Integrated Safety, Security & Surveillance
DESCRIPTION
Security & Risk are TWO sides of the same coin. The Risk side, touted as GRC, is the opposite of i3S (Integrated Safety, Security & Surveillance). Even Homeland Security could learn something from us.
TRANSCRIPT
i3S
White Paper & Solution(s) options © Casper Abraham, FEB 2010 http://www.edgevalue.com
Email : [email protected] Cellphone : +91 98450 61870
i3S Integrated Safety, Surveillance & Security
Physical, Virtual, People, Cash & Information Security
Base of Experts, Advisory, Staffing & Consulting.
The Firm
Software, Backend, Tool & Platform
Business Model, Methodology, and System(s)
Full-range services in Governance, Risk & Compliance
Systems Integrators
i3S
General
i3S List of NATURAL Hazards
• Displaced Persons
• Drought
• Earthquakes
• Epidemics and other Health Threats
• Extreme Temperatures
• Floods
• Global Climate Change
• Hail
• Hurricanes and Tropical Storms
• Infestations / Invasive Species
• Landslides
• Power Outage
• Structural Fire
• Technological Hazards / HAZMAT
• Terrorism and Civil Hazards
• Thunderstorms and Lightning
• Tornadoes
• Wildfire
• Winter Snow / Ice Storms
i3S List of MAN-MADE Threats
• Vindictive Behaviour: weapons (firearms, chemicals, explosives); hostage situation; dacoity; ideological, psychological and behavioural situations.
• Selfish Behaviour: petty theft; white-collar entry; identity theft / fake identity; fudged paperwork / documentation; unauthorised vehicles vs changed licence plates; removal of assets.
• Co-operative Behaviour: cartels of security + staff + others; lax systems, with neither audit nor oversight.
i3S Aspect. It's about:
1. Choice. Better to be ‘safe’ than ‘sorry’.
2. Insurance. If nothing is going to happen … you don’t need it.
3. Uncertainty. An attempt to predict / quantify the future.
4. The opposite of ‘risky’ is ‘secure’.
i3S Priorities
1. Databases.
2. People logins.
3. Remote access.
4. Storage & Backup issues.
5. Down & Repair related issues.
i3S Two sides of the same coin
Risky …
• Greed
• High risk – high rewards
• Force Majeure
• Requires insurance
• Contingency & backup plans
• Exit options
• Speculation vs gambling
• Unknown threats / weaknesses
Security …
• Safe
• Average returns
• Known threats / weaknesses
i3S Today's Reality
Event, Incident, Crime: an observable ‘physical’ or ‘virtual’ action takes place.
Investigation: modus operandi, witnesses, suspects, evidence, forensics, motive, detective work, legal or illegal. Law & Constitution. Police. Courts. Jail.
Intent to destruct. Sixth sense. Intuition. Suspicious. Pattern.
Intelligence gathering. What if … and IF. Word & observations of others. Behavioural patterns. Prepared to die. PROFILING.
i3S Track the WHOLE population?
1. Create / identify, train, motivate & manage a base of PROFILERS.
2. Start with the criminals in jail. Of course you can PROFILE them.
3. Database of their accomplices.
4. Foreigners in INDIA.
5. Foreigners in INDIA STATE(s).
6. A risk metric on every TARGET.
7. Do you want to know more about who is IN?
8. Do you want to know more about who is OUT?
9. Do you want to monitor or watch their movements? Monthly? Weekly? Hourly? Real-time?
10. Public? Households? Private?
Key patterns … 1. Lifestyle. 2. Family, friends & relationships. 3. Travel. 4. Opinions & beliefs. 5. Behavioural assessment. 6. Observable behaviour profile. 7. Income & sources. 8. Spending on what. 9. What do they possess? 10. What was, and is now not, with them?
i3S Going to be a criminal
1. Manual 24-hour surveillance. Detective work. Night-vision binoculars. Photo & video cameras. Bugs & microphones. Recorders. Telephone taps. Your life was hardly threatened. Intuition, sixth sense, “I can feel it” & behavioural pattern recognition. “I know this guy did it.”
