Best,

James DeLuccia IV

• Embrace public; international; open governance / security frameworks and cut from here your own program
• Cost to compliance should DECLINE and not increase over time - unless your business is expanding at which point the cost curve should be correlated to that of the expansion costs
• The achievement of compliance is not sufficient to thwart the risks to the business - security, privacy, operational integrity, and satisfaction of contractual agreements require a cultural and organic approach

Practitioners must take it upon themselves to educate and communicate when compliance F.U.D. and marketing take over a business’ risk management programs.  Only through communication will everyone know what risks exist; what risks are addressed; which risks are immaterial; and how they fit together to form the information security program and governance processes.

Other insights and perspectives on the affect of consolidating and “watering down” effective controls and safeguards to the point where they do not address the original intent?

Kind regards,

James DeLuccia IV

Consider all the data carriers before pushing out point solutions - data should be managed within an evolving program to satisfy each new channel and environment (Social networks, twitter, IM, torrent …)

Thoughts?

James DeLuccia IV

Given those articles as the backdrop - there are two major concerns for executives and businesses that rely on third party firms (which is approximately 99% of the world).

The first is the ability to deliver services without the incumbent service provider

• When setting up third party service providers consideration must be placed on the exact details of how the data flows will occur.  This should be defined in the contract.
• A common, and costly mistake by companies, is to not establish mechanisms to extract their business from a specific service provider.  This is caused by customizing your business to fit their processes, and thereby creating only one vendor that can service your firm.  Businesses must regularly review how these third party processors are integrated and establish a Back-Out Plan.  Similar in principle to a Disaster Recovery Plan (DRP), our BOP provides the organization with a full record of all business data and a workable repository that can be connected to a different vendor.  A consumer example - Ability to export your Google Contacts to your Exchange Server and vice versa, the easier it is the more likely you are to experiment and keep long term costs low.

The second is concern relating to the data and proprietary (patented?) processes and technology that may vanish when the business partner disappears.

• The amount of information passed through a vendor varies, but inevitably sensitive information will be processed or transmitted.  The business owners should - in a contract, establish the ability to quarantine their data to specific systems, and may even consider “buying” these pieces of hardware to insure against losses in the future.
• An alternate approach is to limit the data prudently to eliminate the possibility of company information being exposed.  This can be achieved by placing some processing in house and then passing along data to the vendor in a less sensitive manner.  A consumer example is highlighted on the Kindle2 and the 3rd party conversion process, and what if any data is being passed and processed.  (A single example of numerous services that slice through the daily business process that is seldom considered or understood, and only when problems (Breached / Hacked Organizations) make the news do we consider the full ramifications, let alone if the business itself vanishes.

As is obvious, there are many approaches for businesses to leverage the BPO market while protecting the integrity of the business operations.

Best Regards,

James DeLuccia IV

**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**

“DeLuccia lays a foundation by examining the importance of internal IT controls…explains why silo IT strategy wastes time and resources, offering a better solution in having an IT enterprise control environment”

Comments and challenges?

James DeLuccia

Charles Phillips, President of Oracle was the keynote and opened for about 30 minutes on what Oracle is doing as a company and in the cloud / web 2.o space.  He was excellent and I enjoyed hearing from him.  Unfortunately I, nor anyone from what I can tell, was unable to thank him for his time as he was escorted in and out of the building rather quickly.  He highlighted the use of customer feedback systems and integrating applications for clients.

The other attendees included Eran Gil of Cloud Sherpas (a consulting company); Matt Trevathan, Solutions Architect/Master Inventor, IBM Interactive, and a gentlemen from Turner who provided great “non-vendor sales” responses but whose name doesn’t seem to be posted.

The conversation was good - the archive will be online the MIT Forum site, and if you have time check out the first 30 minutes to see Charles.  I would also check out the last 10 minutes of the feed for a few interesting questions on privacy and security that thankfully didn’t include product speak.  The panel was not qualified for compliance and security questions, but were quite strong on the challenges of open standards and the cost-benefit questions.

Program Synposis:

“The points of discussion are:

• What are the key decision drivers for determining if
  outsourcing to the cloud is right for your business?
• What are the cost dynamics and relationships between
  hardware, software, management, monitoring and customer
  satisfaction/support in today’s environment?
• What are the data security and privacy issues for customers
  of these services and the liability for the service provider?
• What are the mechanisms for moving to cloud computing and
  who gets you there?
• What are the business opportunities for entrepreneurs
  looking to participate in this newly forming ecosystem?”

