
Operational Risk, Privacy & Security

Jonathan Rosenoer

Point Tiburon Group

May 2002

Content
  • Operational risk management overview
  • Trust as a design imperative and solution requirement
  • Illustrative solution components for security and privacy in an operational risk management system
The drive to manage and improve operational risk
  • Operational risk is “the risk of loss resulting from inadequate or failed processes, people and systems or from external events”
  • The Basel Committee on Banking Supervision, Bank for International Settlements, seeks to provide a strong incentive to improve operational risk management in light of recent changes in banks:
    • Growth of E-commerce
    • Use of more highly automated technology
    • Increased prevalence of outsourcing
    • Emergence of banks as very large-scale service providers

“Banks should be aware that increased automation can transform high-frequency, low severity losses into low-frequency, high severity losses.”

Bank of New York (1985): 28 hour mainframe failure causes Bank of New York to borrow $20B to manage sale of securities, at an interest cost of $4M

Barings (1995): Unauthorized and concealed derivatives trading by Nick Leeson leads to $1.2B loss and collapse of Barings

First National Bank of Chicago (1996): ATM software error inflates 800 customer balances by sum of $763.9B

BancBoston (1998): 20-year employee, Ricardo Carrasco, disappears leaving behind $73M in irregular loans and credit extensions secured by fraudulent or non-existent collateral

PULSE (2000): 22-state EFT/ATM network disabled when Tropical Storm Allison floods main and backup power systems in Houston

Bank of New York (1999): Investigators allege that up to $15B was laundered out of Russia via the Bank of New York

Mellon Bank (2001): 40,000 federal tax returns and tax payment checks totaling $800M are lost or destroyed at processing center operated for the IRS

9-11-01: Cost of NY Financial Services business disruption -- lost revenues due to market closure and dislocation expense -- was about $1.8B

Allied Irish Banks (2/7/02): Foreign exchange trader, John Rusnak, is suspected of $750M fraud

J.P. Morgan Chase (2/27/02): Insurers deny claim for $965M on surety bonds arising from Enron failure on grounds the bonds were procured through fraud

A meaningful solution is multi-dimensional and flexible
  • Multi-dimensional: To implement and demonstrate appropriate risk management systems and processes, financial institutions require a holistic solution that provides a:
    • Methodology to identify and capture loss event data
    • Reporting framework
    • Tool for root-cause analysis and alerting
  • Flexible: To implement and demonstrate appropriate risk management systems and processes, financial institutions require a flexible solution:
    • Any data… Any control objective… in real time
Looking at the problem from the bottom up

[Architecture diagram; only the component labels are recoverable from the transcript]

  • Data Adaptors: Network perf. mgt., PBX, Billing, Ticketing, CRM, SFA
  • Run-Time Engine: Data collection, Correlation, Root cause analysis, What-If, Forecasting
  • Rules Repository: Control objectives, Data collection rules, Calculation rules, Presentation rules
  • Tools: Data identification/mapping, Control objective constructor, Report authoring
  • Outputs: Data, Reports, Management Console, Web presentation (delivered to Users)

Source: Digital Fuel

Content
  • Operational risk management overview
  • Trust as a design imperative and solution requirement
  • Illustrative solution components for security and privacy in an operational risk management system
Required: Security and privacy
  • Office of the Comptroller of the Currency
    • A bank’s use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
    • The OCC expects bank management to engage in a rigorous analytical process to identify, measure, monitor, and establish controls to manage the risks associated with third-party relationships and, as with all other risks, to avoid excessive risk-taking that may threaten the safety and soundness of a national bank.
      • The OCC will review the bank’s information security and privacy protection programs regardless of whether the activity is conducted directly by the bank or by a third party.
  • Gramm-Leach-Bliley Act
    • Ensure the security and confidentiality of customer records and information
    • Protect against any anticipated threats or hazards to the security or integrity of such records
    • Protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer

A threat assessment is a traditional starting place for building trust

Source: Common Criteria

Systems thinking is key

[Architecture diagram, same layout as the previous slide; only the component labels are recoverable from the transcript. The original figure marks several components with “!” risk flags, whose placement cannot be recovered here.]

  • Data Extractors: Network perf. mgt., PBX, Billing, Ticketing, CRM, SFA
  • Run-Time Engine: Data collection, Correlation, Root cause analysis, What-If, Forecasting
  • Rules Repository: Control objectives, Data collection rules, Calculation rules, Presentation rules
  • Tools: Data identification/mapping, Control objective constructor, Report authoring
  • Outputs: Data, Reports, Management Console, Web presentation (delivered to Users)

Content
  • Operational risk management overview
  • Trust as a design imperative and solution requirement
  • Illustrative solution components for security and privacy in an operational risk management system
Remote login and SSH

SSH Secure Shell is used for remote logins. It seeks to solve the problem of hackers stealing passwords. Typical applications include 'lite VPN' applications, remote system administration, automated file transfers, and access to corporate resources over the Internet.

  • SSH Secure Shell allows you to
    • securely log in to remote host computers
    • execute commands safely in a remote computer
    • securely copy remote files
    • provide secure encrypted and authenticated communications between two non-trusted hosts
    • TCP/IP ports can be forwarded over the secure channel, enabling secure connection, for example, to an e-mail service.
  • SSH2 is designed against threats that include
    • Eavesdropping
    • Hijacking
    • IP spoofing

Source: SSH Communications Security

VPNs to connect offices and partners

VPNs securely extend corporate networks and reduce the costs incurred by leased lines and frame relay networks.

Source: Check Point

An application layer “VPN” seeks to provide access to applications without exposing an internal network

The Yakatus Secure Global Relay supports simultaneous, secure, bi-directional data transmission from multiple services, applications, and protocols through a single port - and a single server. This feature seeks to obviate security issues generated by numerous open ports, tiered firewalls and multiple servers.

New messaging systems seek to enable enterprise applications to communicate securely and reliably with one another over the Internet

Kenamea messaging operates in real time, securely delivering messages from any application end point to any other. At the core of the Kenamea offering is the Kenamea Message Switch, which acts as a hub, coordinating communication between application end-points.

Integration middleware offers another level of streamlining

The SeeBeyond Business Integration Suite centers on business processes in order to provide an integration solution that first streamlines business from end-to-end, then drills down into the next level of detail for application integration, data transformation, routing and messaging by generating the necessary technical components that manage the transformation and flow of information.

Enterprise security management provides a holistic view at the center

The ArcSight architecture comprises a data collection and storage system to consolidate network-wide alarms and alerts, analysis tools to detect multi-source and multi-target threats, and a display and report function to manage the results.

Integrated enterprise management provides another level of assurance

Tivoli provides a common framework and single management agent for the core IT infrastructure.

IBM Tivoli Access Manager for Business Integration is a comprehensive security solution for IBM WebSphere MQ.

At the presentation layer, secure relationship management

Netegrity Secure Relationship Management Platform™ combines identity management, single sign-on and access control, and provisioning with portal presentation and integration services.

Netegrity SRM provides customers with a platform for securing, delivering and presenting enterprise resources for the interactive e-business.


In the future …?

[Sequence diagram; only the actor and message labels are recoverable from the transcript]

  • Actors: User, Policy author, Application, Policy Store (Root Policy, Policy), Credential Management, PKI, Compliance Checker
  • Messages: Security Credential; Policy, Security Credential; Action Request, secure user ID; Request, Credential, Policy; Security Credential, secure user ID verification; Policy Compliance Value; Process action / deny Request

Questions?

Jonathan Rosenoer

President

Point Tiburon Group

Ph. 415.789.1354

JROSENOER@CYBERLAW.COM