2. Challenges today … Surveillance presence detection. CBRN presence. Mobile phones. Internet. Radio monitoring. Encryption. Aspirational threat to planning threat. Your own life is threatened if you challenge OR become a part of the “situation”. Intuition, sixth sense, “I can feel it” & behavioural pattern recognition. “I know this guy is up to no good … but is that a Homeland Security threat?”
i3S Further challenges
1. There may yet be no infringement of the law.
2. Is it a law-enforcement, Police, State issue?
3. When is it a Central, Defense or Homeland issue?
4. Our man (or woman) … the whole range: personal values; individual behaviour; current stress; trigger-happy; moral issues … human rights; encounters; self-defense; whether armed; adequate protection; on-the-spot ‘manual’ or ‘automated’ information; information on demand; real-time decision-making.
i3S So how real is a threat?
i3S Threat nuances
1. What are the Force Majeure threats?
2. Are lives at stake?
3. Can insurance solve it?
4. Airlines were downed for 3 days … so what. The city came to a standstill for 5 days … so what. The US economy is slumping … so what? The Delhi CWG games were a disaster … so what?
5. Katrina. Asian Tsunami. Gulf oil spill. Hungary toxic spill. Pakistan floods. What could have been done? Is something being done about other FUTURE such events?
6. Even if someone knew something was going to happen … Clairvoyants? Hollywood? Witches? Aliens?
7. And if it never happened … perhaps it was not going to happen at all. Who pays? How do you prove this?
i3S Security Activity Monitoring
Traditionally, security has focused on putting up a perimeter fence to keep others out, but it has evolved to monitoring activities and identifying patterns that would have been missed before. Information security professionals face the challenge of detecting malicious activity in a constant stream of discrete events that are usually associated with an authorized user and are generated from multiple network, system and application sources. At the same time, security departments are facing increasing demands for ever-greater log analysis and reporting to support audit requirements. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity – often with real-time alerting or transaction intervention. By understanding the strengths and weaknesses of these tools, enterprises can better understand how to use them to defend the enterprise and meet audit requirements.
i3S
Financial Risk
i3S High Risk High Rewards
Good …
• Sound as a bank.
• Ensure capital return.
• The markets: EQUITY, DEBT, COMMODITY, CURRENCY.
• Safe as houses: property, art & antiques.
Bad …
• Islamic banking.
• Gambling.
• Speculation.
• Throw good money behind bad.
• Ponzi schemes.
• MLM.
i3S Risk
1. Controllable – manage it. E.g. forward contracts / commodities exchange.
2. Uncontrollable – insurance; Force Majeure management.
i3S Systems Thinking & Systems Dynamics related to Risk
1. Behavioural systems thinking.
2. Financial systems thinking.
3. Risk systems thinking.
4. Systems dynamics modeling.
5. Team, systems, practice, instrument level systems flowcharts.
6. Mathematical modeling.
7. Behavioural modeling.
i3S ALM Flow Example
i3S Classical Risk Curve
i3S Staff at Risk Management Steps
1. Identify the hazards
2. Decide who might be harmed and how
3. Evaluate the risks and decide on precautions
4. Record your findings and implement them
5. Review and update (if necessary)
i3S Risk Factors
Diagram: Risk at the meeting point of Asset(s), Threat and Vulnerability, labelled Internal, External and Cost.
Risk_Metric R% = A% x T% x V%
i3S Choose ..
Sharing, Security, Integrity: Sharing + Security + Integrity = 100%
Security ideas for implementation:
• IT Policy
• Intangible Assets: list, cost, manage, usage.
• Internal Patent System.
• USA Defense Services Orange Book.
• Set up a MarComm, Communications, Documentation Division.
• Establish a ‘VI’ practice.
• Develop a part-branded ‘consumer-usable’ line of products.
• Design & Manage a Catalogue.
• Push OR Pull ‘strategy’ ….
i3S Paper Wealth
i3S Built on shaky fundamentals
i3S
Risk because of Information & Communications Technology
i3S Six sigma credo
• We don't know what we don't know.
• We can't do what we don't know.
• We won't know until we measure.
• We don't measure what we don't value.
