Tuesday, March 02, 2010

ID Risk Management: Dubai Investigation Links to Workplace Violence...

What is your name? Where do you live? What is your phone number? Where were you born? What is your social security number? What is your passport number? Where was it issued? What evidence do you have that this is all true? Your identity is at stake and Operational Risk Management is on the line.

These questions and more are asked of us on a regular basis to establish our true identity. The entity asking these questions is considering you to be granted access, access to what? It could be to establish an account at a banking institution, get a drivers license or become a member of a trusted community of people. Or it could be a country deciding whether to grant you a visa to visit or work for a period of time.

SOCA is in the midst of interviewing people who had their identity stolen. This investigation is about a form of ID Theft that goes beyond the international scandal associated with the Dubai homicide incident. The Washington Post reports:

Agents from Britain's Serious Organized Crime Agency are in Israel investigating the use of forged British passports by people who Dubai officials allege were part of an assassination squad run by Israel's Mossad spy agency. The 27 members of the group used European or Australian passports -- some forged -- to enter Dubai, officials say. In several cases, the names and other information on the passports matched those of Israeli citizens who hold dual nationality and who claim that their identities were "borrowed" by those involved in the operation.

Two SOCA agents will interview the 10 British-Israelis who were affected and issue them new passports, a British Embassy spokesman said. According to Israeli news reports, Australian investigators are planning a similar visit. The European Union last week condemned the use of forged travel documents in the killing of Hamas commander Mahmoud al-Mabhouh, without mentioning Israel specifically.


Whether you are the UAE, admitting people into your country or a Global 500 company allowing someone access to your corporate facilities, digital assets or place of business; you must have ways to effectively validate who people say they are, and who they really are. Even if you asked all of the questions above in the early stages of the company hiring process, would you really have the entire picture? This changes over time and events in a persons life. Identity Management and the use of both "known to many" and "known to few" attributes about who you are and who you know, is a reality in today's blur of global commerce.

When a country has a breach of security admitting people, who are not who they purport to be, is it any different in the context of a Defense Industrial Base company headquartered in Chicago, IL or an Investment Banking firm in Geneva, Suisse? What are different are the motives and the outcomes from the fraudulent acts.

What are the current arguments and the leading reasons why our policies, methods and tools associated with Identity Management are in a state of chaos in the United States? The FTC's latest report gives you a better idea of the breadth of the privacy problem trying to be solved:


The Federal Trade Commission released a report listing top complaints consumers filed with the agency in 2009. It shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008.

The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted.

The top complaint was Identity Theft, which accounted for 21% of all complaints for the year.

A complete list of complaints can be found at: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.


What is interesting is that the same people who are coming to work every day with their TWIC or CAC cards are also victims of ID Theft as consumers. The same individuals who walk into the SCIF or the bank vault may very well be people who have active investigations going on regarding their identity being used to perpetrate crimes or other fraudulent motivations. So what are some of the most important issues on the Identity Management horizon?

In all of the breaches, all of the incidents there is a root cause for the failure in the people, process, systems or external factor that opened up the vulnerability for the attacker to exploit and obtain their objective. It's called Continuous Monitoring. This issue is found in all places in Appendix G of the US NIST sp800-37 that illustrates the reason why continuous monitoring is critical especially in information systems:

Private Sector companies have a duty to invest in resources, policy refinement and new methods or tools to keep continuous monitoring as vigilant as possible:

"Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. A well designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation"


Whether you are the United Arab Emirates or the University of Alabama-Huntsville the Identity Management problem is much the same. David Swink at Psychology Today has this to say on the other growing virus named "Workplace Violence" that is invading corporate America:


In the aftermath of school and workplace attacks, it is often discovered that there were warning signs that the perpetrator was moving down a path toward violence. In some circumstances, people reported the troubling behavior and the information was not forwarded to the people who could prevent an attack. Sometimes the troubling behavior didn't reach a threshold, in the judgment of the person receiving the report, that something needed to be done. There is often confusion about what information can or cannot be shared under privacy laws like FERPA or HIPPA.

Threatening behavior may come to the attention of multiple departments within an organization that generally don't share information with each other. Without clear policies, procedures, and training, large organizations may find it challenging to channel widely dispersed information about potential threats to a central reporting entity.

With a single report of threatening behavior, the situation may not look that bad, but when the other "dots" are connected, a clear image emerges that this person is someone that needs to be assessed and managed in order to prevent violence.


Much of what we know about our employees is found in their HR files, background reports (if ever done) and what co-workers say about their behaviors in the workplace. Corporate Security, Risk Management, General Counsel, Information Technology, Public Relations and even the EAP (Employee Assistance Program) executive managers shall create, maintain and continuously operate a Corporate Intelligence Unit and Threat Assessment Team. Without it, the consequences of not knowing a persons true identity or current state of mind could cost you more than the loss of life. It could cost you your global reputation.