Saturday, July 25, 2015

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to its people, processes, systems and structures. It stands to be better equipped for sustained continuity.  Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What is less easy to analyze from a threat perspective, are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.
The sources of significant loss events are changing as we speak. Here are a few that should not be overlooked in your Operational Risk Management (ORM) Programs:

· Public perception

· Unethical dealings

· Regulatory or civil action

· Failure to respond to market changes

· Failure to control industrial espionage

· Failure to take account of widespread disease or illness among the workforce

· Fraud

· Exploitation of the 3rd party suppliers

· Failure to establish a positive culture

· Failure in post employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full, helping executives managing risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise, as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment or even an annual look at what has changed across the enterprise is opening the door for a Board of Directors worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated all together.

Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

So what? Boards of Directors have the responsibility to insure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

Sunday, July 19, 2015

New Horizons: Commitment to the Long War...

What new technology invention or planetary event will change our way of life forever?  As the sun rises over the water, or the high rise buildings or the dew filled rolling meadows, one can only wonder.  The "New Horizons" streaked past Pluto after nine years from it's launch and 3 billion miles from Earth this week.  What other possible achievement is mankind capable of obtaining, that provides new knowledge and insight about our origins and our future.

Operational Risk Management (ORM) has been at the core of the New Horizons mission from its Genesis, until the day the space probe stops sending us more information.  Over these past nine years the observation and collection of data across our solar system, has provided answers to so many questions as we continue our quest for discovery.

Think about that timeline for a minute.  What has your organization accomplished that requires that kind of commitment to ongoing exploration and data analysis?  How would you keep people focused on continuous learning and problem solving, to gain new understanding and perhaps more empathy in your company.  Patience is often hard to find, when the boss is asking you what you have produced since yesterday.

There are tremendous challenges to keeping the mission focus in mind, even for nine years and beyond.  Maybe that is why there are term limits on some roles in public offices and as a result elections are necessary every two or four years.  Term limits puts priorities in perspective and clarifies what should be accomplished first and foremost.

What if you knew when you were going to die.  You knew exactly what would happen when your life ends.  It is written.  How would your thinking change, about what is important and what needs to be accomplished tomorrow.

How would you change your way of living and the vision to accomplish the promise of the future, if you did believe the stories of how it would all turn out.  Would you change the way you live your life, while you had the confidence that you would reach that promised place.  What if you had been taught this by trusted colleagues, read about it in sacred books or on the Internet and was assured that it was attainable.  If you would only believe:
Chattanooga, Tennessee (CNN)  A day after gunman Mohammad Youssuf Abdulazeez ended the lives of four Marines and wounded three other people, hundreds in Chattanooga gathered in prayer to mourn their deaths.

There were Christians. There were Muslims. A cross-section of the Tennessee community packed Olivet Baptist Church for the Friday night vigil.

Authorities are trying to figure out why Abdulazeez -- an accomplished student, well-liked peer, mixed martial arts fighter and devout Muslim -- went on the killing spree.

U.S. Attorney Bill Killian said the shootings are being investigated as an "act of domestic terrorism," but he noted the incident has not yet been classified as terrorism.

Reinhold said there is nothing to connect the attacker to ISIS or other international terror groups. Abdulazeez was not on any U.S. databases of suspected terrorists.

He was not known to have been in trouble with the law except for a DUI arrest in April. He apparently was not active on social media -- one of the common ways police investigate terrorism.
Ones mind has to flashback to the Boston Marathon bombing and the aftermath of that act of domestic terrorism in the United States.  Was this act of jihad on our U.S. citizens, the promise to the future, painted by people these terrorists trusted and respected?  Was this horrific act in Chattanooga against our military, just another blueprint for what our future holds for homegrown violent extremism (HVE) in America?  More on this from the New York Times:
Officials said there was no indication so far of any links to terrorist groups, leaving them to wonder how a young man with no known history of violence or radicalism turned up Thursday with several weapons, spraying bullets at Americans in uniform. Some “lone wolf” attacks have been carried out by people who had no direct contact with extremist groups, but they were influenced by messages online, like those from the Islamic State urging Muslims to take up arms and attack American military sites.