• We don't value what we don't measure.
i3S Your personal data
1. Credit-card numbers.
2. CVV2 security numbers (back of credit card).
3. Credit reports.
4. Social Insurance numbers.
5. Driver’s License numbers.
6. ATM cards.
7. Telephone calling cards.
8. Mortgage details.
9. Date of birth.
10. Passwords, PINs.
11. Home address.
12. Phone numbers.
13. Address book and personal contacts information.
i3S Corporate data
1. Trade secrets. Recipes & Formulations. Bill of Materials.
2. Cost information. Vendors; procurement costs; supply-chain information.
3. Price information. Customers; selling costs; customer relationship information.
4. Purchase track record – Sales History.
i3S Exposure cases
1. DSW, USA. Credit-card information from 108 stores; from 96,000 USA check transactions, exposure of US $1.5 M.
2. CardSystems, USA. Card information of Japan, Hong Kong, Philippines and Australia. Exposure US $40 M.
3. Mphasis / Citibank. Stolen US $350,000.
4. Sumitomo Bank. Stolen passwords caught prior to stealing US $397 M.
5. Citibank UPS shipment of customer data; 123,690 Japanese customers; exposure US $3.9 M.
6. Accura Bank; stolen microfilm data; exposing 26,400 customers.
7. Commonwealth Bank of Australia – ATM cash transfers. Stolen US $17 M.
8. Central Bank of Russia. Bank transfer information sold online.
9. Michinoku Bank. Thrown-away CDs retrieved with nearly all its customer information; exposure US $1.3 M.
i3S Who's got it
1. Banks.
2. Card companies.
3. Credit reference agencies.
4. Merchants.
5. Government agencies.
6. Phone companies.
7. Insurance firms.
8. Data brokerage firms. List managers.
9. Payment processing agencies.
10. Direct marketing agencies.
11. Market research firms.
i3S Priorities
1. Databases.
2. People logins.
3. Remote access.
4. Storage & Backup issues.
5. Down & Repair related issues.
i3S The only three
1. What you know: Login ID. Passwords. PIN. Personal data. Public and Private Keys (PKI).
2. What you have: ID Card. Token number. Ticket. Boarding Pass. PKI Digital Certificate(s).
3. Who you are: Signature. Fingerprint. Blood Group. Your walk. Iris Pattern. Hand Geometry. Body language. Voice Recognition. DNA.
i3S AutoID : A key Technology
Diagram: each Device carries an AutoID Smart Tag supporting 1. ID, 2. Pull data, 3. Push data, forming an enormous cloud of devices.
i3S
Collective or Group Risk
i3S Mixed community Handling
1. Purple Zone – Residential Towers.
2. Orange Zone – Manufacturing (EZ).
3. Green Zone – Commercial Complexes.
4. Cream Zone – Retail, Public Access.
5. Red Zone – Utilities. Admin. Control Rooms.
i3S Mapped Systems
1. Perimeter Controls.
2. Roads. *
3. Conduits / Pipes. *
4. Water. Sewage. *
5. Power. * Lighting.
6. Sensors – Cameras.
7. KeyCards. Access Control.
8. Display Signage.
9. Vehicle Parking.
10. Vehicle Movement.
11. Access Point(s) Control.
12. Fibre Communications.
13. IT Infrastructure.
14. CED Wireless Network.
15. Security Manpower Information System.
16. Law Enforcement. *
17. Operational Systems.
18. Tactical Systems.
19. Emergency. Crises.
20. Miscellaneous Manufacturing.
21. Integrated Software.
* Systems with likely Central, State, City or Municipal Authority.
i3S It SHOULD NOT be what most people think of as Security Today. You thought …….. BUT the reality:
1. Security Staff
• 10, 50 … 200 ‘uniformed jokers’ floating around.
• Not empowered. • Not trained. • Not civil, nor helpful.
• Gate Pass. In/Out Register. ID Card. Plate recording.
• Happily outsourced to so-called ‘ex-Services Experts’.
2. CCTV
• A bunch of cameras connected to a few TVs.
• No one sees it.
• If you see something, no action is taken or it is actioned too late.
• Footage not available when needed.
• Analog is ‘cheap’ but ‘dead’.
