Monday, February 19, 2018

Tip of the iceberg?

The headlines are screaming about the 11000 crore loss of public funds and honest taxpayers' money, and understandably so. There is no doubt that this is one of the single largest cases of fraud that has come to light, I must add. We don't know how many more are hidden in the closets, or should we say bank lockers.
But I am surprised that no one is talking about the 7+ lakh crores of NPAs (doubtful debts) of public sector banks. Isn't that loot of public funds? The 11000 crores in question is only a fraction of this bounty. Why aren't the honest taxpayers questioning this? The RBI has recently rolled out new NPA rules for banks, but is it too late? How did it allow the problem to grow to such huge numbers? I have serious doubts about the quantum of recoverability of these NPAs. If properly investigated, many of these NPAs could turn out to be frauds similar to the case in hand.
Is this a failure of governance and risk management systems in banks or something more sinister?
Coming back to the case in the spotlight, and assuming it is a case of controls failure, let's see what could have gone wrong:
People
- There was no role rotation for the employee for years together
- There was collusion between the manager and the clerk, and possibly a few others in the hierarchy as well
- Bank employees shared passwords of bank systems with bank clients
Technology
- No integration between SWIFT and core banking. There could be other peripheral systems used in banks which have no integration with the core banking platform
- Poor identity and access management systems
Process
- No or ineffective reconciliation between the core banking and SWIFT systems
- Collateral was not taken against the LoUs (Letters of Undertaking)
Assurance & Governance
- Risk Management, Vigilance and Internal Audit did not detect/report any discrepancies in controls
- The HR appraisal system did not detect the discrepancy in job rotation
- Regulatory and external audits also did not find any discrepancies
- The whistleblower system was not effective; suspicions had been reported but no action was taken

There could be more control failures which may emerge during the course of the investigation. If so many controls were either not implemented or ineffective, or even worse, discrepancies were detected and suppressed, then this is a systemic risk and not just an operational risk. If it is a systemic issue, then merely reinforcing controls will not help mitigate this risk; it needs a complete redesign. If we try to retro-fit a modern facade on an archaic architecture, there will always be gaps.
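Several of the process and people failures listed above (SWIFT not reconciled with core banking, LoUs without collateral, no maker-checker separation, no role rotation) are the kind of thing a daily reconciliation job can surface mechanically. The Python below is an added example, not part of the original post and not any bank's actual code: the ledger and SWIFT records it runs over are constructed sample data, the field names (ref, maker, checker, collateral, sent_by) and the collateral and rotation thresholds are assumptions, and a real implementation would read both sides from the respective systems' logs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CoreEntry:
    """A letter-of-undertaking (LoU) booking as recorded in core banking (hypothetical schema)."""
    ref: str
    amount: float
    beneficiary: str   # beneficiary bank identifier (constructed)
    collateral: float  # margin / collateral held against this LoU
    maker: str         # user who entered the transaction
    checker: str       # user who authorised it


@dataclass(frozen=True)
class SwiftMessage:
    """An outbound SWIFT instruction as seen in the SWIFT gateway log (hypothetical schema)."""
    ref: str
    amount: float
    beneficiary: str
    sent_by: str


# Constructed sample data, not real transactions.
CORE_LEDGER = [
    CoreEntry("LOU-001", 50_000_000.0, "BENBANK-A", 55_000_000.0, "clerk01", "mgr01"),
    CoreEntry("LOU-002", 20_000_000.0, "BENBANK-B", 0.0, "clerk02", "clerk02"),
    CoreEntry("LOU-003", 10_000_000.0, "BENBANK-C", 12_000_000.0, "clerk01", "mgr01"),
]
SWIFT_OUTBOUND = [
    SwiftMessage("LOU-001", 50_000_000.0, "BENBANK-A", "clerk01"),
    SwiftMessage("LOU-002", 25_000_000.0, "BENBANK-B", "clerk02"),  # amount differs from core
    SwiftMessage("LOU-004", 30_000_000.0, "BENBANK-D", "clerk02"),  # never booked in core
]
# Constructed role assignments: (user, role, held since).
ROLE_ASSIGNMENTS = [
    ("clerk02", "swift-operator", date(2011, 5, 1)),
    ("mgr01", "forex-approver", date(2016, 3, 15)),
]
AS_OF = date(2018, 2, 19)

Finding = Tuple[str, str, str]  # (finding code, transaction reference, detail)


def reconcile(core: List[CoreEntry], swift: List[SwiftMessage]) -> List[Finding]:
    """Match every outbound SWIFT instruction to a core banking entry and flag
    unrecorded messages, field mismatches, missing collateral, absent
    maker-checker separation, and bookings that never went out over SWIFT."""
    findings: List[Finding] = []
    by_ref: Dict[str, CoreEntry] = {e.ref: e for e in core}
    matched = set()
    for msg in swift:
        entry = by_ref.get(msg.ref)
        if entry is None:
            findings.append(("UNRECORDED_SWIFT", msg.ref,
                             f"sent by {msg.sent_by} for {msg.amount:,.0f}, no core entry"))
            continue
        matched.add(msg.ref)
        if abs(entry.amount - msg.amount) > 0.005 or entry.beneficiary != msg.beneficiary:
            findings.append(("MISMATCH", msg.ref,
                             f"core {entry.amount:,.0f}/{entry.beneficiary} vs "
                             f"swift {msg.amount:,.0f}/{msg.beneficiary}"))
        if entry.collateral < entry.amount:  # assumed policy: full cover required
            findings.append(("UNDERCOLLATERALISED", entry.ref,
                             f"collateral {entry.collateral:,.0f} < LoU {entry.amount:,.0f}"))
        if entry.maker == entry.checker:
            findings.append(("NO_MAKER_CHECKER", entry.ref,
                             f"{entry.maker} both entered and authorised"))
    for ref in sorted(set(by_ref) - matched):
        findings.append(("CORE_WITHOUT_SWIFT", ref, "booked but never sent over SWIFT"))
    return findings


def overdue_for_rotation(assignments: List[Tuple[str, str, date]], today: date,
                         max_years: int = 3) -> List[str]:
    """Users who have held the same sensitive role longer than the (assumed) policy allows."""
    return [user for user, _role, since in assignments
            if (today - since).days > max_years * 365]


if __name__ == "__main__":
    for code, ref, detail in reconcile(CORE_LEDGER, SWIFT_OUTBOUND):
        print(f"{code:<20} {ref:<8} {detail}")
    print("overdue for rotation:", overdue_for_rotation(ROLE_ASSIGNMENTS, AS_OF))
```

Run as-is, the script reports five findings on the sample data (one unrecorded SWIFT message, one amount mismatch, one uncollateralised LoU, one entry with the same maker and checker, and one booking never sent) plus one user overdue for rotation; every one of them maps to a line in the list above, which is the point: none of these checks needs new technology, only that the two systems are actually compared.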

Sunday, January 28, 2018

"Chanakyaneeti*" for Risk Managers

The person who stifles innovation, the control freak, the person who restricts adoption of new and cutting-edge technology, the person who says "NO" to a new business proposition, to Facebook in the office, to BYOD, to downloading and installing freeware... who would that be? Ask anyone and the answer would be: the CISO or CRO or someone in a similar role!

While this is probably the feeling amongst general employees, what do your boss and the senior management feel? A knight in shining armor, defender, guardian, superhero? Nice dreams... Now wake up to reality.

When someone proposes a new but potentially risky solution which is endorsed by senior management, how does the CISO/CRO convince them to take the right decision?
Ideally, the CRO/CISO should provide a way to implement the idea such that the risk is minimized to an acceptable level. However, if the risk cannot be mitigated or minimized, then the CRO needs to put his/her foot down. So what could be the best way to say "NO" and convince the management?

I prefer "Chanakyaneeti", the diplomatic method mentioned in Indian scriptures like the Mahabharata and made famous by the Indian philosopher Chanakya. The method suggests four steps to be used progressively, and I have tried to apply them to the present scenario:

Sāma (Reason): explain the reasoning with logic. It is important to make the organization aware of the potential risk and impact if the solution were to be implemented.

Dāma (Price): assess and present the financial impact in terms of business losses, the top line and bottom line impact the organization may be exposed to, i.e. the price the organization may have to pay.

Danda (Penalty): present the potential regulatory impact in terms of sanctions and fines.

Bheda (Discrimination): the damage to reputation is the most hard-hitting. If customers, partners and employees were to know the risk, would they still want to be associated with you? The probability of customers turning their backs on your organization would hopefully dissuade the management from going ahead with a solution that brings unacceptable risks.

If none of the above works, then we always have the Risk Acceptance Form! 

Friday, December 16, 2016

Are we fully geared up for this digital payment revolution?

Mobile wallets, digital payments and UPI have become daily conversation now. I personally use digital payments regularly. We see posts on social media showing how street vendors and auto rickshaws are now accepting payments digitally. This is definitely a good start and also the best way forward in my opinion, but as a risk professional it is my second nature to look at the possible pitfalls and perils.

"Are we fully geared up for this digital payment revolution?" Let me articulate some of the possible risks and then we can try to find solutions together.

Let's look at the common man first. Yes, he has started using smartphones extensively; even senior citizens and children have smartphones. But are they aware of the "secure" use of mobile / digital payment methods? We are seeing a huge upswing in cybercrimes revolving around social engineering, phishing and vishing scams, debit / credit cards and mobile wallet apps.

Possible solutions – User awareness is key. Security is a topic which should be taught in schools, and public awareness must be drilled in by the government / regulators, banks and the payment service providers.

What happens if I lose my phone, or my phone battery runs out or the app malfunctions, or I don’t get the OTP?

Possible solutions – Don't rely solely on mobile wallets. Keep a debit / credit card as backup. Net banking is another option. Develop Aadhaar-based easy payment systems which do not require the payer to carry a phone or card: "pay with your fingerprint".

What about the apps themselves? Are the apps secure? One of the well-known and widely used apps did not have a password till last week; even now the password is the same as the mobile unlock code / pattern. So if the phone is handed over for repair, one has to share the phone unlock code, which can then be misused.

Possible solutions – We need a secure app standard, regulation and approval process by RBI and security audits immediately. Rogue apps and fraudsters must be dealt with swiftly by the government with help from the appstore / playstore providers. 

What happens in emergencies or during disasters? As we saw during the recent cyclone in Chennai, there was no power to charge the phones or swipe machines. Internet connectivity was inconsistent. What is the plan B in such situations? We still have issues with connectivity and signals in rural areas and even in some parts of the towns and cities depending on the service provider.

Possible solutions – Offline payment options should be thought about, but in such situations, is cash exchange inevitable?

What happens if I make an error and make a mobile payment to the wrong person? What happens if I am a victim of a fraud? Where do I complain? How do I recover the money? What is the grievance redressal system? Can I lodge a police complaint? Will the overworked and already stressed law enforcement mechanism prioritize my complaint of a few thousands?

Possible solutions – Define a simple and standard framework and workflow to address such cases. Empower banks and create a "clearing house" to resolve orphan / failed payments and funds missing in transit. The government needs to strengthen the law enforcement mechanism to tackle frauds.

What happens if some unknown person accidentally / intentionally transfers money to my wallet? Will I be caught in a money laundering trap?

Possible solutions – Again, awareness is key. There should be a simple process to report money laundering which does not antagonize the person reporting the issue. Genuine mistakes should be addressed through the "clearing house". But intentional misuse must be tracked and dealt with swiftly.

Change is good, but every change brings some uncertainty and disruption which most humans are uncomfortable with. By nature we strive for equilibrium, so we need to find this equilibrium ASAP to get the focus back on the progress of our country.

Please feel free to share any solutions you can think of.

Sunday, November 13, 2011

Beyond Network Security - Risks for Financial Services Companies

(Published in "Communications Today" magazine - Nov 2011 issue)       
"Endpoint protection suites that include anti-malware/spyware, personal firewall, and security policy enforcement for VPN connectivity are replacing the basic anti-virus software." Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance

With growing penetration of mobile computing (tablets/mobile phones) and increasing proliferation of Internet access across India, financial services companies are leveraging the online mode of business. However, online transactions are prone to various security threats. Organized crime is targeting this lucrative avenue to make a fast buck.
Application security is one of the most neglected areas, which results in various vulnerabilities, and hackers take advantage of the unprotected websites and transaction portals to introduce malware to unsuspecting users. The unsuspecting users give away their confidential information and fall prey to fraud.
More and more users now access the Internet through wireless networks, freely available at Wi-Fi hotspots in airports and cafes, which are unencrypted and unprotected. These networks are highly susceptible to threats like sniffing and hacking.
Enterprises are under growing pressure to allow BYOD, i.e., bring your own device. This means that employees are allowed to use their personal laptops/tablets to connect to the enterprise network and work on it. While this may help reduce costs to a certain extent, the number of security issues rises manifold.
Most websites now have SSL encryption between the client's web browser and the server. This makes it difficult for perimeter security products such as content filtering and anti-malware to scan the encrypted data and payload exchanged between the endpoint and the server. Hackers use SSL as one of the ways to mask malware like viruses, Trojans, and other exploits and target corporate networks. Organisations cannot block SSL encrypted traffic because most business-critical websites use it.
SSL encrypted traffic can also be misused to leak sensitive data through encrypted email and file-sharing sites. Access to social networking sites also poses risks to the networks and can be exploited as a channel for data leakage.
Attacks like DNS poisoning and clickjacking direct users to malicious websites which look genuine and entice users to part with their credentials, passwords, and other confidential information.
Solutions Implemented By Financial Services
Organisations are deploying sophisticated tools to minimize threats to the network security. Endpoint protection suites that include anti-malware/spyware, personal firewall, and security policy enforcement for VPN connectivity are replacing the basic anti-virus software. Anti-phishing software and toolbars are now being used to warn end-users about malicious and spoofed sites.
In addition to network firewalls, organisations are deploying web application firewalls to protect their websites and portals. Intrusion detection and prevention systems are now the minimum requirement to protect the networks. Apart from these, content filtering tools are also being implemented to allow selective access to Internet content. Wireless networks are being encrypted, and sandboxed virtual terminals are implemented for secure access through personal devices.
Data leakage prevention (DLP) suites are being implemented by many organisations, with a defence-in-depth architecture. A DLP suite includes endpoint agents, network components (email and Internet gateways), and servers. Some DLP software and perimeter security products now allow SSL visibility and control. These minimize the risk of data leakage or malware creeping in through encrypted traffic.
To protect customers from fraudulent transactions and attacks, most financial services companies now use two factor authentication, one-time passwords, and virtual keyboards for their online transactions.
While financial services companies are trying to implement various security measures to minimize the risk, criminals seem to be one step ahead and manage to find and exploit new loopholes or vulnerabilities to defraud the financial services companies and their customers.

Tuesday, August 9, 2011

Changing rules of the game

(published in Express Computer 16-31 July edition and Security Practices Knowledge Center - 2 of CIO Research Center)

In the information security realm, we generally get to hear prefixes like total, comprehensive, best in class, etc. I had never heard the prefix reasonable (in the context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has only come up for debate amongst info-sec professionals.
Privacy is another term which was rarely used in the Indian context. True to the Indian fondness for imported stuff, we were well versed with laws like HIPAA, EU data protection and PCI-DSS. However, we lacked indigenous data privacy legislation.
On 11 April 2011, the Government of India brought about a sweeping change in one stroke with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, thereby changing the rules of the game. Let's examine the significance of this for Indian organizations.

Sensitive personal information
To begin with, organizations will need to understand what constitutes sensitive personal information and analyze the information being collected at various points from their prospective or current customers, partners and suppliers. It may be at the point of acquiring the customer, when doing a promotional event (outsourced to a marketing company) or even in a contest on a Web site. As per the rules, passwords also constitute sensitive personal information. Therefore, if you require a customer or partner to create an account on your Web site with a user id and password, then you are required to comply with these rules, even though you may not be taking any other personal information such as financial details, debit/credit card or bank account numbers, health information, etc.

Privacy policy
All organizations in India, collecting, storing or transferring sensitive personal information will need to put a privacy policy in place and make it available publicly i.e. on the company’s Web site.
A privacy policy should include
  • Commitment to privacy
  • The information collected
  • How and where information is stored and shared
  • Commitment to data security
  • How to access or correct your information
  • Contact details
  • A grievance redressal mechanism
Information collection and retention
Organizations will also need to take explicit permission from the information owner regarding the purpose of usage, in writing, through a letter, fax or e-mail. This could turn out to be a challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled or information is collected online, e.g. during online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear if ticking an "I Accept" box on the terms and conditions of a Web site suffices. If organizations choose to take this consent over e-mail, will this electronic record be held as valid only if it is digitally signed in accordance with the IT Act?
Organizations will be required to educate the information owner on the purpose, the intended recipients as well as the agency which will retain the information that is collected. This means that, if you have outsourced any of your data processing activities, you will need to disclose the names of the outsourced partners who will use this personal information at the time of collection.
Organizations are also required to allow the information owners to review the information that has been stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the Web site.
The information owner can also withdraw this consent (in writing of course) and the personal information will need to be struck from the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their records for a particular period, if required by law. It seems to be a contradiction and this will need some clarification.

Data transfer
If organizations want to transfer sensitive personal information to any other organization, e.g. an outsourced data processing unit, call centre or data centre, then they would need to ensure that such a third party has the same level of security as they maintain themselves. It will be imperative for organizations to mandate the level of security and also ensure that these standards are met by partners through regular audits.

Data destruction
Organizations should not store data for a period longer than is required for providing the products or services unless required by law. Organizations will need to implement secure data deletion processes for all data, including backups stored on tapes, off-site locations, DR sites and, not to forget, the Cloud. They will also need to ensure that data is deleted securely from outsourced partners and their DR sites.

Reasonable security
Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational, and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard, which covers all these requirements. In case the organizations prefer to follow their own security measures, they would need to get their measures approved by the central government.
Organizations will also be required to get their security measures audited at least once a year by an independent auditor approved by the central government. In the unfortunate event of an information security breach, the affected organizations will have to demonstrate to the investigating agency that they had put reasonable security processes in place. However, it is not clear if this will absolve them of their liability.
Checker-board
Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. Nevertheless, these rules should be practical and reasonable in terms of implementation. In their current form, some of these rules pose multiple challenges if they are to be implemented in their true spirit. Again, what constitutes reasonable security will remain a matter of interpretation and this would be an area of major debate in the days to come.

Steps to consider:
  • Analyze if you collect any sensitive private information
  • Draft a privacy policy and publicize it
  • Take consent from information providers
  • Implement reasonable security measures to protect information
  • Ensure that your partners who access or use this information are equally secure
  • Don’t forget to destroy the sensitive information once it is no longer required
  • Get an annual audit done to ensure compliance with reasonable security measures



Friday, July 22, 2011

Child safety in cyberspace

Published in Smart Techie September 2011 issue (www.thesmarttechie.com).  

"Mom, all my friends are on Facebook, why is it that only I cannot have a Facebook[1] account?" My 10-year-old daughter was pleading her case in the Supreme Court. I could already see from the expression on the Judge's face that the case was beginning to tilt in the prosecution's favour without even giving a chance to the defendant. But I was not going to give up this case so easily; I had my defence ready...

Would you leave your child alone in a busy marketplace or on a highway? The child would be prone to all kinds of dangers in the physical world: accidents, kidnapping, molestation. I am sure none of us would do this.

Then why would you leave the child alone on the information superhighway? I have seen many of us do this, unknowingly. 

The Internet has become a necessity in our lives, so much so that the United Nations has declared Internet access a human right. Today the schools are networked, have their own websites, and the homework instructions too are published on the net. Students as young as 4th Grade are expected to log on to the school website on a daily basis. Students are required to browse the net to collect information and pictures for their projects. There is no denying that the Internet has become an integral part of our children's lives. But the fact is that children are at risk in cyberspace if we do not take adequate precautions.

More and more children now have their own cell phones. Children are exposed to text messages, MMS (multi media messages) and can also access Internet, social networks on their phones.

Alice in Wonderland

Inappropriate Content
Children use the Internet to search for information and pictures for school projects. You would be shocked to see the amount of inappropriate information, images and advertisements that are displayed when they search for seemingly innocuous queries and images and click on the links in the search results. Spam messages (including the ones selling blue tablets, exotic names showing interest in knowing you better, etc.) do not distinguish between children's and adults' mail boxes.


Sharing personal information and images

Children share a lot of personal information including the name, address, passwords, information about their family, photographs over email and social networks. This information could be potentially misused for identity theft or other cybercrimes.

Most cell phones now have cameras which can capture photographs and videos. Explicit images / videos can be shared easily over the MMS and through mobile internet.     

Children do not understand the legal implications of creating, storing and distributing explicit photos or videos of minors. If such material is circulated through phones or Internet, children could be exposed to risk of embarrassment, leading to psychological disorders and could impact their studies and social life.

Big bad Wolves waiting for Red Riding Hood

Contact with Strangers

Children may come into contact with strangers on social networks, chat rooms, online forums or email. Strangers could take advantage of the impressionable minds and persuade them into parting with personal information, photographs, videos etc.  Such predators are known to entice children by promising gifts in return for sharing information. The online contact may advance to telephonic contact and finally meeting them in real life – without the knowledge of parents. 

Cyber stalking, Cyber bullying
Bullying is common in schools and on the playground. However, with the advent of technology in their lives, children have also adopted a new form of bullying – online and over cell phones.  The difference is that cyber bullying can occur anytime, anywhere – the child can receive offensive messages while at home over the Internet or SMS.  Derogatory messages or information against a child can be posted over social networks, forums or over chat.  

Predators ask children for their cell phone numbers after meeting them online, since it allows them to contact the child anytime. They can stalk a child and send abusive, threatening SMS or emails.

How do we minimise these risks?

To ensure that your child is safe in cyber space, you need to establish ground rules, monitor use and discuss safety practices with children.  It is important that children trust you and share important information with you about their online activities regularly. Various technology controls are also available to prevent, monitor and detect any problems. 

Awareness and rules
Especially for pre-teens, try to supervise Internet usage personally as far as possible.  Set time limits for Internet use and keep the home computer in an open area like the living room.

Explain to children that they should never give out personal details to online friends. Make them understand what information about them is personal, e.g. home address and telephone numbers, user-ids/passwords, email address, mobile number, etc. They should not share any pictures or videos of themselves, their family or friends, except under your supervision.

If your child receives email from unknown persons, spam or junk mails, remind them never to believe their contents, reply to them or click on any links. They should not open files that are from people they don't know - it could be a virus or an inappropriate photo or video.

Explain the consequences of posting or forwarding inappropriate material online or through cell phones.  It could harm the child’s reputation and his life.

Just as in real life we warn them about interacting with strangers, the same rule applies in cyberspace. They should not talk to strangers in chat forums, accept invites on social networks or respond to SMS or emails from strangers.

It is important for children to know that people may not always be speaking the truth online and that they should not believe everything they see or hear online. If an online friend asks them to meet, they should inform you, and you can arrange for a supervised meeting if appropriate.

As a responsible parent, be firm about not letting your child get access to content that is not meant for their age, e.g. DO NOT let your child have their own Facebook account if they are below the prescribed age limit. There are separate social networking sites especially for children.

Technology can help

Make sure your home computer has updated anti-virus software and there is no inappropriate content on it.
Children should use child-friendly search engines. Alternatively, make sure "safe-search" settings are enabled and locked down in the regular search engines. This can help keep inappropriate content from being displayed while searching for information or images.

If your children have unsupervised access, consider installing "parental control" software. This will help prevent access to inappropriate content as well as help you monitor the online activity of children. If your child has a cell phone, consider getting an itemised statement, which can help identify any specific / unknown numbers which are calling / messaging frequently and at odd hours.

Magic wand
The magic wand is “TRUST”.  If your child trusts you, they will talk to you if they have had any problem in cyberspace – just as they would talk to you about any problem in school or on the playground. Children should know that it's never too late to tell if something makes them feel uncomfortable. So it is important for you to build the bridge of trust, which can keep the child safe from any evil spells! 

P.S.:  After hearing my defence, my Supreme Court ruled that we settle the matter out of court – so finally my daughter did get her account – but on a social network site specially created for children…






[1] As a policy, Facebook allows only individuals above the age of 13 to create an account.

Wednesday, July 13, 2011

Security Metrics: Demonstrate the Business Value

"The top management doesn’t want to listen to a technology speech. Show them trends and measurably demonstrate the business value of the various controls put in place"
What does the management look at, in the money spent by the company’s information security specialists on various controls?
Our company, Bharti AXA General Insurance Company Ltd., is a general insurance joint venture started about three years ago, and right from the start I have been interacting extensively with the business side of the company. We were late entrants into the insurance market (probably the 16th entrant), there were giants ahead of us, and the shareholders wanted to get into the top five within a five-year time frame.
Every time I went to the management to get budget approvals for information security, the questions were very different from what I had faced earlier. The management would say, 'Fine, we'll give you the money, but tell us how this will help us get into the top 5 slot in the insurance market?' I would get stumped, thinking I'm talking about security and controls, but the management needs to know how that will help the company meet its objective.
Balanced Score Card: Such questions prompted us to attempt a balanced-score-card approach to demonstrate the value at risk to our business colleagues. Our company's mission is to become the preferred general insurance provider for our customers, partners, employees and shareholders. The balanced score card talks about finance, employees, learning and growth, and customers, which puts our mission statement in alignment with the score card quadrants. That's how we got the idea to use the score card approach to show how information security is adding value and contributing to the company's growth.
Every department had to come up with their goal sheets in line with the mission statement. The Information Security team also did the same. While not exactly following the score card methodology, we looked at how we can add value to shareholders, partners, and customers.
Metrics: What did we measure? Instead of the normal way of counting incidents or user IDs created or deleted, we tried to give them a business value number for what is at risk. How does one match security metrics with the top line and the bottom line for every single security incident? We presented this from a finance and business perspective.
For example, if the company's website went down for a certain period, customers would not be able to buy online policies, which would hit the top line. Tracking the number of customers who generated quotes using the site would then be an indicator, as the ratio of quotes generated to actual conversions to policies sold is known. While this isn't a fool-proof system, and has a lot of assumptions, it still yields a way to value risk to business.
If we don't have log monitoring, firewalls, IPS, IDS and so on, what would be the value at risk? From a regulatory and compliance point of view, the auditors from the Insurance Regulatory Authority of India tend to look at the steps we've taken from the perspective of customer protection, which again plays into the idea of figuring out what's the value at risk and how the score card will be affected by the absence of certain IS measures.
Business executives look for trends of the form 'where were we six months ago, what is our position today and where do we want to be two quarters down the line.' Finding a way to show measurably which way the risk to the business is moving before and after putting various controls in place will help CIOs get the backing of their business colleagues.

CTO Forum is happy to present this opinion piece by Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance Company Ltd., in continuing our efforts to bring you expert opinion of substance from peers and specialists.

Bring out the value at risk in both the top line and bottom line, and your information security plans will get the business backing, says Parag Deodhar, CRO of Bharti AXA General Insurance Company.