“This attack raises several questions about whether he was directed by someone or whether there’s enough propaganda out there to motivate him to do this,” said a senior American intelligence official, who spoke on the condition of anonymity because the investigation was still underway.
The Charlie Hebdo attack in Paris again was a location with meaning to the actual terrorism act itself by these two brothers inspired by Al-Qaeda in the Arabian Peninsula (AQAP).  It was a target put on a list by people who have a long-term focus and are able to accomplish their goals, even without a nation states resources.  The priority for any nation is to continue a long-term view, on what domestic terrorism and homegrown violent extremism really means, for a local community, in any country.

What is one of the most rewarding ways to connect with the local First Responder community in your U.S. county?  Look no further than your Community Emergency Response Team (CERT) and also your nearest Infragard chapter.  As a new "Citizen Soldier" you will need to learn new skills.  You also have to keep yourself aware of the latest natural or asymmetric threats to your particular community, whether it is a geographical city or a virtual domain in cyberspace.  You can, make a difference.

"Compassion will cure more sins than condemnation”

-Henry Ward Beecher-

It means a renewed commitment to building more resilience into your community.  From the bottom up, at every family household and small business in the town, city or Metroplex.  Operational Risk Management (ORM) doesn't end when you leave your role at the workplace in the warehouse, the cubicle or the executive office of the CSO, CISO or Chief Risk Officer.

Do you remember how you felt on September 12, 2001?  That uncertainty and the feeling you had, about the welfare of your closest loved ones or neighbors.  This was the catalyst for a 14+ year battle.  Just as the "New Horizons" hurtles millions of miles past Pluto, this commitment to the "Long War" is not over, and probably never will be.

Sunday, July 12, 2015

Data Rupture: The Risk of Over-Classification...

As a result of the latest "data rupture" at the U.S. Office of Personnel Management (OPM), there are several Operational Risk factors.  The issues that most people are focused on, dwells on a lack of proper information security controls or antiquated technologies, that have not kept up with the speed of the modern day asymmetric threat.

However, this is not the primary problem that needs to be resolved.  The problem definition has been discussed in the wings of government for many years.  The root of the discussion is really a personnel hiring process combined with a human resource function.  The next level of the debate has to do with the classification of information.  The process by which certain types and kinds of information is classified at different levels of sensitivity.

In terms of the private sector vetting of an employee for employment vs. the government employee (contractor) it is very similar for non-executive personnel at the "Secret" level of classification.  You could leap to the analogy, that once you move to an executive level in the private sector, you may be vetted more thoroughly including more extensive looks into references, interviews with others and a deep dive into financial affairs.  This is more in line with the "Top Secret" level clearance in the government.
Call it a “data rupture”: Hack hitting OPM affects 21.5 million
Highly personal data from background clearances are a data bonanza to spies.


by Dan Goodin - Jul 9, 2015 6:10pm EDT

Last year's massive hack of the US Office of Personnel Management's security clearance system affected 21.5 million people, including 1.8 million people who didn't apply for a background investigation, officials said Thursday, making it official the breach was the worst in US government history.

The new figure includes most, if not all, of the 4.2 million people the agency previously said were exposed in a separate breach of personnel files. The much larger number resulted from the hack in June or July of last year on the system used to conduct background checks on contractors and other private sector employees, as well as federal workers. Some 1.1 million of the stolen records included applicants' fingerprints. Background checks for people applying with the Central Intelligence Agency weren't affected because that agency conducts its own security clearance investigations.
 The tagging of information at the point of creation, inside the walls of the private enterprise or government is the key problem set.  Then making the decision on who and why a person needs this information for them to do their job, is the secondary factor.  We all need information to do our assigned jobs and tasks.  When information is tagged as "For Official Use Only", "Confidential" "Secret" or "Top Secret" in the government, there is a reason.  The Classification system:
The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic.[1] Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.[2]
The desired degree of secrecy about such information is known as its sensitivity. Sensitivity is based upon a calculation of the damage to national security that the release of the information would cause. The United States has three levels of classification: Confidential, Secret, and Top Secret. Each level of classification indicates an increasing degree of sensitivity. Thus, if one holds a Top Secret security clearance, one is allowed to handle information up to the level of Top Secret, including Secret and Confidential information. If one holds a Secret clearance, one may not then handle Top Secret information, but may handle Secret and Confidential classified information.
When you work as an employee of a private company, there is a documented personnel hiring process.  The early part of the process in some cases is outsourced to recruiting agencies, just as the government uses contractors to process many of it's back ground investigations.  In both cases, the reason is evident.  Does this person being considered for employment, pose a risk to the enterprise?