• Inadequate lighting. Poor angles. Low coverage.
i3S Imperative Elements
Statutory Element(s)
* Constitution Adherence
* Federal Subject(s)
* State Subject(s)
* Statutory Reporting
Intelligence Element(s)
* Doing the Best / Footwork
* CCTV (Visual intelligence)
* Sensory Intelligence / Alerts
* Virtual Convergence World
* IT aided Intelligence.
* Automation.
Staffing Element(s)
* Operational STATE Deployment.
* Owned STAFF Deployment.
* Outsource STAFF Deployment.
* Stakeholder(s) STAFF – ADMIN – MGT.
Infrastructure Element(s)
* Fibre-Wired and Wireless Network.
* Server(s), Client(s), CEDs, Handhelds etc.
* Connectivity, Availability, Redundancy & Backup.
* Devices, Cameras, Sensors, Lighting, Power Supply etc.
* Control Rooms, Access Points, Distribution Points etc.
i3S Roads vs IT analogy
Connectivity – availability and usability to an end user. Road analogy: toll gates, exit ramps, security checks, weather conditions, sex (!), age and health of driver, VIP in town.
Bandwidth – size and speed of data transfer. Road analogy: per-hour vehicle capacity, types and speeds of cars, uphill, curves.
Servers – data and information stored remotely / centrally. Road analogy: parking lots, car lifts, parallel parking.
Network – wired or wireless; analog, digital or IP. Road analogy: roads, number of lanes, number of checkpoints, signal lights, flyovers.
i3S Connectivity Tap-Points
Diagram (FROM / TO): External Access, inputs and out; Internal Management, inputs and out.
Tap-points: • Camera Station • CED (Mobile/Handheld) • Public Alarm • Action to i3S Policy • WorkStation Access • CED (Mobile/Handheld) • Helpdesk Request • Subscriptions View • Self-Service • Accountable Staff
i3S
Financial
i3S Types
1. Cash. 1. Theft. Fraud. Loss. 2. Liquidity. Unavailability. 3. Bad Debt.
2. Assets. 1. Plant & Machinery / Office Equipment. 2. Non-performing Assets. 3. Lower than planned ROI. 4. Depreciation. 5. Cost vs Performance. 6. Availability. Reliability. Maintainability.
3. IPR. 1. WTO. WIPO. GATTS. Country / Statutory / Industry. 2. Patents. Copyrights. Trademarks. Secrets. 3. Appreciation.
4. Capital vs Expense.
5. Inventory. 1. Overstock. Understock. Just-in-time. Carrying Costs. 2. Obsolescence. 3. Rework. Recycling. Inefficiencies. Quality issues. 4. Waste. Write-off.
i3S Accountability Transfer – Whose cash is it anyway?
1. Extremely INDUSTRY specific. Compare: Automobiles vs Pharma vs Music CDs vs Bollywood Films vs Your Industry.
2. Manufacturer OR Distributor OR Retailer.
3. Investors. Shareholders. Stakeholders.
4. Banks. FIs. Mutual Funds.
5. Mortgages. Loans. Leasing. Hire-purchase.
6. Purchase of risk. In-transit documents. Invoices. Payments. Letters of Credit. Hundi (in Asia).
7. Futures and Options.
i3S Cost of FAILURE!
• Regulatory Action
• Corporate Liability
• Indirect Costs
• Loss of Customer Confidence
i3S Force Majeure
1. Those "physical" events that are foreseeable, although unpredictable, such as fires, floods or vandalism.
2. Those day-to-day "business" events or governmental actions that cannot be forecast, but which are foreseeable, such as strikes or regulatory activities. This includes your service provider's subcontractors and vendors not performing tasks possibly necessary to your provider's performance under the agreement that your provider may claim are "beyond its reasonable control."
3. Those events that, although admittedly still pretty rare, are now unfortunately quite plausible in a world where commerce is easily touched by international politics, such as military actions, embargoes, rebellions and terrorism.
4. Those events caused by extraordinary elements of nature or "acts of God," which are truly unforeseeable force majeure events.
i3S Business Continuity Factors vis-à-vis Information & Technology
1. Uptime (near 100%): Backup, Housekeeping, Mirror, Geographical Spread, Employee Standby, Hotfix, 24x7x365 service(s) availability.
