
Archive for April, 2008

US businesses see supply chain risks rising

Tuesday, April 22nd, 2008

While an overwhelming majority of North American companies see risks associated with their supply chain as having grown more significant, complex, and costly, they also consider themselves largely unprepared to deal with these elevated exposures.

A new study of North American risk managers by Marsh Inc. has found that nearly three-quarters of companies (73 percent) believe their supply chain risk has risen since 2005; nearly the same number (71 percent) believe the financial impact of disruptions to their supply chain has also grown.

Most businesses are ill-prepared to handle the rising risk levels, caused by more global and complex supply chains that are increasing supplier disruptions, logistics delays, and product recalls and safety issues. Indeed, no risk managers in the Marsh study considered their companies to be ‘highly effective’ at supply chain risk management. Only 35 percent considered their companies to be ‘moderately effective’ at managing supply chain risk. Meanwhile, nearly two-thirds (65 percent) characterized their supply chain risk programs as having ‘low’ or ‘unknown’ effectiveness, or said they lacked any formal supply chain risk program.

"Concerns about supply chain risks and supplier issues are reverberating in boardrooms and among shareholder groups throughout the US," said Beth Enslow, report author and a senior vice president of Marsh’s Supply Chain Risk Management Practice. "Yet, at this point, most organizations are just beginning to take the steps needed to manage these challenges effectively. For risk management professionals, this presents a new opportunity to expand their role and increase the value they bring to their enterprises."

According to Marsh, one of the best practices for managing supply chain risk is the creation of a cross-functional team. However, only 31 percent of those in the study have cross-functional teams to manage supply chain risks. More surprisingly, fewer than one in five (19 percent) companies with more than US$1 billion annual revenue have such teams.

The study identified innovative companies that are blazing trails to improve supply chain risk management and found them taking radically different actions than their peers. For instance, these firms are nine times more likely to have built consistent, company-wide processes for supply chain risk management. And they are more likely to have extended their risk assessments to include direct suppliers, critical raw material suppliers, and logistics partners.

"The often ’siloed’ nature of supply chain functions makes it challenging for companies to assess and address their supply chain risks, especially as they relate to product safety and supply dependability across their outsourced manufacturing and distribution activities," Ms. Enslow said. "Companies have hidden interdependencies and supply chain vulnerabilities that can only be identified through cross-functional risk practices that stretch across purchasing, manufacturing, logistics, finance, legal, and the risk management office."

In order to mobilize and partner effectively with supply chain operations, risk managers need to hone their skills in a number of areas. More than three-quarters (77 percent) of the survey participants indicated that for risk managers to be effective, they need to increase their basic understanding of end-to-end supply chain processes. And 79 percent indicated risk managers must strengthen their orchestration skills for networking and interacting across the different supply chain functions.

Marsh’s Supply Chain Risk Management Practice conducted the study and authored the accompanying report entitled “Stemming the Rising Tide of Supply Chain Risks: How Risk Managers’ Roles and Responsibilities Are Changing”. Copies of the report are available free of charge here (registration required).

IT Policy Compliance: 2007 Year in Review

Monday, April 21st, 2008

By Lamont Wood - ITPolicyCompliance.com

Looking back, those who specialize in the history of corporate and cultural debacles may one day hail 2007 as the year when the dusty topic of document retention became a matter of corporate life and death. Thanks to the pervasiveness of networked computers, corporate data proved again and again that it could not only leak into the wild but, once there, take on a life of its own and do enormous harm to its parent.

PCI DSS Follies

The poster child of this dangerous new world would have to be The TJX Companies Inc., whose announced data breach in January did indeed seem to take on a life of its own. Originally pegged at 45.6 million card numbers, by the end of the year the company was admitting that the breach was more like 96 million numbers, and the event was costing the $17 billion retail chain an estimated $216 million.

TJX announced few details, but various court filings and a report by the Canadian privacy commissioner indicated that hackers penetrated the obsolete WEP encryption gear of two Marshalls stores, got into the retailer’s corporate network, and siphoned 80 gigabytes of cardholder data over a nearly two-year period. TJX finished upgrading to the more reliable WPA encryption standard in January 2007, about when the intrusion was detected.

Court filings accused the company of violating nine of the 12 controls mandated by the Payment Card Industry Data Security Standard (PCI DSS), including storing too much data. Perhaps coincidentally, the PCI Security Standards Council thereafter announced its new Payment Application Data Security Standard (PA-DSS), intended to help software vendors write applications that avoid storing data prohibited by the PCI DSS.

More Data Breaches

TJX, meanwhile, was hardly alone: one survey indicated that 85 percent of US corporations had suffered a data breach of some kind. Nor were things different overseas, judging from Her Majesty’s Revenue & Customs (the UK tax authority), which triggered a scandal when it lost two CDs containing sensitive information on 25 million citizens, including nearly every child in the realm.

Monster.com got hit twice during the year: hackers siphoned off data to use in targeted phishing attacks, and later diverted users to malicious sites. Pfizer announced breaches in June (file sharing), July (lost laptops), and September (unauthorized access).

Although the VA did not live up to its 2006 fiasco (when it temporarily lost a laptop holding 26.5 million names), the agency had so many problems that the House Veterans Affairs Committee held eight hearings just to examine IT security at the VA.

In January the entire state of Israel was impacted when census files (which the government shared with political parties) showed up on a file-sharing network.

Cyberwars

While some data was walking away in lost laptops and file-sharing indiscretions, other data was being actively kidnapped, and cyberwar became a topic for decision-makers as well as science fiction authors. Hostile factions mounted denial of service (DoS) attacks against each other in Estonia and Russia. The White House made cyber security a part of the national defense and pledged millions for it.

