Tuesday, May 20th, 2008
Gartner has published a new report ‘A Risk Hierarchy for Enterprise and IT Risk Managers’ in which it claims that risk management practices in many enterprises are in a poor state. Many enterprises continue to take a narrow ‘siloed’ approach to risk assessment and management, often developing risk practices that are not effective or appropriate to their specific needs.
Gartner says that in many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.
"An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," said Paul Proctor, vice president and distinguished analyst at Gartner. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."
In the report Gartner details seven key steps which enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:
* Implement a framework for risk assessment and mapping.
* Establish the responsibilities of risk managers with their areas of responsibility.
* Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
* Determine the threat level, and focus on those risks with the highest impact on performance.
* Establish levels of controls for processes commensurate with the perceived threat.
* Record and retain risk incident and near-miss information.
* Conduct periodic risk assessments to determine changes in the operation’s risk profile and assess control performance.
The report is available here (payment required).
Posted in Risk Management
Friday, May 9th, 2008
April 22, 2008 — Network World — Researchers are touting an innovative cryptography method they’ve developed called "functional encryption," which, though largely untested in the real world, could one day have an impact on how enterprise data is encrypted, stored and decrypted.
UCLA associate professor Amit Sahai, who has worked with UCLA computer-science alumnus Brent Waters on functional encryption for three years, says the technology lets an individual encrypt data in a way that lets people decrypt it only if they have the right "attributes."
"The mathematical system will produce an encrypted record that only people matching the criteria can decrypt," says Sahai, who recently published a paper on functional encryption with Waters that was presented at last week’s Eurocrypt Conference. "To do this, you get a personalized key that expresses your attributes bound up in one key."
In an enterprise environment, the attributes bound into a user’s encryption key might be just a name, or might also cover the job functions that require access to restricted, encrypted data in business, government or a university. "There could be a one-way decryption function used in many ways in both custom or Web applications, for example," Sahai says. Each personalized key, expressing the security attributes of what that person is permitted to view, would unlock only the appropriate encrypted data and nothing else.
A user’s key would be able to decrypt scrambled data because the data, always stored in encrypted form, would recognize through a mathematical process the people holding the right key with the appropriate attribute associated with that data. "It’s through all this math packed into the message that the reader is recognized," says Sahai, who says functional encryption makes use of elliptic-curve encryption, which is seen as computationally efficient.
Sahai says the hope is that the work he and his colleagues have done will one day improve server-based security. "We really want to make it so the server has no idea what it’s holding," he says. "Instead, we want to make sure the right people get the data, and this is through the mathematics itself."
Although Sahai says his technology can’t properly be called digital-rights management, he says it could be viewed as a type of "privacy-rights management" based on the concept of a system public key. The challenge of devising a tool for functional encryption is not just the complex math but also making sure the system can withstand so-called "collusion attacks" to undermine its integrity, Sahai says.
Earlier versions of a functional-encryption software tool were made public in the past at UCLA, and Sahai says he will soon make available a new version of the functional encryption tool for review so experts can test its efficacy.
The paper will also be published in a forthcoming edition of the Journal of Cryptography. UCLA says the research into functional encryption has been funded in part by the National Science Foundation, the U.S. Army Research Office and the U.S. Dept of Homeland Security.
Posted in Information Security, Risk Management
Thursday, May 8th, 2008
Bank Technology News | May 2008
The risk in supply chains is growing as businesses expand their outsourcing efforts, says risk-consulting firm Kroll of New York. A survey found that 42 percent of companies had suffered from either theft of physical assets or another incident of supplier fraud, a problem which has manifested itself in everything from lost or stolen funds to the importation of dangerous materials (remember melamine in pet food?).
As part of some corrective steps, Kroll points out that the payment and financial activity with a supplying vendor could provide fraud-vetting clues for companies and their financial institutions. Among the suggestions is that firms modernize accounts payable systems to fully automate purchase order/invoice comparisons and gain more understanding into the calculation of charges. Traders must also invest in data mining and reporting capabilities to figure out where payment matching and approval systems are weakest: falsified invoices that have telltale signs of dramatic payment increases to one vendor; a high number of transactions conveniently coming in under audit thresholds; or consecutive invoice numbers or multiple same-day invoices.
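The four invoice red flags Kroll lists above, turned into a small detection pass over accounts-payable records. This is an added example, not Kroll's or the article's code; the sample invoices are constructed, and the audit threshold, jump ratio and count cutoffs are assumed tuning values a firm would set from its own approval limits:

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample invoices (not survey data): (vendor, invoice number, date, amount)
INVOICES = [
    ("Acme Supply", 1001, date(2008, 1, 15), 4800.0),
    ("Acme Supply", 1002, date(2008, 2, 15), 4900.0),
    ("Acme Supply", 1003, date(2008, 3, 15), 4950.0),
    ("Acme Supply", 1004, date(2008, 4, 15), 19800.0),
    ("Acme Supply", 1005, date(2008, 4, 15), 4990.0),
    ("Beta Parts", 77, date(2008, 2, 3), 12000.0),
    ("Beta Parts", 214, date(2008, 3, 9), 11500.0),
]
AUDIT_THRESHOLD = 5000.0  # assumed approval limit below which invoices skip review


def flag_invoices(invoices, threshold=AUDIT_THRESHOLD, jump=3.0, near=0.9, min_under=3):
    """Return {vendor: [reasons]} for vendors matching any of the four red flags."""
    by_vendor = defaultdict(list)
    for vendor, num, day, amount in invoices:
        by_vendor[vendor].append((num, day, amount))
    flags = {}
    for vendor, rows in by_vendor.items():
        reasons = []
        rows.sort(key=lambda r: (r[1], r[0]))  # chronological, then by invoice number
        amounts = [a for _, _, a in rows]
        # 1. Dramatic payment increase: an invoice far above the running mean of earlier ones.
        for i in range(1, len(amounts)):
            mean_before = sum(amounts[:i]) / i
            if amounts[i] > jump * mean_before:
                reasons.append(f"invoice {rows[i][0]} is {amounts[i] / mean_before:.1f}x prior average")
                break
        # 2. Many invoices landing just under the audit threshold.
        under = [a for a in amounts if near * threshold <= a < threshold]
        if len(under) >= min_under:
            reasons.append(f"{len(under)} invoices within 10% below the {threshold:.0f} threshold")
        # 3. Strictly consecutive invoice numbers (the vendor bills nobody else in between).
        nums = sorted(n for n, _, _ in rows)
        if len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            reasons.append("invoice numbers are strictly consecutive")
        # 4. Multiple invoices dated the same day.
        same_day = sorted(d for d, c in Counter(day for _, day, _ in rows).items() if c > 1)
        if same_day:
            reasons.append(f"multiple invoices dated {same_day[0].isoformat()}")
        if reasons:
            flags[vendor] = reasons
    return flags
```

On the sample data "Acme Supply" trips all four flags while "Beta Parts" trips none; in practice each flag is a prompt for a human review of the purchase order and invoice match, not a verdict.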
One important tip, which apparently no technology can duplicate: keep the lines of communication open with potential tipsters by following departmental dynamics. “While logistics managers or executives may wield the power to navigate weak controls to perpetrate fraud, they have a harder time fooling those working closely with them. Eventually, they try to get rid of non-conformers or exclude them…” according to Kroll.
Posted in Risk Management