2. Downtime (near 0%): MTTR, MTBF, 24x7x365 service(s) availability.
3. Assess, Quantify, Measure: Information Costing. Investor, Vendor, Customer & Co-worker ‘impact’. What-if scenarios.
4. Risk & Qualify: High, Medium, Low, No. Insurance. Personnel standby. Internal & External Audits.
i3S Risk quadrants (chart: Probability of occurrence on one axis, Severity of Impact on the other, both from 0 to 10)
• RED QUADRANT – High severity, High probability: Real Trouble. Try to reduce Impact.
• YELLOW QUADRANT – High severity, Low probability: Closely monitor for increasing Probability.
• GREY QUADRANT – Low severity, High probability: Nuisance Problems.
• GREEN QUADRANT – Low severity, Low probability: Problems not significant.
i3S When risk happens .
1. On-track plan. (Backup, contingency)
2. Insurance, premiums & documentation.
3. Handling the Media (and fallout …)
4. Not repeating a mistake …
5. Factor #1 Probability.
6. Factor #2 Outcome or hazard.
i3S Tools
1. Sensitivity Analysis. (What if …)
2. Statistics: Normal Distribution.
i3S
Access Risks
i3S The only three
1. What you know: Login ID. Passwords. PIN. Personal data. Public and Private Keys (PKI).
2. What you have: ID Card. Token number. Ticket. Boarding Pass. PKI Digital Certificate(s).
3. Who you are: Signature. Fingerprint. Retinal Pattern. Body language. Voice Pattern. DNA.
i3S IT Best Practices
1. Without SSL encryption, the integrity of data is compromised.
2. Without robust physical and network security, sensitive corporate data is at risk of intrusion.
3. Building an effective in-house PKI system will take considerable time and expense. Opt for managed PKI services.
4. Free software will crack your password in 30 minutes.
5. Email is leaking your business secrets.
6. Traditional access control solutions are either ineffective or costly.
7. Your web site can be spoofed with a point and a click.
8. Testing in production is tempting fate.
9. The weakest link in your security is your people.
10. On the web, nobody knows if you are a Martian.
i3S Reality checklist
1. Almost everything is turning electronic & digital.
2. Applications will never be secure.
3. The perimeter is disappearing.
4. The determined hacker will get in, always.
5. Awareness training will help, only so much.
i3S ID Theft.
Pie chart of ID theft by type. Segments, in the order shown: Credit-Card Fraud; Phone or Utilities Fraud; Bank Fraud; Employment-related Fraud; Govt. documents fraud; Attempted ID Theft; Loan Fraud; Other Identity Theft. Shares shown: 24%, 16%, 15%, 11%, 7%, 5%, 4% and 18%.
i3S
Our offer
i3S Your Physical Lobby
DMZ on Extranet
i3S The proposal
1. Approach your ‘I.T.’ as you would your physical office. You have a centralised reception area.
2. You have physical security. You have cameras. You have off-office-hours infrastructure.
3. You have a back gate for materials. In/Out registers. Documentation.
4. You also have Policies, Rules & Regulations, Guidelines, Methods, Processes & Systems.
5. There is ‘Human Decision Making’ in terms of out-of-policy, contingency & crises.
i3S The Service
Business Continuity is a matter of Practice and includes:
1. Study of Existing Systems.
2. Desired State Definition.
3. Gap Analysis.
4. Budgets & Costs Allocation.
5. Design & Plan.
6. Implement.
a. Buyout, License, Acquire, Recruit.
b. Integrate, Implement, Train, Setup, Establish.
c. Intensive Monitoring Services. (Typically 3 months).
d. Regular Monitoring Services. (Annual Contracts).
7. Review, Feedback, Correction.
i3S Possible Scope of Supply
From your India-based establishment … as your Worldwide Single-Point Source ….
1. Study of Existing Systems.
2. Desired State Definition.
3. Gap Analysis.
4. Budgets & Costs Allocation.
5. Design & Plan.
6. Implement.
a. Buyout, License, Acquire, Recruit.
b. Integrate, Implement, Train, Setup, Establish.
c. Intensive Monitoring Services. (Typically 3 months).
d. Regular Monitoring Services. (Annual Contracts).