Authorities in multiple countries saw file-stealing Chinese hackers lurking in every shadow. Just in December, the Department of Homeland Security blamed China for attacks on the Oak Ridge National Laboratory, and in the UK MI5 blamed China for a wide range of attacks. But there were cooler heads willing to point out that, basically, when it comes to cyber espionage, everyone is now doing it to everyone else. Why go to the expense of maintaining networks of covert operatives when you can get reliable results from a kid with a laptop?

The Dark Side

For all the problems they may or may not have caused, the cyber-spies at least answered to some chain of command, somewhere. The same could not be said of the world’s grassroots hackers, especially the ones who created the so-called Storm Worm and its highly successful botnet. By summer it had infected as many as 50 million machines (some put it closer to 15 million) and experts were nervously noting that it amounted to the world’s biggest supercomputer, capable of taking down the entire Internet with DoS attacks. Mostly, though, it sent out pump-and-dump spam.

Then came the Storm Worm’s 9-11, as Microsoft added the Storm Worm to the Microsoft Malicious Software Removal tool on September 11. Infections dropped 20 percent overnight. By October the botnet had shrunk to 160,000 machines.

As for spam, pundits began to talk about Spam 2.0, which has no visible link to the source of its funding. Basically, fraud artists send spam touting some penny-stock into which they have bought a position. The price of the stock goes up slightly, and the spammer sells.

But there was also trouble on the Dark Side, as indicated by the sudden disappearance of the so-called Russian Business Network. This hacker-friendly consortium suddenly went dark in November, re-appeared in China two days later, and went dark again. Sadly, no one seemed to believe that it was gone for good.

Regulatory Affairs

Amidst all the excitement, government regulations continued to evolve. Surviving an attempt to have it declared unconstitutional, Sarbanes-Oxley continued to be the law of the land, but the Public Company Accounting Oversight Board issued Auditing Standard No. 5 (AS5) to make Section 404 audits more risk-based, ditching the "account for every dime" approach that previously held sway. The board also issued special guidelines for auditing small firms. In December the head of the SEC suddenly decided that smaller corporations should be given another year’s exceptions for complying with Section 404, to give the commission time to determine if AS5 really saved money. Otherwise, smaller corporations would have needed to demonstrate compliance for fiscal years ending after December 15, 2008.

The SEC agreed to allow foreign firms to file their statements using International Financial Reporting Standards (IFRS) instead of Generally Accepted Accounting Principles (GAAP), and was reportedly toying with the idea of letting US firms do the same.

Eight years after it was passed, the SEC and the Federal Reserve set rules to enact the final provisions of Gramm-Leach-Bliley, defining which securities transactions a bank can conduct without registering as a broker.

Final Basel II implementation rules were also published by the Fed, for banks with assets exceeding $250 billion or foreign exposure of at least $10 billion. The new risk-based capital adequacy framework is supposed to be rolled out in stages covering at least four years.

Finally, many corporate IT departments spent 2007 learning how to talk to corporate legal departments, as a result of last year’s amendments to sections 16, 26, 33, 34, 37 and 45 of the Federal Rules of Civil Procedure, which created comprehensive rules governing the discovery of electronically stored information as part of the litigation process. Basically, a corporation must retain all files that might be involved in litigation, and must be able to produce them in a usable form. In May, a federal court in Maryland issued a detailed protocol covering issues that opposing attorneys should settle before the electronic discovery process can proceed. Among other things, they must decide whether metadata is to be preserved, who will pay for the preservation, retrieval and production of the files, and how to redact data that is not deemed discoverable.

Lamont Wood is a freelance writer in San Antonio who has been covering the information technology field for a quarter century.

Compliance Results among Small Businesses

Friday, April 18th, 2008

ITPolicyCompliance.com

Performance Results: Small Business

The majority of small businesses - those with revenue, assets under management or budgets of less than $50 million - are performing at the norm when it comes to compliance results (Table 1).

Table 1: Small Business Compliance Results

Result (deficiencies)       Small businesses   All organizations, private and public
Laggards (More than 15)     20%                21%
Norm (3 to 15)              69%                70%
Leaders (Less than 3)       11%                 9%

Source: ITPolicyCompliance.com, 2006

Compliance Results: Size Does Not Matter

The compliance performance results for small businesses are nearly identical to the performance results for all organizations. Despite slight differences, the smaller size - and presumably fewer available resources - does not materially influence compliance performance results among small businesses.

Strategic Actions to Improve Results: Mixed Results

The top five prioritized strategic actions taken by small businesses do not match, one for one, the strategic actions being taken by organizations with the best (fewest deficiencies) compliance results (Table 2).

Moreover, increasing the frequency of monitoring - the key factor determining results - is not emphasized enough by most small businesses. On average, small businesses are conducting IT audit, monitoring and reporting once every 200 days: far short of the once every 21 days of the industry leaders.

Table 2: Top Five Strategic Actions for Compliance

Compliance leaders:
  1. Documented business procedures, IT assets and IT controls
  2. Changed business procedures to comply with mandates
  3. Automated monitoring and reporting to improve results
  4. Automated configuration and controls management
  5. Increased the frequency of monitoring, measurements and reporting

Small business:
  1. Automated IT configuration and controls management
  2. Automated monitoring and reporting
  3. Changed business procedures to comply
  4. Automated IT security controls and procedures
  5. Delivered training and accountability to employees

Source: ITPolicyCompliance.com, 2006

Guidance Recommendations:

Guidance for small businesses, based on fact-based benchmark results, includes:

  • Document business procedures, IT assets and IT controls
  • Increase the monitoring of IT policies, controls and audit logs to monthly or more frequently

© IT Policy Compliance Group, 2006
