Payment Card Security & IT Controls Explained

Entries categorized as ‘Risk Management’

NEW Fraud Survey - Identify Impactful Internal controls

July 7, 2008 · No Comments

In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 edition has been the de facto standard for quantifying fraud exposure and prioritizing risk-mitigation efforts. There is no substitute for reading the full report, but I will highlight three areas below: Audience, Nuggets, and Action items.

Audience:
The report is written for those who carry fraud responsibilities within the organization and for those who own assets worth exploiting. Beyond the obvious fraud professionals, the audience I see includes:

  • Chiefs - CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
  • Business Owners - VP, Directors
  • Team Leaders - of small teams

Nuggets:

  • 67 pages of findings summarize 959 cases of occupational fraud
  • 7% of annual revenues are lost to fraud (up from 6% two years ago)
  • In the U.S. that is approximately $994 billion in fraud losses
  • 25% of the frauds in the sample caused a million dollars or more in damages
  • Tips detected 46.2% of all frauds, more than any other method
  • Small businesses suffer fraud more frequently (39.1% of all cases) and with larger losses (nearly double those of a public company)
  • Independent audit of financial statements was the most common control in place, yet among the least effective at limiting fraud losses; organizations that rely on it are confusing perceived accountability for fraud detection with actual accountability
  • Most effective controls: internal audit, surprise audits, management review of internal controls, and fraud hotlines

Action items:

  • Re-prioritize internal controls to address fraud, weighting them by measured effectiveness rather than by how common they are
  • Identify which roles are truly accountable for fraud detection (i.e., resolve the perception vs. reality conundrum above)
  • Train employees in fraud recognition, and in the safeguards (whistleblower policies) and reporting mechanisms (confidential hotlines) available to them
  • Institute a mature process that follows up on every lead completely and objectively (fraud losses grow over time, so quickly shutting down an identified fraud pays off strongly)
  • Establish surprise audits and mandatory job rotation

Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Its findings can be adopted today and will remain relevant for years. In addition, the ability to replace subjective values in risk calculations with measured figures is tremendous.

Kind regards,

James DeLuccia IV

Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston.  My session on Best and Worst IT controls is on Monday!

Categories: Compliance · IT Controls · ROI · Risk Management · audit · regulations

Integrating Enterprise Risk Management Structures, Roles

June 2, 2008 · No Comments

Structuring and maintaining an integrated risk management process can be daunting, and despite the tremendous amount of documentation surrounding the topic, most organizations are still in the early years of maturity. A common challenge is the identification of roles. The assignment of roles depends greatly on the structure and culture of your business, so any method you adopt must respect those unique attributes. While developing a structure for a client I came across ENISA’s efforts and found them quite practical.

Classic roles for integrating risk management with operations must include:

  • Senior Management/Board of Directors
    • This role is accountable for establishing Risk Management in the organization, defining the basic participating roles, creating and communicating risk awareness, as well as deciding on the degree of risk tolerance of the organization. The Senior Management will not be directly responsible for any of the Risk Management processes (since it does not execute them) and hence does not appear as a role in any of the swimlanes in the model.
  • Risk Manager
    • The Risk Manager is chiefly responsible for the definition, structuring, implementation, and coordination of Risk Management in the organization. The Risk Manager can be an individual or a group, which may be hierarchically organized (local, global Risk Manager).
  • Risk Owner
    • The Risk Owner is usually an officer in a business unit/functional unit. The Risk Owner is responsible for dealing with risks in his business unit. The main task of this role is to implement Risk Management processes according to the guidelines defined by the Senior Management and the Risk Manager. Often the role is assigned to the same person as the role Domain Expert (especially in smaller organizations), due to a flat organizational hierarchy.
  • Internal Audit
    • Internal Audit is responsible for monitoring the Risk Management processes. Events are being tracked and the processes are being evaluated towards the background of the previously created Risk Management plans.
  • Domain Expert
    • The role Domain Expert is responsible for assisting the management of risks by delivering input from a specific domain perspective (consulting role). His special knowledge about a particular domain in the organisation serves as a basis for identifying and treating the specific risks in that area. Additionally, the role participates in the process of monitoring the risks. The Domain Expert may be an internal or external (consultant) person. Due to his role specification he will not be responsible for any of the Risk Management processes and hence not appear as a role in any of the swimlanes in the model. Often the Domain Expert role is assigned to the same person as the Risk Owner role (especially in smaller organisations), due to a flat organisational hierarchy.

The ENISA RM/RA Framework is presented as HTML exported from ADOit, which lets users navigate but not edit the contents. Check out ENISA’s site to see the output. Organizations should consider the steps required to construct such a visualization properly: identifying the processes, determining the flow of information between the activities, and finally relating data to activities. This simple exercise will rapidly mature your organization’s understanding of cross-dependencies and criticality, while providing a method of communication.

Best,

James DeLuccia

Categories: Compliance · IT Controls · Risk Management

IT Compliance and Controls - Best Practices for Implementation, by James DeLuccia IV

April 4, 2008 · No Comments

The new book is HERE!!!

Here are two quick shots taken while opening up the first shipment of books! Below the pictures I briefly sum up the intent of the book. Of course, the major book sellers present it better, and you can read the entire back covers and inside flaps here.


A brief overview:
Over the past year and a half I have been putting together a book with the magnificent crew at John Wiley & Sons Publishing (a company that is over 200 years old - a point that makes sense if you skim my final closing chapter). I have had a tremendous amount of help from friends, colleagues, companies, and numerous industry and government enforcement groups. My family was especially kind while I put together the book - allowing me to lock myself in my office while I sought to simplify the book to ultimately become:

A global synthesis of how society and business have progressed over the past 100 years to integrate information technology, and of its relative importance to business. The work is based on an analysis of over 140 separate public frameworks, laws, audit reports, and numerous guidance documents, plus personal experience auditing and assessing over a million systems around the world. This effort resulted in an identification of key principles that represent the best practices globally competitive organizations must adopt to balance the risks and rewards of operating in the 21st century. An action plan is designed to enable businesses to evaluate their important controls and consider the next 100 years.

A great deal of time is spent exploring PCI DSS, NERC, SOX, FFIEC, and their related controls, along with some interesting challenges related to virtualization, grid computing, and the implied reliability of the Internet backbone. Thank you for taking the time to visit and contribute to this forum; your feedback and future comments on this site are welcome.

Kind regards,

James DeLuccia

Categories: IT Controls · Payment Card Industry Data Security Standard · ROI · Risk Management · regulations

MultiFactor Authentication for Merchants?

January 17, 2008 · 1 Comment

Kevin Funnell wrote a great piece recapping an American Banker article on the impact of banks meeting the FFIEC multi-factor authentication deadline of January 1, 2007. Thankfully many organizations adopted these requirements ahead of the hard deadline, and overall fraud rates have plunged. Key points from his write-up that jump out at me:

Great Success:

“fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication”

This supports the case that multi-factor authentication is beneficial and should return immediate gains to the organization, both financially and in public goodwill.

Escalation continues:

“increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information”

An important reminder that once one channel is hardened, attackers shift to another; the target is STILL the data, so the data stores themselves must be secured and monitored regardless of which channel is being worked.

What truly resonates with me is the amount of fraud eliminated by introducing a single control. The economics and technical feasibility of this control are well understood and not complex. I feel there is a huge opportunity for online merchants, which unlike banks are not subject to the FFIEC guidance, to fully embrace this control and the technology behind it. PCI DSS Requirement 8.3 mandates two-factor authentication for remote access to the network by employees, administrators, and third parties; it does not (today) extend to consumers logging in to a merchant’s site.

A good set of studies on multi-factor authentication usefulness and applicability can be found here, here, here, and here.

Updated: Great breakdown of multi-factor approaches and analysis by Karim Zerhouni, Senior Manager at BearingPoint.

Fraud erodes business profit margins and disrupts consumers’ lives. Reducing cost while improving the consumer experience is a best practice in any economy, nation, and industry.

Best,

James DeLuccia

Categories: CoBIT · Compliance · IT Controls · Multifactor · PCI DSS · Payment Card Industry Data Security Standard · ROI · Risk Management · fraud · information security

PCI DSS Approved Scanning Vendor (ASV) Shame…

January 11, 2008 · 1 Comment

Is your ASV really getting the job done? I spent several years working with organizations building their automated remote scanning systems and fought the good fight as prices for remote PCI DSS scans plummeted. It became very evident within the first 6 months that vendors who fully automated their systems were winning the battle. What always baffled my teams was that we ALWAYS found weaknesses in customer systems when they switched over to our services, even after having been declared “compliant” by these automated vendors.

So the recent news of ScanAlert customers being hacked while “compliant” (no disclosure has been presented to indicate whether they were compliant at the exact moment the breach occurred; updates will be added when available), and several posts highlighting similar inconsistencies, is not news to me or my colleagues (Jeremiah has a nice write-up on this). The fact is we left that market due to economics: I couldn’t cover the cost of the scans. Over the past few years I have enjoyed the other side of the coin and have been supporting companies in an advisory fashion, meaning I help them understand their business needs and the risks involved, and work through solutions that are best for the company. Usually the cheapest vendor is NOT the best solution.

The one fact I want to pass along, given all the unfortunate merchants who have suffered a breach, is that you must evaluate your own security precautions. It is the duty of the executives in every corporation to ensure there are proper safeguards protecting the company and its stakeholders. When a service provider delivers a service, this includes ensuring that:

  • The service is of sufficient quality
  • The service is implemented and operating as required (remote scans must be given complete and direct access to your online properties; the scanner’s source addresses must not be filtered or altered by load balancers, IPS, firewalls, or similar devices, otherwise the scan is testing the filter, not your application)
  • Staff perform regular quality checks (i.e., conduct your own web application assessment and compare the results; if the provider is not identifying threats and is only supplying a check box, it is in everyone’s best interest that you find another provider)
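One quality check that costs nothing is to confirm, from your own web server logs, that the vendor’s probes actually reached the application during the claimed scan window rather than being answered by an IPS or WAF block page. The following is an added example (not code from the original post or from any scanning vendor): the scanner source range, the scan window, the log lines, and the “more than half blocked” threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical source range the scanning vendor says its probes come from; a real
# ASV publishes its own ranges, and every filter in front of the site must allow them.
SCANNER_RANGES = [ip_network("198.51.100.0/24")]

# Assumed scan window, as reported by the vendor.
WINDOW_START = datetime(2008, 1, 12, 2, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2008, 1, 12, 3, 0, 0, tzinfo=timezone.utc)

# Constructed Apache combined-log sample. Three of the four in-window scanner
# probes receive the same 210-byte 403, the signature of a block page answering
# instead of the application; the last line is scanner traffic outside the window.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2008:02:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Scanner/1.0"
198.51.100.7 - - [12/Jan/2008:02:00:02 +0000] "GET /admin/ HTTP/1.1" 403 210 "-" "Scanner/1.0"
198.51.100.7 - - [12/Jan/2008:02:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 210 "-" "Scanner/1.0"
198.51.100.7 - - [12/Jan/2008:02:00:04 +0000] "GET /login.php?id=1%27 HTTP/1.1" 403 210 "-" "Scanner/1.0"
203.0.113.9 - - [12/Jan/2008:02:00:05 +0000] "GET /index.html HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2008:05:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Scanner/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Yield one record per well-formed combined-log line; skip anything that does not parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": ip_address(m.group("ip")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "size": m.group("size"),
        }


def scan_coverage(text, scanner_ranges, start, end, blocked_statuses=(403, 406, 429, 503)):
    """Tally scanner requests inside the window and how many look filtered by an intermediary."""
    stats = {"requests": 0, "blocked": 0, "paths": set(), "block_sizes": set()}
    for rec in parse_log(text):
        if not any(rec["ip"] in net for net in scanner_ranges):
            continue
        if not (start <= rec["ts"] <= end):
            continue
        stats["requests"] += 1
        stats["paths"].add(rec["path"])
        if rec["status"] in blocked_statuses:
            stats["blocked"] += 1
            stats["block_sizes"].add(rec["size"])  # one size for all blocks = one canned block page
    return stats


def verdict(stats, max_blocked_ratio=0.5):
    """Assumed policy: no scanner traffic, or more than half of it blocked, means the scan did not test the app."""
    if stats["requests"] == 0:
        return "NO_SCAN_TRAFFIC"
    if stats["blocked"] / stats["requests"] > max_blocked_ratio:
        return "FILTERED"
    return "OK"


if __name__ == "__main__":
    result = scan_coverage(SAMPLE_LOG, SCANNER_RANGES, WINDOW_START, WINDOW_END)
    print(result["requests"], "scanner requests,", result["blocked"], "blocked ->", verdict(result))
```

A “FILTERED” result means the compliant report you were handed describes your IPS, not your web application; fix the allow-list and have the scan re-run before trusting the certificate. A single shared response size among the blocked requests is the quickest tell that a canned block page, rather than the application, was doing the answering.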

The end result of this flight from ineffective scanning providers is a stampede to quality and a return of balance in the necessary delivery of skilled assessments. Challenge your perceptions and question the assumptions of your security program for the good of your company and my sensitive information.

Thanks to Jeremiah for a great post on this topic.

Update: May I recommend alternative Approved Scanning Vendors for your reference.

Kind regards,

James DeLuccia

Categories: Compliance · Governance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Risk Management · Security · audit · information security