 The purpose of the discussion now is to look at the information.  The tagging of information at its origin.  Whether in the private sector or government.  Who decides what sensitivity to put on the document, picture, video, spreadsheet, text, audio or other data element?  How do you keep only certain people from viewing and reading or listening to the information with the correct level of security clearance? (Access Controls)  Certainly the viewing of the salary levels of all employees inside the private sector company is sensitive and only certain people have the authority and need to see this information.  The assurance of information is critical:  Confidentiality, Integrity and Availability.  No different in the government.  So what is the common thread?
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).[1]
The failure at OPM is complex and no different than the complexity of the data breach failure at Target Corporation.  Both incidents were and are the basis for case studies in Information Security classes at the academic level.  Each has idiosyncrasies, in terms of the actual data breach methodologies and the tools used by adversaries.  So what?

One has to question the need for so many people to have "Top Secret" security clearances in the government.  When you look at the numbers it is staggering.  It almost seems that the process for hiring good people in the government made it a requirement, that someone have the ability to obtain a "Top Secret" clearance.  Even though the likelihood that this person would ever be exposed to or asked to review "Top Secret" information was low.  The failure is that so many people were required to obtain Top Secret clearances, when it was not really a factor for the job they were doing or would ever do.

Now that the "Chinese hackers" (the so called suspects) have our SSN, DOB, previous addresses, (same for family members), financial and other references in their database, time will only tell what individuals will be targeted and for what.  So for those "Chinese hackers," here is a news flash:

"NOT ALL THE PEOPLE WITH GOVERNMENT TOP SECRET CLEARANCES HAVE REVIEWED TOP SECRET INFORMATION"

This is why, much of the hiring and background process that is part of the human resources systems is out of synch, with the information classification process and what someone needs to do their particular tasks in the enterprise.  The level of security clearance has unfortunately become a badge of acceptance and of perceived importance.  Just look at the number of "Linkedin profiles" today, where someone openly declares their "particular level of security clearance" with the government.  Why do people do this?

What is part of the solution to the defined problem set?

1.  Thoroughly address the defined problem of over-classification.

2.  Depends on the success of solving #1.

Operational Risk Management (ORM) is about the risk of loss resulting from inadequate or failed processes, people and systems or from external events.

Saturday, July 04, 2015

July 4: Framework for Liberty...

On this July 4, we can reflect.  In 1776, a courageous man named Thomas Jefferson would never know how the United States would endure.  239 years later, the United States of America is a historical example that the entire world studies.  This Republic, has certainly changed since the design was created by the "Founding Fathers".

As this Independence day unfolds across America, our Operational Risk Management (ORM) professionals are on watch.  They are celebrating in spirit and yet also worried, behind the facade of all the weekends festivities.  Why are so many across the globe in fear of the United States?  What are their motivations, for attacking our people and systems; what are they afraid of?

The fabric and infrastructure of our country is more diverse than ever.  The rule of law that governs all citizens are still capable of change, through a documented and proven process.  Change is attainable and civility is alive and well.  The power base of government is held in check, by systems designed to give the people a voice.  The United States is a complex invention that the papers written and agreed upon by Jefferson, Madison, Adams, Franklin and 56 delegates, still remain true to the mission.

When you think about the entire design of the system today in your hometown USA parade; look around.  What do you see and hear?  People of all religions and ethnic backgrounds expressing their ability to assemble and show their signs of affiliation.  Playing their own favorite music.  Celebrating their particular favorite American freedom.  Some by the original nations design and others by the Supreme Court of the United States.

Surrounding all of the expression of these freedoms are those who are on 24/7 watch.  These First Responders are waiting for your call.  Some in uniform and others in the shadows.  Perhaps it is your Mother or Father with Atrial Fibrillation, that may need an EMT in a moments notice.  Perhaps it is a need for assistance when an armed bandit robs your retail establishment.  Perhaps it is your tip or information, that intervenes with those evil-minded people who would attack our churches, public events or even the growing digital infrastructure.

You see, this ecosystem of people operating across America, in pursuit of their own dreams and their daily needs is what many across the world are unable to experience.  Many do not truly understand it, until they have had the chance to experience its feeling for real; to comprehend the emotions of people who are expressing their rights and their liberty.  The United States of America and other nations who are blueprints for democracy, know the vision and understand why it is worth defending at all costs.
 "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness."