Gray Areas > September 02, 2003: "Looking back at the August 14 blackout in the Eastern U.S. and parts of Canada, it's evident that the disaster recovery plans at financial institutions worked precisely as intended. But there's still room for improvement in business continuity. What's the difference? Disaster recovery is bouncing back after an adverse event, while business continuity is not stumbling in the first place. "

Tuesday, September 02, 2003

National Do Not Call Registry to Be Available to Telemarketers Beginning September 2, 2003

National Do Not Call Registry to Be Available to Telemarketers Beginning September 2, 2003: "National Do Not Call Registry to Be Available to Telemarketers Beginning September 2, 2003

The Federal Trade Commission today announced that telemarketing organizations will have access to the National Do Not Call Registry on September 2, 2003, one day later than the opening date originally announced. The URL to access telephone numbers in the registry, www.telemarketing.donotcall.gov, will NOT be available until September 2, 2003. From that date forward, organizations that complete application information, pay any applicable fees, and certify under penalty of law that they are accessing the registry solely to prevent telephone calls to telephone numbers on the registry, will be granted access to the consumer telephone numbers included in the registry.

Specific information about accessing telephone numbers and downloading files from the national registry is available at http://www.ftc.gov/opa/2003/08/tmkraccessinfo.htm. Additional information will be provided on the telemarketer Web site, www.telemarketing.donotcall.gov."

=======================================
Comment:

I wonder how long it will take for these phone numbers to end up on the public Internet?

U.S. Treasury - Office of Foreign Assets Control

U.S. Treasury - Office of Foreign Assets Control: "Mission

The Office of Foreign Assets Control ('OFAC') of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC acts under Presidential wartime and national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze foreign assets under US jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments."

Virginia's Institute for Defense and Homeland Security -- July-August 2003 Newsletter

Virginia's Institute for Defense and Homeland Security -- July-August 2003 Newsletter
DHS Names Executive Committee
George C. Newstrom, Virginia's Secretary of Technology, and John O. Marsh, Jr., former Secretary of the Army, will serve as co-chairs of the IDHS executive committee. Additional members of the panel include current and former federal officials from defense or homeland security agencies, Commonwealth of Virginia cabinet and university officials, and industry representatives from research- and technology-intensive companies in Virginia. Members are as follows:

Steven Cooper, CIO, Department of Homeland Security (ex officio)
Michael Daniels, Sector Vice President, SAIC
Scott Erskine, Society of Former Special Agents of the FBI
John H. Hager, Assistant to the Governor for Commonwealth Preparedness
Peter Jobse, President, Virginia's Center for Innovative Technology
Hugh E. Montgomery, Jr., Executive Director, IDHS
John B. Noftsinger, Jr., Co-Chair, Virginia Research & Technology Advisory Commission, and Associate Vice President for Research, James Madison University
Suzanne Spaulding, American Bar Association
Charles Steger, Chair, Virginia Council of Presidents, and President, Virginia Tech
Belle S. Wheelan, Virginia Secretary of Education
Jim Wrightson, Vice President for Strategic Development, Lockheed Martin Corp.