Sunday, March 30, 2014

Dyman & Associates Risk Management Projects on Hughes: Digital spying casts chill on global trade

WASHINGTON - Revelations about U.S. digital eavesdropping have fanned concerns about Internet privacy and may complicate U.S. attempts to write rules enshrining the free flow of data into trade pacts with European and Pacific trading partners. As more and more consumers and businesses shop and sign up for services online, the IT industry is working to fend off rising digital protectionism it sees as threatening an e-commerce marketplace estimated at up to $8 trillion US a year. “Restrictions on information flows are trade barriers,” Google’s executive chairperson Eric Schmidt said at a Cato Institute event last month, warning that the worst possible outcome would be for the Internet to turn into “Splinter net.”

The unease of U.S. technology companies has mounted in lockstep with rising worries overseas about data privacy. German Chancellor Angela Merkel — a target of U.S. spying — has called for a European Internet protected from Washington’s snooping. Brazil and the European Union plan to lay their own undersea communications cable to reduce reliance on the United States. And other countries are showing a preference for storing data on local servers rather than in the United States. U.S. President Barack Obama acknowledged this week that it would take time to win back the trust of even friendly governments.
Trade experts predict the United States will have to make concessions on data privacy in the Transatlantic Trade and Investment Partnership talks (TTIP) with the EU, and will probably not get all it wants in Pacific Rim trade talks either. “It is unfortunate because there were some good nuanced conversations happening before the spying allegations,” said Adam Schlosser, director of the Center for Global Regulatory Co-operation at the U.S. Chamber of Commerce. “But there is now a tendency to inappropriately conflate national security and law enforcement with . . . commercial privacy practices, which has put a damper on rational debate.”

The TTIP and the Trans-Pacific Partnership (TPP) talks are billed as next-generation trade negotiations, covering not only tariffs and goods trade but also common standards and goals in areas ranging from labour standards and environmental protection to intellectual property and data flows.

The last two issues are key for digital trade, which encompasses everything from U.S. cherry farmers selling direct to Chinese families via Alibaba Group Holdings’ electronic shopping platform to plane maker Boeing monitoring in-flight diagnostic data on-line. A 2011 report by the McKinsey Global Institute found almost $8 trillion changed hands each year through e-commerce, something that explains the keen interest IT firms and industry associations are taking in the trade agreements. According to data compiled by the Sunlight Foundation, the computing and IT industry has been the second-biggest lobbyist on the TPP, after the pharmaceutical industry. Industry groups such as the Software & Information Industry Association say free exchange of data is the key focus.

“For SIIA and its members, the most crucial issue in the trade agreements under negotiation is to get provisions permitting cross-border data flows,” said Carl Schonander, international public policy director at SIIA, whose members include Reuters News parent Thomson Reuters. BSA The Software Alliance, an advocacy group for the software industry has warned that TPP partners Australia, Canada, Chile, Mexico, Peru and Vietnam are among countries adopting or proposing rules banning or limiting companies from transferring personal information off-shore. This might mean U.S. companies have to set up local servers in every country.

“Data flows are the life blood of the digital economy,” said BSA policy director David Ohrenstein. “Trade agreements (must) ensure borders are open to data flows.” In an ideal world for IT companies, countries signing the TPP would promise not to impede cross-border data flows or make companies set up local servers. U.S-based lobbyists expect those provisions to make it in, possibly with exceptions, but say work is still needed to convince trading partners to promise that any new regulations, including on privacy, will not restrict trade unnecessarily.

In Europe, where the backlash against U.S. spying has been the strongest, policymakers want changes by mid-2014 to the Safe Harbor Agreement, which allows U.S. companies with European-level privacy standards access to European data. An opinion poll by the Atlantic Council and the Bertelsmann Foundation found rules governing cross-border data flows and the alignment of privacy protections were among the most contentious and important, issues in the U.S.-Europe talks. Atlantic Council vice-president Fran Burwell said it would be hard to get support from the European Parliament or countries like Germany without an agreement on data protection.

“I think the big concession that (the U.S.) will have to make will be in the data privacy area,” she said. Tension is also brewing over intellectual property. U.S. music, book and software companies see piracy of copyright material as the biggest threat to their exports, while companies like Google worry about being held responsible for the actions of clients on their networks. Data privacy group Electronic Frontier Foundation said proposals in draft TPP chapters would restrict flexibility in allowing fair use of copyright materials and encourage low-quality software patents by setting the bar too low.

A group of 29 smaller tech companies wrote to U.S. Senate finance committee chairperson Ron Wyden last week and warned against including harsher criminal penalties for minor copyright infringements in the TPP. The committee has jurisdiction over trade issues in the U.S. Congress. “Reddit is a platform the same way that the telephone is a platform,” said Erik Martin, general manager of online news hub Reddit, one of the signatories to the letter. “To put so much burden on the providers to deal with problems from individual users is just really going to put a chill on investment and put a chill on innovation.”

Friday, March 21, 2014

Dyman & Associates Risk Management Projects: The Weakest Link in Security?

Hardly a day goes by without news of another data breach. It's safe to say that we live and work in risky times. But there's a growing recognition that cybercriminals aren't the only threat—or even the primary threat to an enterprise. "There's a far greater need to educate and train employees about security issues and put controls and monitoring in place to increase the odds of compliance," says John Hunt, a principal in information security at consulting firm PwC.

It's a task that's easier said than done, particularly in an era of BYOD, consumer technology and personal clouds. According to Jonathan Gossels, president and CEO of security firm SystemsExperts, it's critical to construct policies and security protections around two basic areas: malicious insiders and those who inadvertently breach security. "The best security program in the world can be undermined by ill-advised behavior," Gossels explains.

Construct effective policies. Surveys indicate that many workers are not adhering to existing policies. In some cases, they simply disregard them. "The thing that you have to keep in mind," notes Hunt, "is that policies must be clear, understandable and not interfere with the ability of people to get their work done." If an organization is struggling with non-compliance and shadow IT, then it may be time to reexamine policies, as well as the underlying systems and tools the enterprise has in place. "Many organizations have older policies that don't take into account today's tech tools, such as iPads and other portable devices," says Hunt. The policies should also extend to contract workers and freelancers, he notes.

Educate and train employees. One of the biggest problems, says Gossels, is weak passwords and workers sharing passwords. He recommends educating employees about the use of strong passwords. It's also essential to teach employees about increasingly sophisticated phishing techniques. And executives, including CEOs, make the mistake of clicking bad links. "When you receive an e-mail from the Better Business Bureau or a fax that looks legitimate, it's very easy in the rush of the moment to click it," says Gossels. It's critical that employees learn to hover over links. Some organizations also use simulated phishing and spear phishing attacks to identify careless workers. Finally, employees must understand the risks of using personal clouds, USB drives, and other media to share and store sensitive data.

Develop controls that match policies. It's one thing to introduce a collection of security policies, it's another to build controls that effectively enforce them. According to Gossels, any time an organization introduces a policy, it should also consider how to build in technical controls, preferably automated ones. "The less you leave things to humans and chance, the better off you will be," he says. That means using mobile device management and media asset management tools, two-step verification, encryption, endpoint security, and other security measures. It also means looking for so-called low and slow approaches that frequently fly below the radar. But, more than anything else, it means mapping threats to policies and security systems—and ensuring that tools are in place to wipe lost or stolen smartphones and tablets, when necessary. Hunt adds that it's crucial to consider, when adopting policies, how long it will take to build the matching controls. He often sees companies lagging by nine to 12 months—or more.

Monitor activity and access from all endpoints. There's a growing focus on monitoring the network and endpoints for unusual activity and odd behavior, Hunt explains. "If you detect activity that doesn't fit the norm of a person's role, then it's a good idea to take a closer look at the situation," he points out. In fact, even if an organization embeds role-based policies and controls in its IT systems—something that's generally viewed as a best practice—it's wise to monitor activity and look for anomalies. Networks and systems are particularly vulnerable during mergers and acquisitions and during transitions to different or new systems.
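The role-baseline check Hunt describes, written out as an added example (not code from the article or from PwC): each role gets an expected set of systems and working hours, and every access-log line that falls outside its user's baseline is flagged for a closer look. Roles, hosts, users and log lines are all constructed for the demo.

```python
"""Role-baseline anomaly check over constructed access-log lines (added example)."""
from datetime import datetime

# Constructed baseline: systems a role normally touches and its usual hours (UTC, [start, end)).
ROLE_BASELINE = {
    "accounting": {"systems": {"erp", "payroll"}, "hours": (7, 19)},
    "developer":  {"systems": {"git", "ci", "staging-db"}, "hours": (7, 21)},
    "helpdesk":   {"systems": {"ticketing", "ad-admin"}, "hours": (6, 22)},
}

# Constructed user directory and sample log lines: "<ISO time> <user> <system> <action>"
USER_ROLE = {"alice": "accounting", "bob": "developer", "carol": "helpdesk"}
SAMPLE_LOG = """\
2014-03-21T09:12:04Z alice erp read
2014-03-21T09:40:11Z alice payroll export
2014-03-21T02:15:30Z alice payroll export
2014-03-21T10:05:00Z bob git push
2014-03-21T11:30:45Z bob prod-db dump
2014-03-21T13:00:00Z carol ticketing update
2014-03-21T13:02:00Z dave ticketing update
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, system, action = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "system": system, "action": action}


def check_event(event):
    """Return the reasons an event deviates from its user's role baseline (empty if none)."""
    reasons = []
    role = USER_ROLE.get(event["user"])
    if role is None:
        # An account with no role mapping is itself worth review (orphaned or shadow account).
        return ["unknown user (no role assigned)"]
    baseline = ROLE_BASELINE[role]
    if event["system"] not in baseline["systems"]:
        reasons.append(f"system '{event['system']}' outside {role} baseline")
    start, end = baseline["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append(f"activity at {event['ts'].hour:02d}:00 UTC outside {role} hours")
    return reasons


def find_anomalies(log_text):
    """Run every log line through the role check; return (user, system, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = check_event(event)
        if reasons:
            hits.append((event["user"], event["system"], reasons))
    return hits


if __name__ == "__main__":
    for user, system, reasons in find_anomalies(SAMPLE_LOG):
        print(f"REVIEW {user} -> {system}: {'; '.join(reasons)}")
```

On the sample log this flags an accounting export at 02:15, a developer touching a production database, and an account with no role; the alert is a prompt for review, not a verdict.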

Wednesday, March 19, 2014

Dyman & Associates Risk Management Projects: Information, Disinformation and the Credibility Crisis

A large percentage of the American population no longer trusts mainstream news outlets either on television or in print. A June 2013 Gallup poll indicates nearly 4 out of 5 Americans among younger generations from age 21-64 cannot trust the major news networks, not when the likes of NBC and MSNBC are owned by General Electric, Comcast and possibly Time Warner in this age of super-mergers. Both the circulation and very survival of America’s news print organizations have shriveled or dried up completely.

Amongst the nation’s largest cities, few traditional newspapers are still left today. Even the perennial powerhouse dailies like the New York Times, Washington Post and LA Times have gravely suffered, and in an attempt to keep up with the changing times, years ago moved to the internet as their mainstay means of surviving the computer age. Time Magazine and Newsweek similarly have been forced to downsize, with Newsweek permanently suspending its print circulation. In recent years Time Magazine in print has been reduced in size to a mere skimpy little shadow of what it once was.

To a significant portion of Americans, all the mainstream news corporations have been rendered state propaganda and disinformation tools for the US government. Indeed their embedded (alias “in-bed”) news reporting has become a cynical joke amongst the populace. Entertainment fluff and filler space have come to obscure and replace real news and real issues that vitally affect the well being, safety and concerns of the American public. The controlling powers behind mainstream media outlets have made a concerted effort to keep American citizens the last to know especially when it comes to world events and developments.

According to that same Gallup poll from last year, this growing distrust that Americans have towards mainstream news is only exceeded by their distrust towards big business, HMOs and the US Congress. Even last month’s Gallup poll shows President Obama’s approval rating dipping to an all-time low of just 39%, with the majority of Americans now disapproving of his job performance. This negative, across-the-board view reflects both a generalized discontent and disconnect with today’s status quo power structure. And as a result, a mass exodus of US citizens has switched from viewing their world through the known distorted lens of traditional news coverage to that of the world wide web, currently celebrating its quarter-century anniversary this week.

Hence, in recent years a growing number of people have been turning to online sources as their primary means for news information and current world events. Despite unlimited numbers to choose from of websites portending to depict accurate coverage of domestic and international events, in today’s world the notion of objective, unbiased news coverage becomes highly suspect. Thus, an informed public must be extremely discerning when it comes to believing what is the truth and what are the lies based on propagandist manipulation. Ultimately individuals will naturally gravitate toward whatever sources of news best fit their particular biases and beliefs based on their world paradigm. So one’s sense of reality and truth about the world becomes both highly elusive and subjective, if not impossible to tease out and grasp.

To compound this already perplexing, complex problem, the systematic dumbing-down of America has produced a mounting population that all too frequently gullibly accepts either the spoon-fed deception and lies of mainstream media or often equally biased non-mainstream news outlets. For decades now Americans have been conditioned to no longer think critically and discriminately to sort out facts from fiction.

Creative questioning, exploring curiosity or daring to challenge authority is entirely absent from the current US public education system bent on homogenized conformity and socialization toward robotic compliance. And as a consequence, too many Americans blindly accept as gospel truth anything they read, that is if they still read at all, naively assuming it would not be fit to print on the internet, in books, magazines or newspapers or seen on TV, if it were not all true.

Monday, March 17, 2014

Dyman & Associates Risk Management Projects: Application awareness using data inspection

Executive Summary

The modern enterprise presents numerous challenges to IT security leaders, as it requires a diverse array of applications, websites, protocols, and platforms. Mobile devices are changing the fundamental composition of network traffic and introducing new types of malware, while consumerization trends such as BYOD are introducing new devices over which IT has little control.

To organize the chaos, IT must look beyond a network packet’s site, port, or IP address and determine a security posture that relies on the complete context of data usage. A deep, thorough inspection of real-time network data can help provide the content awareness required for the granular management that a flexible, modern enterprise requires.

This report examines the shortcomings of traditional security and management processes exposed by device proliferation, an increasingly mobile workforce, and a movement toward cloud applications. It also demonstrates how a deeper understanding of application data in transit can help IT build more-flexible, business-friendly management procedures that continue to provide security and efficiency without disrupting productivity. The report concludes with best practices for testing application-aware network-security devices to gain a greater understanding of the value they will provide when deployed onto the enterprise network.

Consider the following:

·         Traditional security and access controls are no longer capable of protecting enterprise networks yet continue to serve a purpose within a defense-in-depth strategy.

·         BYOD and other consumerization trends bring new threats to the enterprise that must be addressed by innovating network-security and policy management.

·         IT security leaders must validate and test these new application-aware network-security devices and identity-based policy-management systems.

Friday, March 14, 2014

New Oracle Software Tackles Mobile Security Head On, Dyman & Associates Risk Management Projects

Mobility. It’s not a new trend, but it’s a growing one. Indeed, the workforce is becoming increasingly mobile and that mobility is driving security concerns that software giants like Oracle are trying to solve.
Oracle sees a critical need for solutions that help enterprises control access to business data and also protect that data on mobile devices. Advanced security controls for personal and corporate devices are needed, without complicating the user experience.

To meet these needs, the enterprise-software maker is launching the Oracle Mobile Security Suite, which lets users securely access enterprise data from their own devices, while at the same time protecting that information by isolating corporate and personal data.

Oracle Says Its Solution Is Different

"By extending security and access capabilities to mobile devices, organizations can protect corporate resources on employee devices without compromising the user experience," explained Amit Jasuja, Oracle's senior VP of Java and Identity Management.

Jasuja said Oracle's security solution brings the firm's Identity Management platform to mobile devices, so organizations can address the bring-your-own-device (BYOD) challenge logically.

Along with Oracle’s existing Identity and Access solutions, the new suite offers an integrated platform that organizations can use to manage access to all applications from all devices -- including laptops, desktops, and mobile devices.

Oracle insists its approach is different from the approaches taken by other mobile device management (MDM) solutions because those others focus on the devices themselves. That strategy can create separate security silos requiring companies to spend more money on expensive products to integrate with their identity solutions.

Instead, Oracle said its Mobile Security Suite focuses on the apps and the users, allowing IT to more efficiently and securely administer and manage access.

An End-to-End Solution

The company said its Mobile Security Suite provides a secure workspace so organizations can separate corporate and personal apps. That means enterprises can protect their apps and data as well as enforce their security policies without interfering with users' personal information.

The workspace also offers security controls, enabling companies to enforce single sign-on, per-app network tunneling, and encryption for stored data, and integration with Microsoft Active Directory for shared-drive access.

As for mobility security controls, the software is able to limit access or restrict functionality based on location. The solution also lets companies control their application policies, including limiting copy/paste/print to prevent data loss. Additionally, if employees are terminated or otherwise leave their jobs, organizations can remotely wipe corporate data and apps from their mobile devices.

The Oracle Mobile Security Suite also includes an e-mail client, secure browser, file manager, white pages app, document editor, and a mobile app catalog that can serve as an app store.

Thursday, March 13, 2014

Seagate Backup Plus Fast Portable Review, Dyman & Associates Risk Management Projects

The Seagate Backup Plus Fast portable drive is a performance-heavy mobile device that provides users a plethora of storage and is the first portable drive that offers 4TB of storage space. Backup Plus Fast is fully USB powered, allowing users to bring along their videos, music, and pictures without having to carry an extra external power supply while on the go. Also included is the Seagate Dashboard, which offers users the ability to schedule and automate backups for their computer, social networks and mobile devices.

Seagate’s website claims that their Backup Plus mobile drive boasts up to twice the speed of other portable hard drives thanks to its fast USB 3.0 interface, with transfer speeds up to 220MB/s. Those are extremely good numbers, especially compared to other portable consumer drives such as the LaCie Rugged and G-Technology G-DRIVE that are limited to a single hard drive inside. So how does Seagate’s new drive reach this performance level? Well, the device actually contains two 2TB 9.5mm Samsung drives in RAID0 (striped) to account for both the speed and 4TB capacity. The Samsung drives have appeared in Samsung-branded externals prior, but Backup Plus Fast is the first product to leverage the drives in this creative way.

Also available in conjunction with the drive is a free Seagate Mobile Backup app for iOS and Android mobile devices. The app allows users to back up all of their content to the drive when on the same network, or to the cloud when on the go. Additionally, users can use the Save and Share features to download and upload content from social network sites such as Facebook and Flickr. To make sharing the drive between multiple systems more convenient, when the pre-loaded NTFS driver is installed on a Mac, Backup Plus Fast can be used between Windows and Mac computers without having to reformat the drive.

The Seagate Backup Plus Fast Portable 4TB is shipping now with a street price of $269.99 and is backed by a limited 3-year warranty.

· Capacity: 4TB (STDA4000100)
· Performance: 220MB/s
· Product Colors: Black
· Length: 116.90mm
· Width: 82.50mm
· Typical Weight: 0.307kg
· Seagate Dashboard pre-loaded on drive
· Contents: 18-inch USB 3.0 cable, USB 3.0 Y-cable, Quick start guide
· Warranty: 3-year limited

Design and build

As is the case with many Seagate devices, the Backup Plus has a simple design with the company logo on the bottom corner. Its smooth metal enclosure (top and bottom covers, middle section is plastic) helps resist scratches and fingerprints and easily fits into a laptop bag or backpack. The side end of the drive houses the USB 3.0 connector port and the top cover has a small drive activity light.

Overall, the Backup Plus is well built; but is not user accessible, which is not uncommon for portable drives. If a drive fails, the user will have to RMA the entire thing since they can’t swap one drive on their own without damaging the enclosure. Opening up the drive exposed two Samsung 2TB M9T hard drives connected through a dual-SATA to USB 3.0 adapter.


The Seagate Dashboard is included with the entire Backup Plus family, and with it users are able to have a simple, streamlined method of ensuring that all of their content is backed up. Overall, we find the Seagate Dashboard is very simple to use as it allowed us to easily protect, share and save data.

The Dashboard software is located on the Backup Plus drive itself, so there’s no need to download it. To install the Dashboard software on your computer, you simply have to double click the file (.dmg for Mac users, .exe for PC) and follow the onscreen instructions.

If you're using a Mac, you will eventually be asked to select whether you’ll be using your drive on the Mac, PC or both. If you select the Mac-only option, the drive will reformat itself to integrate with Mac applications such as Time Machine.

After installing the software, users will see a very simply laid out dashboard with the connected drive listed on the left; we were impressed with its simplicity and easy navigation. The "Social" section allows users to log in to their account for each site and back up all of their images and videos; these backups can be initiated automatically. The Dashboard also allows users to share their photos and videos located on the Backup Plus drive directly to their Facebook, Flickr or YouTube accounts. This functionality worked seamlessly.

With the growing number of images and videos stored on smartphones and tablets, backup is something that is becoming very important for these mobile devices. The "Mobile backup" section allows users to back up their mobile devices that have the app installed. Additionally, once you set up the backup plan in a few quick steps, backing up your phone or tablet is automatic. iOS users can find the app on iTunes while Android users can find it on the Play Store.


Using our Consumer Testing Platform, we measured 2MB sequential speeds. The Seagate Backup Plus clocked in at an impressive 237.2MB/s in the write column and 183.4MB/s for read activity. By comparison, the recently reviewed LaCie Fuel (USB 3.0) measured 98.3MB/s read and 109.1MB/s write. To approach Backup Plus Fast's performance numbers, we have to compare it to a DIY solution like the Newer Technology Guardian MAXimus Mini. The MAXimus Mini (RAID0) measured sequential speeds with a Hitachi 7K500 array of 213MB/s read and 213MB/s write. In aggregate, pretty similar performance, but the enclosure approach doesn't include the software or cloud features, though it does allow for physical drive management and an optional RAID1 configuration.

When testing with 2MB random transfer speeds, the Seagate Backup Plus measured read and write speeds at 90.0MB/s and 135.8MB/s respectively. The LaCie Fuel measured read and write speeds at 71.2MB/s and 79.7MB/s respectively. The dual-drive Backup Plus Fast again tops the performance table, as expected.

It is worth noting that the Backup Plus Fast uses RAID0 to achieve its high speeds and capacity, something that is not without risk. In a RAID0 environment, there is no parity of data, so if either drive fails, the entire RAID fails and data loss is certain. The drive therefore makes for an excellent backup target or media file repository, especially when combined with Seagate's software for cloud backup, but it should not be relied upon as the only copy of backups or files.


The Seagate Backup Plus Fast Portable drive with USB 3.0 provides consumers with a very durable and fast 4TB mobile hard drive; it is also bus powered, meaning that users do not need to pack those pesky AC cords with them when they are on the go. Consumers working on the go will find the Seagate Backup Plus Fast especially useful due to its plethora of space and speedy write activity. Under the hood, the Seagate drive contains two 2TB drives in RAID0 to account for the speed and high capacity, giving it a substantial boost in performance. Using a RAID0 configuration comes at a cost, however, as it allows for total data loss if one of the two internal drives fails. Users should thus be wary of that fact, and we recommend that users back up their data to something else on a regular basis or use Seagate’s cloud option and apps to back up. This all said, this is a common issue for most mobile drives, so it's not too much of a surprise or hindrance.

One thing that we really found handy is that users can share and manage files between Windows and Mac computers without having to reformat the drive; a very welcome feature for users who switch platforms often (e.g. work vs. home). The included software bundle, which adds an app for mobile device backup too, is one of the more comprehensive available in the market today.

As far as performance goes, we measured 2MB sequential speeds at an impressive 237.2MB/s in the write column and 183.4MB/s for read activity, which is much higher than other premium mobile drives for only around $60 more. The extra 3TB of data, which is significantly more storage than most portable storage solutions, more than makes up for the slightly higher price for many users.

Wednesday, March 12, 2014

Appthority App Risk Management, Dyman & Associates Risk Management Projects

Appthority App Risk Management provides a service that employs static, dynamic and behavioral analysis to immediately discover the hidden actions of apps and empower organizations to apply custom policies to prevent unwanted app behaviors. Only Appthority combines the largest global database of analyzed public and private apps with advanced policy management tools to automate control over risky app actions and protect corporate data.

According to a recent Appthority blog post, the National Cyber Security Alliance recently promoted its internationally recognized annual holiday, Data Privacy Day. The theme of Data Privacy Day, “Respecting Privacy, Safeguarding Data, and Enabling Trust,” came just on the heels of new revelations from the N.S.A. around how they target mobile. The company indicated that, according to the New York Times, the National Security Agency let it slip that they use mobile apps as a method to access personal information. These “leaky apps,” such as the popular gaming app Angry Birds, give away things such as smartphone identification codes and pinpointed locations throughout the day.

There is big data potential: the potential to transform health care, though structural issues may pose obstacles. Privacy issues will continue to be a major concern. McKinsey estimates $300 billion to $450 billion in reduced health-care spending, which could be conservative, as many insights and innovations are still ahead. Training initiatives are great. eMarketer estimates that digital pharma US ad spending will reach $1.19 billion in 2013 and climb to $1.33 billion by 2016. This market has remained cautious in its investment strategies following regulations and standards.

Organizations' objectives should produce quality risk management results that impact the overall pharmaceutical quality system. The areas could be evaluated when implemented, and potential opportunities to improve could also be identified. The companies that are successful today are collaborative, nimble, smaller and multidisciplinary. Applying compliance to these ecosystems is a priority. The traditional model is going away. Acquisitions of licensing have a lot of momentum now.

C-Level and supporting senior management would make a significant impact on governance in Pharma. Controlling risk and regulations is a big issue for the industry. Emerging threats could be prevented with patience, time investment and allocating the right resources available. Compliance is a time consuming process.

Tuesday, March 11, 2014

Card Brands Launch Security Initiative, Dyman & Associates Risk Management Projects

Ending weeks of relative silence by the two major payment card brands in the wake of payments breaches at Target Corp., Neiman Marcus and other retailers, MasterCard and Visa have announced the formation of a cross-industry group to work on improving U.S. payment security. The collaborative effort aims to advance the migration to chip cards as well as point-to-point encryption.

In addition to the card brands, the coalition will include banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups, the card brands say in announcing the effort.

"The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security," says Ryan McInerney, president of Visa Inc. "As we have long said, no one industry or technology can solve the issue of payment system fraud on its own."

Top Priorities

The initial focus of the group will be on the adoption of payment cards using chip technology based on the EMV standard that's widely used in other nations. The cards offer greater security than the magnetic-stripe cards that are now commonly used in the U.S.

Other areas of focus for the new group will include:

• Promoting additional security solutions, including tokenization and point-to-point encryption. "While EMV addresses the physical point of sale, the need to protect mobile and online transactions is critical," the card brands say in their announcement. "In tokenization, the traditional account number will be replaced with a unique digital payment code, providing an additional layer of security."
• Developing an actionable roadmap for security across all segments of the payments industry.

"One of the critical roles we play is to protect consumers and businesses against criminals and fraudsters," says Chris McWilton, president of North American markets for MasterCard. "Only through industry collaboration and cooperation will we address the real and immediate issue of security and maintain consumer confidence and trust. EMV will be the next step in these efforts, alongside enhanced security solutions for online and mobile channels."

The formation of the group, the card brands say, is an acknowledgement of the need for all parties involved in the payments process to work together and will "ensure all voices can contribute to the strategic direction of payment security."

MasterCard and Visa also expect the new group to engage with other ongoing security efforts, including proprietary risk councils, EMV task forces and standards management bodies.

Assessing the Efforts

News of the card brands' focus on tokenization and point-to-point encryption is encouraging, says Gartner analyst Avivah Litan. The efforts could make a meaningful difference if standards are created for the technologies "so that one vendor's solution [is] interoperable with another," she says.

"These standards have been lacking in the market, and, as a result, especially with point-to-point encryption, retailers and card acceptors are somewhat hesitant to adopt the technology out of valid fear of vendor lock-in and the pricing and competitive disadvantages that go along with that," Litan says.

"Visa and MasterCard have had plenty of time to work on these standards," she says. "Let's see if they do something meaningful and actionable this time."

Monday, March 10, 2014

Dyman & Associates Risk Management Projects, Is the cloud the next stop for enterprise risk management?

Could enterprise risk management become a common cloud-based service at most government agencies? It's an idea being explored by other industries, especially within the financial management and manufacturing sectors. There's a good chance that the idea could take root in the public sector too.

Once an organization assesses its potential safety and economic risks, specific rules can then be set to help mitigate those risks. Historically, organizations have not always taken an enterprise-wide approach to risk management. More often, solutions were applied piecemeal, such as requiring locks on certain doors or passwords on specific machines. As risk management became more formalized, it slowly became an evaluation process to be followed, a set of formal decisions to be made and a way to track and enforce specific rules.

A risk-management system often is used not only to track risk but to document decisions made on how the risk should be addressed. This system can include coordinating resources to minimize risk, monitoring risk-related activity, and managing the short- or long-term impact of known risks.

Such systems fall under the general heading of governance, risk and compliance (GRC), and many government agencies already have systems in place to help them manage their approach to risk. The key word here, though, is "systems" (plural). Agencies can find it difficult to integrate a truly enterprisewide view of how risk is managed. Too often GRC systems have been built ad-hoc at the sub-agency level to deal with local issues.

Further, government has unique needs. Risk management is not the same for government as it is for an insurance company that is working to manage risk and assure profits across thousands of insurance policies and investments. Government also tends to focus heavily on risk associated with project management. Getting program or project governance properly aligned helps ensure success for the program itself, and it also reduces long-term risk from other internal and external factors.

There are popular GRC solutions available from enterprise software vendors such as Oracle and SAP. Some organizations have created their own customized risk-management solutions, and other companies have risk-management solutions that are targeted at a specific issue, such as compliance with the Federal Information Security Management Act or the Homeland Security Presidential Directive (HSPD) 12.

We've also seen compliance monitoring and enforcement systems that address data privacy, cyber-threat protection, configuration management rules and monitoring as well as network monitoring. The Federal CIO Council even mentioned these types of systems as leading priorities for 2014. Individual government lines of business are influencing an ever greater number of investment decisions related to GRC initiatives.

So there's a critical mass of interest in these types of solutions. That's because agencies are under pressure to take an enterprisewide approach to GRC. They need to upgrade systems in order to make that happen, and there are always new rules hitting them that affect what their risk-management systems must track. In fact, big data and analytics draw the most attention for risk and innovation, and both are key expansion areas for government agencies. Meanwhile, we have an increasingly mobile workforce and the onset of new cyber threats. Thus, security and risk have become a key government business function that relies on technology as a cornerstone of its success.

Cloud-based GRC solutions are a logical step for agencies that need to address new rules, consolidate systems and serve their mobile workforce. Most enterprise software vendors offer cloud-hosted versions of their risk management solutions, and it's worth talking to them to see if this is a logical place for an agency to migrate.

Government can offer help too. Last year the National Institute of Standards and Technology published a Draft Cloud Computing Security Document that introduced a "cloud-adapted Risk-Management Framework for applications and/or services migrated to the cloud." Back in 2010 NIST also established a guide for applying the Risk-Management Framework to federal IT systems. GSA also offers a set of solutions under a blanket purchase agreement related to the Risk-Management Framework and associated services (though it's not clear how much of this is available via the cloud).

Sunday, March 9, 2014

Safety products: Web-based driver risk management, Dyman & Associates Risk Management Projects

Utility vehicles: Alert Driving, a provider of web-based driver risk management solutions, has announced the launch of Hazard Perception 360, an interactive mobile driver risk assessment solution. The new release builds on Alert Driving’s proven, industry-standard Hazard Perception Evaluation program.
Hazard Perception Evaluation is designed to identify high-risk drivers by assessing their risk awareness and reaction time across six core safe driving categories. Based on each individual’s specific deficiencies, the program assigns targeted training to mitigate a driver’s assessed risk.

The advancements made with Hazard Perception 360 include:

• A web-based, mobile application that does not require a company to download an app to launch the program;
• A 45% larger clickable, interactive area; and
• An enhanced driver scoring algorithm that more accurately pinpoints a driver's deficiencies and risk rating.

“AlertDriving was the first company in the marketplace to bring the Hazard Perception Evaluation to fleets,” said Matthew Latreille, Vice President of Digital Marketing and Innovation at AlertDriving. “The fact that AlertDriving can deliver this highly interactive solution to mobile devices without the hassle of app stores or installations makes for a seamless program launch.”

The initial release of Hazard Perception 360 is customized specifically for iPad users and available in nine countries, including the United States, the United Kingdom, Slovakia, Argentina, Brazil, Philippines, Czech, Italy, and Russia. Further expansion to additional countries will occur throughout 2014, with new versions for other tablets such as the Samsung GalaxyTab and Google Nexus coming on stream during the same timeframe.

“With the ever-increasing use of mobile technology and growing mobile workforce, there needs to be a change in the way training is delivered to drivers,” said Rob Martin, Vice President of Sales at AlertDriving. “We’re at the forefront of this change, with Hazard Perception 360 allowing companies to bring the training to the drivers wherever they are,” Rob Martin continued. “This results in a seamless delivery of the training, increased productivity for employees and ultimately a reduction in collisions, personal injuries, and financial cost on the road.”

Established in 1998, AlertDriving pioneered web-based driver risk management and has trained over 1,200,000 drivers worldwide. The company's fully customizable driver risk management platform has helped clients significantly reduce their collisions, injuries, costs and liability exposure.

Saturday, March 8, 2014

Dyman & Associates Risk Management Projects Cartoon: the climate contrarian guide to managing risk

A new cartoon created by John Cook illustrates the failure of climate contrarians to manage global warming risks

Climate contrarians want us to bet everything on the best case global warming scenario. That's a failure of basic risk management. Photograph: Erik De Castro/Reuters

Climate change is fundamentally a risk management problem. Whether or not you agree with the 97 percent expert consensus on human-caused global warming, there is an undeniable risk that the consensus is correct and that we're causing dangerously rapid climate change.

Frequently, climate contrarians argue against taking action to mitigate that risk by claiming the uncertainties are too large. One of the most visible figures to make this argument is climate scientist Judith Curry, who said in 2013,

"I can't say myself that [doing nothing] isn't the best solution."

This argument represents a failure to grasp the principles of basic risk management, as illustrated in the following cartoon.

The climate contrarian guide to managing risk. Created by John Cook

When it comes to managing risk, uncertainty is not our friend. Uncertainty means it's possible the outcome will be better than we expect, but it's also possible it will be much worse than we expect. In fact, continuing with business-as-usual would only be a reasonable option in the absolute best case scenario.

Doing nothing is betting the farm on a very low probability scenario.  It's an incredibly high-risk path that fails to reduce the threats posed by the worst case or even most likely case scenarios. This is a concept Judith Curry understood in 2007, when she wrote,

"The rationale for reducing emissions of carbon dioxide is to reduce the risk of the possibility of catastrophic outcomes. Making the transition to cleaner fuels has the added benefit of reducing the impact on public health and ecosystems and improving energy security ... I have yet to see any option that is worse than ignoring the risk of global warming and doing nothing."

Judith Curry of 2007 got it exactly right. Unfortunately she and her fellow climate contrarians no longer seem to grasp these fundamental principles of risk management.

Failing to mitigate global warming by significantly reducing greenhouse gas emissions is fundamentally equivalent to continuing to smoke cigarettes, driving without a seat belt, or refusing to buy homeowner's insurance. Each situation represents the failure to take action to reduce the risks of a very dangerous outcome.

Even if you personally have doubts about the 97 percent expert consensus on human-caused global warming and the threats it represents, there's a good chance you're wrong. You may also doubt the medical science consensus that smoking causes lung cancer, but acting on that doubt by continuing to smoke is a risky decision. The difference is that in the latter case, you're only risking the health of yourself and those in your proximity. In the case of global warming, you're risking the health of entire ecosystems and future generations.

From a risk management perspective, mitigating the undeniable threat of catastrophic climate change is a no-brainer. So let's stop delaying and denying and get to it.

Thursday, March 6, 2014

Dyman & Associates Risk Management Projects

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root cause. Several risk management standards have been developed by bodies including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.

Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, even though confidence in estimates and decisions seems to increase. For example, it has been shown that one in six IT projects becomes a 'Black Swan', with cost overruns of 200% on average and schedule overruns of 70%.

A widely used vocabulary for risk management is defined by ISO Guide 73, "Risk management. Vocabulary."

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.

For the most part, these methods consist of the following elements, performed, more or less, in the following order:

· identify and characterize threats
· assess the vulnerability of critical assets to specific threats
· determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
· identify ways to reduce those risks
· prioritize risk reduction measures based on a strategy
