© Copyright 2006 CyberRAVE LLC. All rights reserved. Confidential Information. Please do not distribute or reproduce without permission.


Post on 28-Dec-2015



CyberRAVE

The Case for Data Insurance

By Joseph A. Sprute


About CyberRAVE

• CyberRAVE is an Arkansas, USA Limited Liability Company, originally formed in 1996. CyberRAVE provides a host of media, marketing & consulting services for companies in divergent markets internationally.

• President & CEO, Joseph A. Sprute has worked with individuals and groups to conceptualize and develop marketing strategies that address data security and information privacy needs.

• CyberRAVE manages a cognitive domain name library of topical URLs representing vertical markets and secure/private online communications.

• CyberRAVE research has exposed an increasing need to insure against instances of loss resulting from the use, storage and management of data assets. This (insurance) need is met by the demand for security, information privacy and regulatory compliance.

• CyberRAVE anticipates a Member services role helping construct and manage public-facing content and media materials relating to institutional Data Insurance and “Certified Secure” initiatives for communities of interest.


Overview

• Description: Quasi-Governmental Company to act as Certificate Authority for Insurance Underwriters

• Problem: Regulated companies are at a loss to define how to avoid the latest electronic risks and remain competitive

• Solution: Develop and run a risk management services company aimed at providing insurers analytical data relating to the “condition” of an insured user's data assets

• Service Description: Real-time logistics and transaction monitor for customer-facing information management systems (virtual surveillance system collects metadata used for calculating risk premium and managing “compliance”)

• Key Products: (1) Risk Premium Calculator, (2) Secure Metadata Communications Grid


Business Intent

• Programmatically Couple Enterprise Risk Management with Computer Assisted Audit Technology.

• Provide Network Data Compliance and Insurability for “Certified” environments.

• Underwrite and sponsor new lines of insurance products for corporate customers.

• Foster a business culture that mitigates network data threats and vulnerabilities.


Business Case

• Companies need additional risk coverage for network data systems.

• “Certified” products & services establish a framework for optimized business performance.

• Companies will benefit using compliant systems that have key insurable components.

• The baseline for defining risk associated with Network Data is raw data.


Charter

• Offer network members the ability to insure against known risks associated with their corporate data.

• Offer relevant and timely insurance coverage for data related assets.

• Protect the public domain through sponsored “Certified Secure” activities.


Data Insurance

• Pilot program in Arkansas aimed at National and International customers of regulated industries.

• Public & Private sector initiative to establish a system for “Insuring” institutional data assets.

• Protects network “Owners” from risks associated with compliance, data integrity, management, recovery and non-repudiation.


Trusted Authority

• Quasi-Governmental

• Director Boards built from Industry Luminaries, Business & Gov’t Leaders

• Insurance Underwriting supported by State & Gov’t Acts

• Industry Sponsored Memberships & Events

• Standards Governed


Public & Private Sector Cooperation

• Scaleable Risk Management System

– Data Silo-to-Enterprise

– Threats & Vulnerabilities Control

– Measurement

– Actuarial Data

– Calculations & Algorithms

• Insurance Underwriters

• Regulated Industries


Risk Conversion

• Data Context

• Storage & Handling

• Asset Valuation

• Threats & Vulnerabilities Mitigation

• Risk Management

• Insurability


Certification Program

• Assessment

• Compliance Goals

• Transparent Accounting

• Threats & Vulnerabilities Management Systems

• Automated Reporting & Remediation


“Certified Secure”

• People, Process & Technology

– Assessment

– Policy Development

– Risk Control

– Accounting & Reporting

– Audit Verification


Description of Insurability

• Certified Secure

• Approved Providers

• Transparent Accounting System

• Continuous Environmental Monitoring

• Automated Reporting and Remediation


Process Efficiency

• Transparent Tracking, Reporting, and Intelligence

• Accounting & Audit Trail (GAAP)

• Data Management

• Regulatory Compliance

• Risk Management

• User/Group Policy Manager

• Accurate means to value “Data”


Industry Benefits

• “Certified Secure” Services Provide

– Regulatory Compliance

– Transparent Accounting (Fully Auditable)

– Automated Reporting and Remediation

– Secure Public and Private Information Sharing Network

– Ability to Insure Data Assets

– Trust Mechanism for eTrade etc

– Skilled Jobs

– Critical Infrastructure Protection

– Economies of Scale


Operational Requirements

• Depends on the availability and use of existing resources relative to corporate objectives and regulatory mandates.

• Initial assessment is designed to spell out deficiencies and generate clearly articulated recommendations towards remediation.

• Final operational issues are defined by specific insurance coverages.


Risk Premium Calculator

• Collects metadata from Insured Customers including compliance measurements and risk metrics.

• Monitors “Metadata” for anomalies defined by security standards and User/Group policies.

• Uses Compliance Guidelines to generate Risk Metrics and initiate any escalation process.

• Uses intelligence gathering techniques to form analytics needed to calculate risk premiums.


Secure Communications Metadata Grid

• Advisory Group Oversight

– Common “Language” (Semantic Ontology)

– User/Group Policy Framework

– Business Rules

– Escalation Procedures

– Regulatory Parameters

• Strengthens Critical Infrastructure

– Real-time situation awareness of condition and state of institutional threat readiness.

