Friday, April 13, 2007

In Search of Answers: OPS Risk Intel...

When it comes to Operational Risk, what is on your mind? These are just a few recent inquiries from around the globe:

  • operational risk consultant
  • plausible deniability risk mitigation
  • operational risk and causes for information technology department
  • digital forensics plus ediscovery software
  • operational risk management in bank
  • hedge risk asian tsunami
  • bbc programmes advice on insurance companies covering anti terrorist cover
  • hsac navy seals
  • metrobank and trust company philippines risk managment practice
  • passmark passes fdic audit
  • gsk italy germany executive's supply chain quality assurance manufacturing
  • define issues and action plans orm
  • ethical prior the implemention of disaster response
  • operational risk management dulles airport
  • Business Crisis and Continuity Management (BCCM)
  • invision, deloitte, risk, root cause analyses
  • bs 25999 part1
  • system malfunction hurricane katrina critical infrastructure
  • fraud risk management vs. compliance investigation
  • "opinion letter" "disaster recovery"
  • the newest trends in operational risk for public sector
  • north carolina department of revenue real estate investment trust voluntary disclosure
  • parmalat crisis management
  • public sector operational risk management
  • bank of america sas 70
  • example document retention policy homebuilder
  • fbi justice report sedona mortgage fraud
  • operation risk management test answers
  • suibin zhang
  • authenticol systems boulder
  • helicopter detecting grow ops
  • using ipsonar opinion
  • pneumonia, operational risk
  • reasons for enterprise risk management assessment

If you are like us, you see some real "nuggets" of intel in these searches. One observation is that Operational Risk is diverse and its facets are complex. The interdependencies of people, processes, systems and external events, combined with the legal implications, make this discipline ever more sought after in the ranks of enlightened institutions.

So why would somebody be looking for information on "plausible deniability risk mitigation"?

Over a year ago Bruce Schneier had this to say:

Deniable File System

Some years ago I did some design work on something I called a Deniable File System. The basic idea was the fact that the existence of ciphertext can in itself be incriminating, regardless of whether or not anyone can decrypt it. I wanted to create a file system that was deniable: where encrypted files looked like random noise, and where it was impossible to prove either the existence or non-existence of encrypted files.

This turns out to be a very hard problem for a whole lot of reasons, and I never pursued the project. But I just discovered a file system that seems to meet all of my design criteria -- Rubberhose:

Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coercive interrogations and other compulsive mechanisms, such as U.K. RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available.

The devil really is in the details with something like this, and I would hesitate to use this in places where it really matters without some extensive review. But I'm pleased to see that someone is working on this problem.

Next request: A deniable file system that fits on a USB token, and leaves no trace on the machine it's plugged into.

So what? Why would an Operational Risk Professional be concerned about a USB token that leaves no trace on the machine it's plugged into? We think you get the big picture here. So are there any other nuggets of intel worth exploring in this latest list of searches?


What about Business Crisis and Continuity Management (BCCM)? When it comes to a crisis, there are numerous sources that impact your Operational Risk Strategy:

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:

· Public perception

· Unethical dealings

· Regulatory or civil action

· Failure to respond to market changes

· Failure to control industrial espionage

· Failure to take account of widespread disease or illness among the workforce

· Fraud

· Exploitation of the 3rd party suppliers

· Failure to establish a positive culture

· Failure in post employment process to quarantine information assets upon termination of employees

So what? Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It's the shareholders' duty to scrutinize which organizations are most adept at "Continuous Continuity" before they invest in their future. Hopefully you understand that the operational risk spectrum is as wide as it is deep. Keeping your fingers on the pulse of what people are concerned about could be as simple as this quick exercise in "search terms analysis."