7. Review, Feedback, Correction.
i3S including
1. Top Management ‘Interaction’ & ‘Support’.
2. Design & Management of your ‘Red Book’.
3. Physical Manning at all physical server locations.
4. 24x7x365 Manned Monitoring.
5. 24x7x365 Automated ‘Sniffing’ & ‘Snooping’ Controls.
6. Hardware & Software Firewalls.
7. Internal Audit(s). Infrastructure, Administrators & I.T. Departments of Internal, Vendors, Customers, Investor & Co-worker Groups access.
8. External Audit Support.
9. Downtime Services.
10. Crises Services.
11. Choice of Technologies.
12. Online Certificate Design, Method & Systems.
i3S If I.T. down assessment
1. If Hardware, Networking, Storage goes down ….
2. If Systems Software goes down …
3. If Application(s) Software goes down … Bugs, Staging, Testing, Y2K type scenarios ….
4. If Data goes down …
5. If Information unavailable …
6. If unable to find out what has gone down …
i3S Security Policy
1. Written General Security Policy.
2. Written IT Security Policy.
   1. IPs. Listed & Controlled.
   2. Allow & Deny. Group, individual & others.
   3. Logs. Logs backup. Logs Analyses. Decisions.
   4. Disaster Recovery.
   5. DoS, DDoS etc.
3. Client ‘transparent’ document.
4. Internal audit.
5. External audit.
i3S Information or Intelligence Domain
i3S Central Intelligence
• Gather Information, OR Intelligence.
• Data. Images. Audio. Video.
• Store. Retrieve. Analyze. Pattern Recognition. Intuition. Assign Field Work.
• Gather MORE information.
• Sort. Extract. Merge. Collate. Integrate. Consolidate. Automate.
• Efficiencies. ROI. TCO.
i3S Disseminate. Execute. Act. Assist. Support. Help. Facilitate.
• Assign Work
• Intelligence on Demand.
• Verification. Authentication, Fact Checks.
• Friend or Foe Decision Making.
i3S People Risk
The ‘Human Being’ behind every ‘Risk’ related event.
i3S Shrinkage
One word for Risk, Safety, Security, Surveillance, Graft, Corruption, Negligence; Stupidity; Ignorance; ill informed; uneducated; Theft. Fraud; Counterfeit; Negligence; Attrition …???
PRAY (People Risk Assessment & Yield) Model
i3S Risk from People
Chart in three columns: People, Actions, Costs.
People: Employees; Suppliers; Customers; TEMPS; Catering Staff; Housekeeping; Security Staff; Drivers; Ghost Employees.
Actions and Costs (as listed on the slide): Order Acceptance; Procurement; Wrong Vendor; Wrong Hiring; Poor Decisions; Direct OR Indirect; Fixed OR Variable; Liable for Litigation, Negligence; Graft (CORRUPTION); Cartel; Behavioural; Not Insured; 100% Revenue Loss; Increased Cost; Lower Profits; High Risk Behaviour; Stopped Learning; Ego – Alpha Male; Long term consequence; Personal Debt; Greed; Clinical Problem(s); No Succession Planning; Poor Due-Diligence; Obsolescence; Rework & Waste.
i3S New Economy Organisational Design
Diagram labels: Delivery / Production / Manufacturing; People; Commercial; Sales; Customer Contact; Marketing; Contract Staff; Our Staff; External – Outside Control; Internal – Our Control.
Modern organisations do not work from one premises. All staff may not be homogeneous; not from one area, community, state or even country. Wireless allows voice, video & definitely data into and out of any location.
The Enterprise has to be MORE in control while being forced OUT-OF-CONTROL by the pace of Technology.
i3S Out-sourcing
• Benefits: 1. Required skills. 2. Lower costs. 3. Quicker access. 4. Better systems. 5. More professional.
