
Operational Risk, Privacy & Security

Operational Risk, Privacy & Security. Jonathan Rosenoer Point Tiburon Group May 2002. Content. Operational risk management overview Trust as a design imperative and solution requirement Illustrative solution components for security and privacy in an operational risk management system.


Presentation Transcript


  1. Operational Risk, Privacy & Security Jonathan Rosenoer Point Tiburon Group May 2002

  2. Content • Operational risk management overview • Trust as a design imperative and solution requirement • Illustrative solution components for security and privacy in an operational risk management system

  3. The drive to manage and improve operational risk • Operational risk is “the risk of loss resulting from inadequate or failed processes, people and systems or from external events” • The Basel Committee on Banking Supervision, Bank for International Settlements, seeks to provide strong incentive to improve operational risk management in light of recent changes in Banks • Growth of E-commerce • Use of more highly automated technology • Increased prevalence of outsourcing • Emergence of banks as very large-scale service providers

  4. “Banks should be aware that increased automation can transform high-frequency, low severity losses into low-frequency, high severity losses.” • Bank of New York (1985): 28 hour mainframe failure causes Bank of New York to borrow $20B to manage sale of securities, at an interest cost of $4M • Barings (1995): Unauthorized and concealed derivatives trading by Nick Leeson leads to $1.2B loss and collapse of Barings • First National Bank of Chicago (1996): ATM software error inflates 800 customer balances by sum of $763.9B • BancBoston (1998): 20-year employee, Ricardo Carrasco, disappears leaving behind $73M in irregular loans and credit extensions secured by fraudulent or non-existent collateral • PULSE (2000): 22-state EFT/ATM network disabled when Tropical Storm Allison floods main and backup power systems in Houston • Bank of New York (1999): Investigators allege that up to $15B was laundered out of Russia via the Bank of New York • Mellon Bank (2001): 40,000 federal tax returns and tax payment checks totaling $800M are lost or destroyed at processing center operated for the IRS • 9-11-01: Cost of NY Financial Services business disruption -- lost revenues due to market closure and dislocation expense -- was about $1.8B • Allied Irish Banks (2/7/02): Foreign exchange trader, John Rusnak, is suspected of $750M fraud • J.P. Morgan Chase (2/27/02): Insurers deny claim for $965M on surety bonds arising from Enron failure on grounds the bonds were procured through fraud

  5. A meaningful solution is multi-dimensional and flexible • Multi-dimensional: To implement and demonstrate appropriate risk management systems and processes, financial institutions require a holistic solution that provides a: • Methodology to identify and capture loss event data • Reporting framework • Tool for root-cause analysis and alerting • Flexible: To implement and demonstrate appropriate risk management systems and processes, financial institutions require a flexible solution: • Any data… Any control objective… In Real Time

  6. An early vision of an operational risk management dashboard

  7. Illustration: Control objective definition (powered by Digital Fuel)

  8. Illustration: Event correlation

  9. Illustration: Root source analysis

  10. Illustration: What-If analysis

  11. Looking at the problem from the bottom up [Architecture diagram] Data Adaptors: • Network perf. mgt. • PBX • Billing • Ticketing • CRM • SFA • … Run-Time Engine: • Data collection • Correlation • Root cause analysis • What-If • Forecasting • … Tools: • Data identification/mapping • Control objective constructor • Report authoring Rules Repository: • Control objectives • Data collection rules • Calculation rules • Presentation rules Outputs: Data, Reports, Management Console, Web presentation Actors: Users (at the Tools, Management Console and Web presentation) Source: Digital Fuel

  12. Content • Operational risk management overview • Trust as a design imperative and solution requirement • Illustrative solution components for security and privacy in an operational risk management system

  13. Required: Security and privacy • Office of the Comptroller of the Currency • A bank’s use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. • The OCC expects bank management to engage in a rigorous analytical process to identify, measure, monitor, and establish controls to manage the risks associated with third-party relationships and, as with all other risks, to avoid excessive risk-taking that may threaten the safety and soundness of a national bank. • The OCC will review the bank’s information security and privacy protection programs regardless of whether the activity is conducted directly by the bank or by a third party. • Gramm-Leach-Bliley Act • Ensure the security and confidentiality of customer records and information • Protect against any anticipated threats or hazards to the security or integrity of such records • Protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer

  14. A threat assessment is a traditional starting place for building trust Source: Common Criteria

  15. Trust is a function of confidence in countermeasures Source: Common Criteria

  16. Systems thinking is key [Architecture diagram, same layout as slide 11, with “!” marks flagging points of concern] Data Extractors: • Network perf. mgt. • PBX • Billing • Ticketing • CRM • SFA • … Run-Time Engine: • Data collection • Correlation • Root cause analysis • What-If • Forecasting • … Tools: • Data identification/mapping • Control objective constructor • Report authoring Rules Repository: • Control objectives • Data collection rules • Calculation rules • Presentation rules (! !) Outputs: Data, Reports (! !), Management Console, Web presentation Actors: Users (at the Tools, Management Console and Web presentation)

  17. Content • Operational risk management overview • Trust as a design imperative and solution requirements • Illustrative solution components for security and privacy in an operational risk management system

  18. Remote login and SSH SSH Secure Shell is used for remote logins. It seeks to solve the problem of hackers stealing passwords. Typical applications include 'lite VPN' applications, remote system administration, automated file transfers, and access to corporate resources over the Internet. • SSH Secure Shell allows you to • securely log in to remote host computers • execute commands safely on a remote computer • securely copy remote files • provide secure encrypted and authenticated communications between two non-trusted hosts • TCP/IP ports can be forwarded over the secure channel, enabling a secure connection, for example, to an e-mail service. • SSH2 is designed against threats that include • Eavesdropping • Hijacking • IP spoofing Source: SSH Communications Security

  19. VPNs to connect offices and partners VPNs securely extend corporate networks and reduce the costs that are incurred by leased lines and frame relay networks. Source: Check Point

  20. An application layer “VPN” seeks to provide access to applications without exposing an internal network The Yakatus Secure Global Relay supports simultaneous, secure, bi-directional data transmission from multiple services, applications, and protocols through a single port - and a single server. This feature seeks to obviate security issues generated by numerous open ports, tiered firewalls and multiple servers.

  21. Trusted e-mail is repositioning for enterprise information exchange

  22. New messaging systems seek to enable enterprise applications to communicate securely and reliably with one another over the Internet Kenamea messaging operates in real time, securely delivering messages from any application end point to any other. At the core of the Kenamea offering is the Kenamea Message Switch, which acts as a hub, coordinating communication between application end-points.

  23. Integration middleware offers another level of streamlining The SeeBeyond Business Integration Suite centers on business processes in order to provide an integration solution that first streamlines business from end-to-end, then drills down into the next level of detail for application integration, data transformation, routing and messaging by generating the necessary technical components that manage the transformation and flow of information.

  24. Enterprise security management provides a holistic view at the center The ArcSight architecture comprises a data collection and storage system to consolidate network-wide alarms and alerts, analysis tools to detect multi-source and multi-target threats, and a display and report function to manage the results.

  25. Integrated enterprise management provides another level of assurance Tivoli provides a common framework and single management agent for the core IT infrastructure. IBM Tivoli Access Manager for Business Integration is a comprehensive security solution for IBM WebSphere MQ

  26. At the presentation layer, secure relationship management Netegrity Secure Relationship Management Platform™ combines identity management, single sign-on and access control, provisioning, with portal presentation and integration services. Netegrity SRM provides customers with a platform for securing, delivering and presenting enterprise resources for the interactive e-business.

  27. In the future …? [Policy architecture diagram] Components: Policy Store (holding the Root Policy), Policy Application, Credential Management, PKI, Compliance Checker. Actors: User, Policy author. Messages shown: Security Credential; Policy, Security Credential; Action Request, secure user ID; Request, Credential, Policy; Security Credential, secure user ID verification; Policy Compliance Value; Process action / deny Request.
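As an added illustration of the flow on this slide (not code from the presentation or any vendor), the sketch below models the diagram's round trip: a user submits an action request with a secure user ID, the policy application fetches the policy and credential, the compliance checker returns a policy compliance value, and the application processes or denies. The PKI-issued security credential is stood in for by an HMAC tag, the policy store is an in-memory dictionary, and all names, roles and keys are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a shared issuer key stands in for the PKI in the diagram so the
# example runs offline; a real deployment would verify a certificate chain.
CREDENTIAL_KEY = b"constructed-demo-key"

# Policy Store: a root policy plus per-resource application policies (constructed).
POLICY_STORE = {
    "root": {"require_credential": True, "deny_roles": {"terminated"}},
    "ledger": {"allowed": {"analyst": {"read"}, "trader": {"read", "book_trade"}}},
}

def issue_credential(user_id: str, role: str) -> dict:
    """Credential Management: bind a user ID and role to an issuer tag."""
    body = f"{user_id}|{role}".encode()
    tag = hmac.new(CREDENTIAL_KEY, body, hashlib.sha256).hexdigest()
    return {"user": user_id, "role": role, "tag": tag}

def verify_credential(cred: dict) -> bool:
    """The 'Security Credential, secure user ID verification' step."""
    body = f"{cred['user']}|{cred['role']}".encode()
    expected = hmac.new(CREDENTIAL_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["tag"])

def compliance_value(request: dict, cred: dict, policy: dict) -> str:
    """Compliance Checker: returns a Policy Compliance Value, not a decision."""
    root = POLICY_STORE["root"]
    if root["require_credential"] and not verify_credential(cred):
        return "INVALID_CREDENTIAL"
    if cred["user"] != request["user_id"]:      # credential must match the ID presented
        return "ID_MISMATCH"
    if cred["role"] in root["deny_roles"]:      # root policy overrides application policy
        return "ROOT_DENY"
    allowed = policy.get("allowed", {}).get(cred["role"], set())
    return "COMPLIANT" if request["action"] in allowed else "NOT_PERMITTED"

def policy_application(request: dict, cred: dict) -> tuple:
    """Policy Application: fetch the policy, consult the checker, then process or deny."""
    policy = POLICY_STORE.get(request["resource"], {})
    value = compliance_value(request, cred, policy)
    return ("process", value) if value == "COMPLIANT" else ("deny", value)
```

Note that the checker only reports a compliance value; the decision to process or deny stays with the policy application, as the diagram separates them.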

  28. Questions? Jonathan Rosenoer President Point Tiburon Group Ph. 415.789.1354 JROSENOER@CYBERLAW.COM