Unfortunately I don’t feel the panel answered the above questions fully, and I will try and make a series on answering the above as they relate to startups, compliance, and security concerns.

Kind regards,

James DeLuccia IV

“The specific changes in Special Publication 800-53, Revision 3 include:

• Restructuring of security controls to include specific requirements previously stated in Supplemental Guidance;
• Adjusting security control/control enhancement allocations to security control baselines;
• Eliminating security controls and control enhancements that are redundant or no longer needed;
• Incorporating the revised, simplified, six-step Risk Management Framework;
• Strengthening selected security controls by adding new security control enhancements;
• Adding security program management controls that affect organizations, at large, including areas such as capital planning and budgeting, enterprise architecture, and risk management;
• Providing additional guidance on the management of common controls within organizations;
• Adding security controls and control enhancements for advanced cyber threats, including supply chain threats;
• Introducing a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards including an updated mapping table for security controls in ISO/IEC 27001 (Annex A); and
• Updating supporting appendices including references, glossary, and acronyms.”

To provide substance on the importance of this standard - this document is utilized by thousands of organizations worldwide as both a template and a baseline.  As threats evolve the baseline must shift also, but that requires everyone to move in concert to raise the total level of resilience.  It is critical that a careful eye be placed on this standard - to ensure the sufficiency of the controls, the clarity of the safeguards, and the completeness of the approach.

“Only you can prevent forest fires” - wholly applicable,

James DeLuccia IV

Hat tip to Dan Philpott and Taylor Banks for the heads up!

The first is recognition that a virtualized environment IS in fact different then a physical environment.  Once this is accepted the next premise to be considered is the business mandates of the organization and the team.  This is where the rubber meets the road - smashing together professional knowledge with the “intent” of contracts, laws, and mandates.  Together these pave a path to truly operate a virtualized environment under any set of business conditions.

A great deal of people today consider a virtualized system the same as a physical system.  This is a mistake - there are different risks, threats, attack vectors, and such within a virtualized space that do not exist or are not satisfied by the same safeguards.

Business Mandates (my catch all for contracts, regulations, and directives) are written with the intent of preventing, minimizing, or safeguarding something.  Professionals must recognize the intent and satisfy these within the virtualized space.  It is criminal and fraudulent to pass on a virtualized system as a physical system for the sake of an auditor’s check box or other safety precaution - the simple defense that ‘they didn’t know’ is insufficient and reckless.

Now in the past when the Internet was born regulations and enforcement bodies tried to use existing laws to prosecute and demand appropriate safeguards.  For the most part these old laws did provide financial damages, but did support the government and industry to meet the new standards given the new technology.  Today our laws and the auditor check lists do not sufficiently address virtualization, but that does not eliminate the risk or need to operate securely and in line with our customer’s expectations.

This is a very complex area and I look forward to additional thoughts.  Look for a future ‘Insider Perspective’ breaking out greater facts from the field.

Kind regards,

James DeLuccia iV

“We are concerned that the corporate oversight of AIG Financial Products … lacks critical elements of independence, transparency, and granularity,” Waxman read from the Office of Thrift Supervision’s March 10 letter

Here are two good, brief, summations of the findings:

NYS CPA Article on the fraudulent behavior, “AIG Hid Financial Risks from Auditors”

CNBC Article focusing on the business aspects, “AIG Hid Financial…“

• 2.C - Agreeing on a risk based approach is certainly critical and coordination should exist between internal and external audit, but it should be expanded to other operational divisions.  For instance, IT Security and strategic governance operations must also be in sync with this approach to ensure that all the risks and future needs of the business are satisfied.
• 2.D - There is a precedent, and regulatory mandate, that the “work of others” be leveraged by all parties to ensure efficiency of control environment attestations.  Centering on an agreed method of measuring risk, conducting assessments, and demonstration will ensure maximization of returns on control efforts.
• 3.B - Technology begets more technology - a phrase I commonly state represents the final control highlighted in the article.  The use of software to collect data and validate the input requires the organization to have safeguards to ensure that THESE systems are operating correctly.  Technology should be leveraged to introduce efficiency and not layers; continuous business process redesign is prudent and indicative of leading competitive firms.

Check out the article here, and be sure to consider this as a launch point to revving up your organization.  A great companion book to my book is Paul Sobel’s on Risk and ERM available on Amazon.

Best,

James DeLuccia IV