– System for reporting “Sensitive” (not classified) information.


Metadata – Data about Data

• Focus is gathering real-time “Situation Awareness” using control points to describe the protective condition of a user environment.

• Reporting Initiative combines public & private sector metadata using standards and control points for insurability.

• All pertinent data remains with (and under the control of) the insured User/Group customer unless required by law.

• Raw data is contextualized (converted to metadata), stored and protected inside originating User/Group environments.

• Insured User/Groups share related metadata over a private network in accordance with pre-defined User/Group policies, insurance guidelines and laws.


Public & Private Sector Cooperation

• Risk Managed Communications Grid

• Certified “Insurable” User Environments

• Boards of Directors

– Wired & Wireless Communications

– Insurance Actuaries and Resellers

– Regulated Industries

– Legislative Bodies


Quasi-Governmental

• Boards Represented by both Public & Private Sectors

• Member Controlled Data Exchanges

• Compliance Certification

• Security Rating

• Insurance Rating


Insurability Goals

I. Actuarial Components

II. Risk Metrics

III. Application Environment

IV. Module Integration

V. Systems Integration

VI. Certification Programs


I. Actuarial Components

• Risk Classification

• Unknown Risk

• Threats & Vulnerabilities Assessment

• Risk Controls

• Price Variables

• Price Drivers


II. Risk Metrics

• Asset Profile

• Asset Valuation

• Variable Risk Factors

• Risk Calculations

• Decision Support

• Risk Minimization


III. Application Environment

• Systems & Platforms

• Actuarial Reporting

• Regulation Compliance

• Account Management

• Customer Use


IV. Module Integration

• Beneficial Uses

• Change Management

• Application Environment

• Administrative Support

• Training

• Sales


V. Systems Integration

• Business & Technology

• Sales & Marketing

• Legal & Administrative


VI. Certification Programs

• Coverages

– Employees & Processes

– Data & Information

– Legal & Jurisdiction


Coverages

• Transaction

• Disaster

• Employee

• Legal

• Privacy

• Regulatory


Assessment

• Asset Profile

• User Environment

• Actuarial Components

• Risk Metrics

• Compliance Standards

• Goals & Expectations


Accounting

• Asset Inventory

• Liability Assessment

• Controls

• Reporting & Transparency

• Certification


System Hardening

• Data

• Networks (Public/Private)

• Communication Methods & Systems

• Information Management Systems

• User Environments

• Users & Groups Compliance


Scope of Audit

• People

• Processes

• Technology


Players

• State of Arkansas

• Business Interests

• Insurance & Finance Trade Groups

• US Government


Marketing

• Virtual Private Network Service Provider

• eTrade Logistics and Transactions Services

• Arkansas-Based Pilot

• State Legislative Support for Corporate Data Insurance Law

• National Lobby to Establish Insurance Reform for Regulated Industries


VPN Domain Name Library

• CyberRAVE managed domain name library

• The “VPN” Acronym is Associated with Secure Communications (and Privacy) everywhere in the World. Note: Frost & Sullivan defines “VPN” as “Resource Gateway”

• Cognitive (Easy to Remember) domains include primary industries, military branches and related technologies + “VPN.com”

• COI Architecture provides for distributed remote access public-facing User/Group Portals

• Search Engine “Friendly”

• Would support Wireless and Hands-Free environments with Keyword (Voice) Navigation system


Future Expansion

• Licensing of “Certificate Authority” to qualified organizations

• Vertical Market Approach (focus on Regulated Industries)

• Legal Support for Cross-Jurisdiction

• Multi-National Business Sponsorships

• Secure Reporting Networks (Grid)


Foundation for National Information Security Initiative

• Way to get public and private sectors working together to share information.

• Way to protect valuable data assets for consumers up and down the supply chain.

• Way to enforce compliance.

• Way to enable US business to compete more effectively in global eTrade environment.

• Way to establish Trust Mechanisms needed between operators in regulated industries.


International Vision

• Companies worldwide should have access to a global network of “Trusted” solution providers who can tailor services to comply with ISO standards for metadata reporting and compliance.

• Establishing a secure link between two or more parties should rely on the recognition of being “Certified Secure”, whereas the ability to insure against potential loss exists.


Expense Outlook

• Company Formation

• Board Development

• Plan Development

• Product Development

• Sales & Marketing


Revenue Opportunities

• Systems Certification

• Managed Services

• Events & Seminars

• Sponsorships

• Training

• Consulting

• Certificate Authority Licensing


Customer Outlook

• Arkansas Financial Institutions

• Arkansas Bankers Association


Strategic Partnership

• Accuvant

– Network security experts

– Practice areas aligned with critical needs

– AccuCERTT compliance application

• Arkansas Insurance Board

• Arkansas Bankers Association

• Arkansas Government

• Department of Homeland Security


Development Areas

• Product & Services

• Vertical Markets

• Advisory Groups

• Insurance Underwriting Metrics

• Certification – Compliance, Insurability

• Certificate Authority – Digital Democracy

• Legislative Support


Thanks!

CyberRAVE LLC

Joseph A. Sprute, President

Web Address: http://www.cyberrave.com

This Presentation: http://cyberrave.com/hutchinson

Physical Address: 33 Westbury Dr., Bella Vista, Arkansas 72714

479-876-6255 (Office)



Questions?