• Risks: 1. Culture misfit. 2. Increased costs. 3. Less coordinated. 4. Integration issues. 5. Less in control.
i3S Types / Categories of Workforce
Class A
1. Board, Committee, Association.
2. Our Staff. Permanent.
3. Key Owners, Managers, Stakeholders of Members.
4. VIPs. Statutory Authorities. Pre-approved Guests / Visitors.
5. Outsourced Security Key Managers, Authorised Staff.
Class B
1. Our Security Staff.
2. Outsourced Permanent Security Staff.
Class C
1. OUR or external Part-time OR Temporary Security Staff.
Class D
1. Staff of ‘Member Units’. Permanent.
2. Temporary Staff. TEMPS.
3. Service Provider. Utilities. Supplies. Catering. Transport Drivers + Support Staff.
4. Any new Employee / Regular with LESS than one year of Regularity.
Class E
1. Contractor. Staff. Labour force. Contractor Suppliers. Contractor Services.
2. Trade or Manufacturing. Goods Inward and Goods Outward.
3. Waste Disposal. IN and OUT movement.
i3S Risk Level Rating of People
1. 0 to 9: 9 = no risk; 1 = VERY HIGH RISK; 0 = unknown / not assigned.
2. Everyone is assigned Level 5 and has to earn, by time, inputs, self-service, behaviour, references and feedback, a lower Risk LEVEL.
PRAY (People Risk Assessment & Yield) Model
i3S Negligent Hiring
1. What is negligent hiring?
2. Should all companies be expected to have a screening policy?
3. Does every employee need to be screened?
4. How much should a company expect to pay for screening?
5. What can it cost a company should they choose not to have a screening program?
6. Do you have enough ‘Johari-window’ information to make an offer?
7. Are all screening companies alike?
i3S Negligent Hiring Problems
1. Shrinkage. Theft. Robbery. White-collar crime.
2. Security Staff are compromised!
3. Cartels / Organised Crime are formed!
4. IT, data, information & know-how leaks.
5. Rapists! Women’s Issues.
6. Pornography. Video-Cam. Exploitation.
7. Pedophiles. Child abuse. (Where applicable).
8. Fellow workers being blackmailed.
9. Paperwork fudging, albeit for personal gain.
i3S People Risk examples
1. Ghost Employees. Not on your payroll, not coming to work, being paid (maybe electronically).
2. Cartel of Security, Catering, Housekeeping & Admin. in waste (and other) removal from the premises.
3. Labour (HR or line staff) taking a ‘cut’ in recruitment, placement, promotions.
4. Poor Decision-Making. Order acceptance, vendor identification, technology due-diligence, loan disbursement, based on wrong or inadequate data or information.
5. High-risk behaviour in their personal, private life. Gambling. Drugs. Debt. Wine. Women/Men.
6. Time allocation. Priorities, motivation, interests in a different direction or area. Non-professionalism.
7. Travel + stay when it could have been done with video conferencing.
i3S Some Solution(s) Step(s)
1. Rating: Keep a simple scorecard. On a scale of 1 to 9 everyone is a 5 till proved otherwise based on Actions and Performance.
2. Internal FIR: Maintain a database of any and all incidents (tangible and intangible), transparent while ensuring personal privacy; warnings; let-offs; rewards & recognition.
3. PMS: Perform periodic Reviews. Behavioural as important as Performance.
4. Voperty: The modern organisation is no longer on one premises. It is virtual and online as much as offline. Intellectual Property is as important as Property. Trade secrets, diagrams, customer or supplier databases.
5. Infrastructure Enhancement & Technology Support.
6. KRI: Acquire, implement, maintain and manage a set of Key Risk Indicators.
7. Process, Methodology, Workflow. Checklists. Visual Maps. Step accountability.
i3S Infrastructure Recommendations
1. Single-window Access Control System. (Staff, Catering, Housekeeping, Temps, Security). Audited Attendance.
2. Eyes and Ears on the ground. Networked Cameras; Adequate Lighting; Sensors for required needs.
3. Triple-play convergent digital networks.
4. Things monitoring. Raw materials & Finished Goods. Consumables. Fixed and Mobile Assets. Repairmen kits. Catering, Housekeeping, Waste removal.
5. Centralised Servers + Platform for Integrated, Real-time, Remote & Localised Routine Reporting, Audits and Alert/Alarm Systems.
6. Transparency, Convenience, Ease-of-use, Ergonomics, Managed Queues, Systems, People-flow.
i3S Infrastructure Functionality
Information or Intelligence Domain
Central Intelligence
• Gather Information, OR Intelligence.
• Data. Images. Audio. Video.
• Store. Retrieve. Analyze. Pattern Recognition. Intuition. Assign Field Work.
