A great piece was written up by Kevin Funnell recapping an article in the American Banker on the impact of banks meeting the FFIEC Multi-Factor Authentication deadline of January 1, 2007. Thankfully many organizations adopted these requirements prior to the hard deadline, and overall fraud rates have plunged. Key points in his writeup that jump out at me are:
“fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication”
This supports the case that multi-factor authentication is beneficial and should provide immediate returns to the organization, both financially and in public goodwill.
“increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information”
An important point: threats can come from different angles, but the target is STILL the data, so we must do a thorough job of securing and monitoring those data stores.
What truly resonates with me is the amount of fraud reduced through the simple introduction of a control. The economics and technical feasibility of this control are very understandable and not complex. I feel there is a huge opportunity for online merchants, who unlike banks are not subject to the FFIEC, to fully embrace this control and the necessary technology. PCI DSS mandates under Section 8.3 that administrators, employees, and third parties use two-factor authentication when accessing data remotely – this does not apply (today) to consumers.
A good set of studies on multi-factor authentication usefulness and applicability can be found here, here, here, and here.
Updated: Great breakdown of multi-factor approaches and analysis by Karim Zerhouni, Senior Manager at BearingPoint.
Fraud is an issue that impacts business profit margins and disrupts consumers’ lives. Reducing cost and improving the consumer experience is a best practice in any economy, nation, and industry.
This is a positive theme that is occurring around the country and throughout various consulting firms. Deloitte also recently highlighted the challenges and opportunities that exist across the executive and technology branches of the organization. An interesting point highlighted by DT is that the CIO is currently not perceived as the executive over information, but rather as a technology manager. This focus on gears and switches will shift as the role and the requirements of the business evolve. This is consistent with the shift seen in the CFO suite, where greater focus is placed on strategy and less on controller-type activities.
A recent study was released that highlights the information intelligence and satisfaction of the Executive, the Board, and the rest of the C-Suite.
The article can be found here:
“In a partnership with Gartner, the Wharton now offers high-level CIO education with a focus on the CEO-CIO relationship.”
By John Soat, InformationWeek Bank Systems & Technology
As the hundreds of non-RSS readers know, a few days ago I switched the theme of this site to a simpler and easier-to-read layout. So, if you were tired of the dark fonts and murky background, please come by and let me know your feedback. I will still focus on PCI DSS, of course, but will be continuing to expand the topics covered on this site to include global IT control regulations. What does that mean? Well, any standard, whether U.S., EU, or from anywhere else, will be given some room. I will attempt not to merely repeat the obvious when news breaks, but instead focus on posting intelligent perspectives on the changes around the world.
Another change to the site is the “NEWS Feed” on the right-hand side of this site. Please check it out, and feel free to subscribe to it as an RSS feed too. The NEWS Feed is my filter on what is important around the globe on the above topics. I sort through literally hundreds of posts, news items, client emails, and service provider information in an attempt to clear out the noise.
It is a new year (my fiscal year clearly is not following the Dec 31 date), and the plan for this site is simple: keep posting helpful information whenever possible, and don’t simply post to post. On a personal note, I will update the Press Release and About pages soon – and look forward to everyone’s comments and suggestions.
James DeLuccia IV
A recent study conducted by Javelin Strategy and Research has determined that fraud is down by 11.5% compared to 2005. The total damage from identity theft and related fraud totaled $49.3 billion, compared to $55.7 billion in 2005. This finally shows a measurable impact from the incredible efforts of corporations and average people who have become more vigilant about security and sensitive information.
A contributor to this decline may be that “Nationwide, there were about 500,000 fewer victims”, but 2007 may trend higher given the magnitude of the TJX breach.
Unfortunately, $49,300,000,000 is still a tremendous cost; on an ROI basis there is plenty of room for improvement while still managing a healthy return.
ISACA published an IS Auditing Guideline on defining and measuring ROI or ROSI (Return on Security Investment). The publication describes several usable equations and starting points for creating a measurement program. Below are my comments on the most important points and some commentary on those provided. This publication, unfortunately, is not the be-all guide, nor does it truly address the reader’s need for a plan on implementing such a valuation program. Any comments beyond the referenced sources, offering additional starting points, would be appreciated.
Establishing metrics is the first task:
These should be based on events that occur consistently and are measurable. The metrics should reflect the organization’s use of technology and focus on important aspects of the infrastructure.
Capture information on the existing user experience:
Develop and distribute a survey that pointedly asks the users to grade their experience on specific measurable concerns. An example would be “How often is the mail server unavailable for more than 10 minutes? Daily, Weekly, Monthly.”
These surveys provide an indicator of user perception and experience. Data pulled directly from the systems through system-to-system testing and tracking is preferred, but it is better suited to tracking going forward; surveys allow for immediate benchmarking and measurement.
The insurance conundrum when measuring value for security products:
Security is a risk management method for loss prevention. Like insurance for your car, it is a cost paid today against an event that may occur to the enterprise in the future. The cost of insurance fluctuates (usually up and rarely down) and roughly follows the trend in risks. If, for instance, an owner moves from a farm to the city, their insurance costs will rise, because losses occur more often there. Similarly, in the security world, the fact that we have implemented a security solution today does not mean incidents will stop; they may still increase. The truth is that the damage would have been worse without the action, but prevention is hard to prove, and in hindsight it never looks as rosy as we would prefer.
Consider the ideal situation for a bank: install a super-security application (for example, a security guard), and the logs (the security journal showing no physical bank robbers waving guns) show no incidents. Why pay the maintenance costs (the guard’s salary)? Did the super-security tool prevent all the losses, or has the criminal world simply moved from holding up your bank in person to digital attacks? The answer is that you need both: remove the guard and that becomes the simpler path of attack; add more security and force a more complex attack vector.
Remember – the blackhat hackers, criminals, mobs, and cartels are calculating their own ROSI, and will only put forth the effort to attack along a path if there is a healthy return. Our motivations mirror theirs; therefore, knowing our adversary, we can put in place mechanisms of a sufficient degree to achieve a reasonable security posture that respects the value of the assets within and allows continued success as a business.