Slide 1
© 2002 Point Tiburon Group
Operational Risk, Privacy & Security
Jonathan Rosenoer
Point Tiburon Group
May 2002
Slide 2
Content
Operational risk management overview
Trust as a design imperative and solution requirement
Illustrative solution components for security and privacy in an operational risk management system
Slide 3
The drive to manage and improve operational risk
Operational risk is “the risk of loss resulting from inadequate or failed processes, people and systems or from external events”
The Basel Committee on Banking Supervision, Bank for International Settlements, seeks to provide a strong incentive to improve operational risk management in light of recent changes in banks:
– Growth of E-commerce
– Use of more highly automated technology
– Increased prevalence of outsourcing
– Emergence of banks as very large-scale service providers
Slide 4
“Banks should be aware that increased automation can transform high-frequency, low severity losses into low-frequency, high severity losses.”
Bank of New York (1985): 28-hour mainframe failure causes Bank of New York to borrow $20B to manage sale of securities, at an interest cost of $4M
Barings (1995): Unauthorized and concealed derivatives trading by Nick Leeson leads to $1.2B loss and collapse of Barings
First National Bank of Chicago (1996): ATM software error inflates 800 customer balances by sum of $763.9B
BancBoston (1998): 20-year employee, Ricardo Carrasco, disappears leaving behind $73M in irregular loans and credit extensions secured by fraudulent or non-existent collateral
PULSE (2000): 22-state EFT/ATM network disabled when Tropical Storm Allison floods main and backup power systems in Houston
Bank of New York (1999): Investigators allege that up to $15B was laundered out of Russia via the Bank of New York
Mellon Bank (2001): 40,000 federal tax returns and tax payment checks totaling $800M are lost or destroyed at processing center operated for the IRS
9-11-01: Cost of NY Financial Services business disruption -- lost revenues due to market closure and dislocation expense -- was about $1.8B
Allied Irish Banks (2/7/02): Foreign exchange trader, John Rusnak, is suspected of $750M fraud
J.P. Morgan Chase (2/27/02): Insurers deny claim for $965M on surety bonds arising from Enron failure on grounds the bonds were procured through fraud
Slide 5
A meaningful solution is multi-dimensional and flexible
Multi-dimensional: To implement and demonstrate appropriate risk management systems and processes, financial institutions require a holistic solution that provides a:
– Methodology to identify and capture loss event data
– Reporting framework
– Tool for root-cause analysis and alerting
Flexible: To implement and demonstrate appropriate risk management systems and processes, financial institutions require a flexible solution:
– Any data… Any control objective… in real time
Slide 6
An early vision of an operational risk management dashboard
XYZ Bank ORM Dashboard – Period: 5/01/02 - 5/31/02 – Business Unit: All – Business Line: All
Internal fraud
External fraud
Employment practices and workplace safety
Clients, products, and business practices
Damage to physical assets
Business disruption and system failures
Execution, delivery, and process management
XYZ Bank ORM Dashboard – Period: 5/01/02 - 5/31/02 – Business Unit: Banking – Business Line: Retail Banking
Event-type Category: Clients, Products, and Business Practices
Suitability, Disclosure and Fiduciary
– Fiduciary breaches / guideline violations
– Suitability / disclosure issues (KYC etc.)
– Retail consumer disclosure violations
– Breach of privacy
– Aggressive sales
– Account churning
– Misuse of confidential information
– Lender liability
Improper Business or Market Practices
– Antitrust
– Improper trade/market practices
– Market manipulation
– Insider trading (on firm's account)
– Unlicensed activity
– Money laundering
Product Flaws
– Product defects (unauthorized, etc.)
– Model errors
Selection, Sponsorship and Exposure
– Failure to investigate client per guidelines
– Exceeding client exposure limits
Advisory Activities
– Disputes over performance of advisory activities
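The dashboard slides above describe three things a solution must do: capture loss event data, report it by event-type category and business line, and alert on a control objective. The following is an added example written for this page (it is not code from the deck, from Digital Fuel, or from any bank); it aggregates constructed loss events into the seven Basel event-type categories shown on the dashboard, applies the Business Unit / Business Line selectors, and flags the low-frequency, high-severity and high-frequency, low-severity profiles that slide 4 contrasts. The loss amounts, business units and thresholds are all made up for the illustration.

```python
"""Loss-event aggregation for an operational risk dashboard.

Added example (not from the Point Tiburon deck): groups constructed loss events
into the seven Basel II event-type categories shown on the dashboard slide,
reports frequency and severity per category and business line, and raises an
alert when a control objective threshold is exceeded.
"""
from dataclasses import dataclass
from datetime import date

# The seven Basel II level-1 event-type categories from the dashboard slide.
EVENT_TYPES = (
    "Internal fraud",
    "External fraud",
    "Employment practices and workplace safety",
    "Clients, products, and business practices",
    "Damage to physical assets",
    "Business disruption and system failures",
    "Execution, delivery, and process management",
)

@dataclass(frozen=True)
class LossEvent:
    occurred: date
    business_unit: str
    business_line: str
    event_type: str      # one of EVENT_TYPES
    sub_category: str    # level-2 label, e.g. "Breach of privacy"
    gross_loss: float    # in USD

    def __post_init__(self):
        if self.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {self.event_type!r}")

# Constructed sample data for one reporting period (not real losses).
SAMPLE_EVENTS = [
    LossEvent(date(2002, 5, 3), "Banking", "Retail Banking",
              "Clients, products, and business practices", "Breach of privacy", 12_000.0),
    LossEvent(date(2002, 5, 9), "Banking", "Retail Banking",
              "Clients, products, and business practices", "Aggressive sales", 4_500.0),
    LossEvent(date(2002, 5, 14), "Banking", "Retail Banking",
              "External fraud", "Card fraud", 2_300.0),
    LossEvent(date(2002, 5, 20), "Banking", "Commercial Banking",
              "Business disruption and system failures", "Mainframe outage", 950_000.0),
    LossEvent(date(2002, 5, 28), "Trading", "Trading & Sales",
              "Internal fraud", "Unauthorized trading", 1_250_000.0),
]
PERIOD = (date(2002, 5, 1), date(2002, 5, 31))   # the dashboard's reporting period

def aggregate(events, period_start, period_end, business_unit="All", business_line="All"):
    """Return {event_type: {"count": n, "total": sum, "max": largest}} for the
    events in the period, filtered like the dashboard's Business Unit / Line selectors."""
    summary = {et: {"count": 0, "total": 0.0, "max": 0.0} for et in EVENT_TYPES}
    for ev in events:
        if not (period_start <= ev.occurred <= period_end):
            continue
        if business_unit != "All" and ev.business_unit != business_unit:
            continue
        if business_line != "All" and ev.business_line != business_line:
            continue
        cell = summary[ev.event_type]
        cell["count"] += 1
        cell["total"] += ev.gross_loss
        cell["max"] = max(cell["max"], ev.gross_loss)
    return summary

def alerts(summary, severity_threshold, frequency_threshold):
    """Control objective: flag categories whose largest single loss exceeds
    severity_threshold (low-frequency / high-severity) or whose event count
    exceeds frequency_threshold (high-frequency / low-severity)."""
    flagged = []
    for et, cell in summary.items():
        if cell["max"] > severity_threshold:
            flagged.append((et, "high-severity"))
        elif cell["count"] > frequency_threshold:
            flagged.append((et, "high-frequency"))
    return flagged

if __name__ == "__main__":
    summary = aggregate(SAMPLE_EVENTS, *PERIOD)
    for et in EVENT_TYPES:
        cell = summary[et]
        print(f"{et:45s} events={cell['count']:2d} total=${cell['total']:>12,.0f}")
    for et, reason in alerts(summary, severity_threshold=500_000, frequency_threshold=10):
        print(f"ALERT {reason}: {et}")
```

Narrowing the selectors to Business Unit "Banking" and Business Line "Retail Banking" reproduces the second dashboard view, where only the Clients, Products, and Business Practices and External Fraud rows carry events; the two large single losses sit outside that view and only show up on the "All" view, which is the point of keeping both.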
Slide 7
Illustration: Control objective definition (powered by Digital Fuel)
Slide 8
Illustration: Event correlation
Slide 9
Illustration: Root source analysis
Slide 10
Illustration: What-If analysis
Slide 11
Looking at the problem from the bottom up
Architecture diagram components:
– Data / Reports
– Run-Time Engine: data collection, correlation, root cause analysis, What-If, forecasting, …
– Management Console: web presentation
– Data Adaptors: network performance management, PBX, billing, ticketing, CRM, SFA, …
– Rules Repository: control objectives, data collection rules, calculation rules, presentation rules
– Tools: data identification/mapping, control objective constructor, report authoring
– Users at each interface
Source: Digital Fuel
Slide 12
Content
Operational risk management overview
Trust as a design imperative and solution requirement
Illustrative solution components for security and privacy in an operational risk management system
Slide 13
Required: Security and privacy
Office of the Comptroller of the Currency
– A bank’s use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
– The OCC expects bank management to engage in a rigorous analytical process to identify, measure, monitor, and establish controls to manage the risks associated with third-party relationships and, as with all other risks, to avoid excessive risk-taking that may threaten the safety and soundness of a national bank. The OCC will review the bank’s information security and privacy protection programs regardless of whether the activity is conducted directly by the bank or by a third party.
Gramm-Leach-Bliley Act
– Ensure the security and confidentiality of customer records and information
– Protect against any anticipated threats or hazards to the security or integrity of such records
– Protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer
Slide 14
A threat assessment is a traditional starting place for building trust
Source: Common Criteria
Slide 15
Trust is a function of confidence in countermeasures
Source: Common Criteria
Slide 16
Systems thinking is key
The Digital Fuel architecture diagram again, annotated with threat markers (!):
– Data / Reports
– Run-Time Engine: data collection, correlation, root cause analysis, What-If, forecasting, …
– Management Console: web presentation
– Data Extractors: network performance management, PBX, billing, ticketing, CRM, SFA, …
– Rules Repository: control objectives, data collection rules, calculation rules, presentation rules
– Tools: data identification/mapping, control objective constructor, report authoring
– Users at each interface
Slide 17
Content
Operational risk management overview
Trust as a design imperative and solution requirement
Illustrative solution components for security and privacy in an operational risk management system
Slide 18
Remote login and SSH
SSH Secure Shell is used for remote logins. It seeks to solve the problem of hackers stealing passwords. Typical applications include 'lite VPN' applications, remote system administration, automated file transfers, and access to corporate resources over the Internet.
SSH Secure Shell allows you to
– securely log in to remote host computers
– execute commands safely on a remote computer
– securely copy remote files
– provide secure, encrypted and authenticated communications between two non-trusted hosts
– forward TCP/IP ports over the secure channel, enabling a secure connection, for example, to an e-mail service
SSH2 is designed against threats that include
– Eavesdropping
– Hijacking
– IP spoofing
Source: SSH Communications Security
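The slide lists hijacking and IP spoofing among the threats SSH2 is designed against; on the client side, the control that actually defeats a server impostor is host key verification. The following is an added example written for this page (not code from the deck or from SSH Communications Security): it parses OpenSSH-style known_hosts lines, computes the SHA256 fingerprint of the stored public key blob the way `ssh-keygen -l -E sha256` presents it, and accepts a server only when the presented key matches the stored one and a fingerprint pinned out of band. The host names, the ed25519 key blob and the known_hosts content are constructed for the illustration.

```python
"""Verifying an SSH server host key against a pinned fingerprint.

Added example (not from the deck or from SSH Communications Security): parses
OpenSSH known_hosts lines, computes the SHA256 fingerprint of the public key
blob the way `ssh-keygen -l -E sha256` does, and compares it against a
fingerprint the administrator pinned out of band.
"""
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed key blob (not a real server key): an ssh-ed25519 public key is
# the wire string "ssh-ed25519" followed by the 32-byte key as a wire string.
FAKE_PUBKEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

# Constructed known_hosts content using that blob (hostname and IP made up).
KNOWN_HOSTS = (
    "bastion.example.net,192.0.2.10 ssh-ed25519 "
    + base64.b64encode(FAKE_PUBKEY_BLOB).decode()
    + " ops-pinned-2002\n"
)

def fingerprint_sha256(blob: bytes) -> str:
    """Return 'SHA256:<base64 without padding>' over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str):
    """Yield (hostnames, key_type, blob_bytes) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue          # malformed line: skip rather than trust it
        hosts, key_type, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64, validate=True)
        # The type name embedded in the blob must match the declared type.
        declared_len = struct.unpack(">I", blob[:4])[0]
        if blob[4:4 + declared_len] != key_type.encode():
            raise ValueError(f"key type mismatch on line for {hosts}")
        yield hosts.split(","), key_type, blob

def host_key_matches(hostname: str, presented_blob: bytes,
                     pinned_fingerprint: str, known_hosts: str = KNOWN_HOSTS) -> bool:
    """True only if hostname is listed, the stored key equals the presented key,
    and its fingerprint equals the one pinned out of band."""
    for hosts, _key_type, blob in parse_known_hosts(known_hosts):
        if hostname in hosts:
            return blob == presented_blob and fingerprint_sha256(blob) == pinned_fingerprint
    return False   # unknown host: never auto-trust

if __name__ == "__main__":
    fp = fingerprint_sha256(FAKE_PUBKEY_BLOB)
    print("pinned fingerprint:", fp)
    print("genuine server:", host_key_matches("bastion.example.net", FAKE_PUBKEY_BLOB, fp))
    # A server presenting a different key for the same name fails the check.
    other = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    print("different key :", host_key_matches("bastion.example.net", other, fp))
```

The check returns False for an unknown host rather than prompting, which is the behaviour an automated file transfer or 'lite VPN' job should have (the interactive `StrictHostKeyChecking=ask` prompt is where stolen-password style attacks move to once the password itself is protected). Hashed known_hosts entries (lines beginning with `|1|`) are not handled by this parser.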
Slide 19
VPNs to connect offices and partners
Source: Check Point
VPNs securely extend corporate networks and reduce the costs that are incurred by leased lines and frame relay networks
Slide 20
An application layer “VPN” seeks to provide access to applications without exposing an internal network
The Yakatus Secure Global Relay supports simultaneous, secure, bi-directional data transmission from multiple services, applications, and protocols through a single port - and a single server. This feature seeks to obviate security issues generated by numerous open ports, tiered firewalls and multiple servers.
Diagram labels: Corporate network A, Corporate network B, WAN/Internet, Firewall, SGR, SGR Modules, VPA, UCC, Data Mining Application Server, Workstation A, Workstation B, Laptop A, Laptop B, PDA A, PDA B
Slide 21
Trusted e-mail is repositioning for enterprise information exchange
Slide 22
New messaging systems seek to enable enterprise applications to communicate securely and reliably with one another over the Internet
Kenamea messaging operates in real time, securely delivering messages from any application end point to any other. At the core of the Kenamea offering is the Kenamea Message Switch, which acts as a hub, coordinating communication between application end-points.
Slide 23
Integration middleware offers another level of streamlining
The SeeBeyond Business Integration Suite centers on business processes in order to provide an integration solution that first streamlines business from end-to-end, then drills down into the next level of detail for application integration, data transformation, routing and messaging by generating the necessary technical components that manage the transformation and flow of information.
Slide 24
Enterprise security management provides a holistic view at the center
The ArcSight architecture is comprised of a data collection and storage system to consolidate network-wide alarms and alerts, analysis tools to detect multi-source and multi-target threats, and a display and report function to manage the results.
Slide 25
Integrated enterprise management provides another level of assurance
Tivoli Enterprise Suite (diagram labels): Single Action Management; Task Profile; Management by Subscription; Secure Authority Delegation; Configuration and Operations Management; Performance and Availability Management; Tivoli Software Distribution; Tivoli Inventory; Tivoli Distributed Monitoring; Tivoli Remote Control; Tivoli Business Systems Manager; Tivoli Enterprise Console (TEC); Tivoli Manager for: Domino, DB2, Oracle, MQSeries, ...
Tivoli Enterprise Framework: foundation to establish consistent management policies across heterogeneous platforms: UNIX, Windows NT / 2000 / XP, Linux, NetWare, AS/400
Tivoli provides a common framework and single management agent for the core IT infrastructure.
IBM Tivoli Access Manager for Business Integration is a comprehensive security solution for IBM WebSphere MQ
Slide 26
At the presentation layer, secure relationship management
Netegrity Secure Relationship Management Platform™ combines identity management, single sign-on and access control, provisioning, with portal presentation and integration services.
Netegrity SRM provides customers with a platform for securing, delivering and presenting enterprise resources for the interactive e-business.
Slide 27
In the future …?
Diagram components: User, Application, Compliance Checker, Credential Management, PKI, Policy Store (Root Policy, Policy), Policy author
Diagram message labels: Action Request, secure user ID; Request, Credential, Policy; Policy Compliance Value; Policy, Security Credential; Security Credential; Security Credential, secure user ID verification; Process action / deny Request; Policy
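The diagram shows an application that does not decide access itself: it passes the request, the user's security credential and the applicable policy to a compliance checker, and processes or denies the action according to the policy compliance value it gets back. The following is an added example written for this page (not code from the deck or from any of the vendors it names) that implements that flow with one assumed reading of the message labels: Credential Management issues a credential for a verified user ID, the Policy Store merges a root policy with each application's own policy, and the Compliance Checker returns an allow/deny value with a reason. An HMAC over the credential stands in for the PKI signature; the secret, user IDs, roles, actions and limits are constructed for the illustration.

```python
"""Policy compliance check on an action request.

Added example (not from the deck): models the slide's flow with a Credential
Management service that issues a signed security credential, a Policy Store
holding a root policy plus application policies, and a Compliance Checker that
returns a policy compliance value the Application uses to process or deny the
request. An HMAC stands in for the PKI signature; all names are assumptions.
"""
import hashlib
import hmac
import json
import time

class CredentialManagement:
    """Issues and verifies security credentials (HMAC stands in for PKI)."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def issue(self, user_id: str, roles, ttl_seconds: int = 300, now=None) -> dict:
        body = {"sub": user_id, "roles": sorted(roles),
                "exp": (now or time.time()) + ttl_seconds}
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def verify(self, credential: dict, now=None) -> bool:
        payload = json.dumps(credential["body"], sort_keys=True).encode()
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential["mac"]):
            return False                      # tampered body or forged MAC
        return credential["body"]["exp"] > (now or time.time())

class PolicyStore:
    """The root policy applies everywhere; application policies refine it."""
    def __init__(self, root_policy: dict, app_policies: dict):
        self.root = root_policy
        self.apps = app_policies

    def policy_for(self, application: str) -> dict:
        return {**self.root, **self.apps.get(application, {})}

class ComplianceChecker:
    def __init__(self, credentials: CredentialManagement, store: PolicyStore):
        self.credentials = credentials
        self.store = store

    def check(self, application: str, request: dict, credential: dict, now=None) -> dict:
        """Return the policy compliance value: {'allow': bool, 'reason': str}."""
        if not self.credentials.verify(credential, now):
            return {"allow": False, "reason": "invalid or expired credential"}
        policy = self.store.policy_for(application)
        action = request["action"]
        if action in policy.get("forbidden_actions", ()):
            return {"allow": False, "reason": f"{action} forbidden by policy"}
        allowed_roles = policy.get("actions", {}).get(action)
        if allowed_roles is None:
            return {"allow": False, "reason": f"no policy for {action}"}   # default deny
        if not set(credential["body"]["roles"]) & set(allowed_roles):
            return {"allow": False, "reason": "role not permitted"}
        limit = policy.get("amount_limit")
        if limit is not None and request.get("amount", 0) > limit:
            return {"allow": False, "reason": "exceeds amount limit"}
        return {"allow": True, "reason": "compliant"}

class Application:
    """Processes or denies the request purely on the compliance value."""
    def __init__(self, name: str, checker: ComplianceChecker):
        self.name = name
        self.checker = checker

    def handle(self, request: dict, credential: dict, now=None) -> str:
        verdict = self.checker.check(self.name, request, credential, now)
        return "processed" if verdict["allow"] else f"denied: {verdict['reason']}"

# Constructed setup: demo secret, policies and a credential for a teller.
CREDENTIALS = CredentialManagement(b"demo-secret-not-for-production")
STORE = PolicyStore(
    root_policy={"forbidden_actions": ["disable_audit_log"]},
    app_policies={"payments": {"actions": {"view_balance": ["customer", "teller"],
                                           "wire_transfer": ["teller"]},
                               "amount_limit": 10_000}},
)
PAYMENTS = Application("payments", ComplianceChecker(CREDENTIALS, STORE))

def demo(now=1_000_000.0):
    """Run the request outcomes a reviewer would want to see, at a fixed clock."""
    teller = CREDENTIALS.issue("u123", ["teller"], now=now)
    tampered = {"body": {**teller["body"], "roles": ["admin"]}, "mac": teller["mac"]}
    return {
        "view": PAYMENTS.handle({"action": "view_balance"}, teller, now),
        "big_wire": PAYMENTS.handle({"action": "wire_transfer", "amount": 50_000}, teller, now),
        "root_forbidden": PAYMENTS.handle({"action": "disable_audit_log"}, teller, now),
        "tampered": PAYMENTS.handle({"action": "view_balance"}, tampered, now),
        "expired": PAYMENTS.handle({"action": "view_balance"}, teller, now + 600),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

Two design points carry over from the diagram regardless of how the real product wires it: the application never inspects roles or limits itself, so the policy author can change them in the Policy Store without touching application code, and the checker fails closed (an action with no policy entry, a credential that fails verification, or an expired credential all yield a deny value).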
Slide 28
Questions?
Jonathan Rosenoer, President
Point Tiburon Group, Ph. 415.789.1354