• Gather MORE information.
• Sort. Extract. Merge. Collate. Integrate. Consolidate. Automate.
• Efficiencies. ROI. TCO.
Disseminate. Execute. Act. Assist. Support. Help. Facilitate.
• Assign Work
• Intelligence on Demand.
• Verification. Authentication, Fact Checks.
• Friend or Foe Decision Making.
i3S Managed Services
1. Choose to work with Riskpro India (http://riskpro.in). Typically a minimum 15-month contract.
2. Study, Report, KRI set & GRC (Governance, Risk & Compliance) Roadmap within one month.
3. Put in place our clextra Software Platform.
4. Identify and Train the ‘Taskforce’ on the GRC Roadmap.
5. Maintain, Monitor, Manage, Analyze. ‘Routine’ and ‘Alert’ Reporting to Management.
i3S
Risk Management
i3S Based on the COSO model
i3S Another Model
i3S IT Risk Model
i3S Risk of No Information & Communications Technology
Supply-side flow, E to A: E Source (SERVERS) → D Interface (WebPipe) → C Distribution (EtherSpace) → B Interface (Local ISP) → A Request (CLIENTS).
Rating levels per dimension:
1 Relevance: 1.1 Less than 50%; 1.2 Ok; 1.3 60–89%; 1.4 90% plus.
2 Timeliness: 2.1 Post-mortem; 2.2 Yesterday; 2.3 In-time; 2.4 Predictive.
3 Quantity: 3.1 1–10 Page; 3.2 11–500 Pages; 3.3 Database; 3.4 DataHouse.
4 Media: 4.1 Text; 4.2 Visuals; 4.3 Audio; 4.4 Video.
5 Quality: 5.1 Security; 5.2 Integrity; 5.3 Sharing.
6 Infrastructure: 5.1 Power; 5.2 Hardware; 5.3 Backup (as numbered on the slide).
i3S Any IT-record in your Business
1. Tangible Assets Master
2. Buy Purchase Orders Master
3. Main Metrics
4. Expenses Master
5. Firms Master
6. Inventory Master
7. Invoices Master
8. Mfg. Job-Work Orders Master
9. Intangible Assets Transactions
10. Intangible Assets : Library : Info.Units
11. Owners : Contacts, Customers, Vendors
12. Individual Employee Master : Login II
13. Teams Master
14. Unit Master
15. RFID Hardware etc.
16. Seats Management Database
17. Individual Users Master : Login I
18. Vehicle Master
i3S User definable #1/3 A000,FORCE MAJEURE A001,Unpredictable A002,Political Forces A003,Terrorism A004,Genuine B000,FINANCE B001,Cash Liquidity B002,Market valuation of Equity B003,Audit B004,Financial duediligence B005,Technology duediligence B006,Theft of cash B007,Misuse of cash B008,Misuse of documents B009,nonPerforming Assets B010,Tax B011,External Audit B012,Internal Audit B013,Depreciation B014,Credit Risk B015,Bad Debt B016,Book Value of EquityShares B017,Market Value of EquityShares B018,Bullrun B019,Bearrun C000,COMPLIANCE C001,Regulatory Compliance C002,Central Compliance C003,SOX Compliance C004,StockExchange Compliance
C005,Central Labour Compliance C006,Local Labour Compliance C007,Local Safety Compliance D000,LEGAL D001,Major Lawsuit D002,minor Lawsuit D003,Loss of original documents D004,Legal fees D005,Stay order Costs D006,Stay order Time E000,PLANNING E001,Vendor Base. (Contractual and Moral) E002,Customer Base. (Affinity and Purchasing). E003,Sales Projections E004,Expenses Projections E005,Cashflow Projections E006,Meeting Manpower Plans F000,HR FA00,INVESTORS FA01,The Head of the Board FA02,The Board FA03,The CEO FA04,The CEOs Team FA05,Investors ROI needs FA06,Investors Values FB00,EMPLOYEES FB01,Absenteeism FB02,Nonperformance FB03,Quality
i3S User definable #2/3 FB04,Quantity FB05,Negligence FB06,Fraud FB07,Unionism FB08,Training FB09,Requisite Operational Skills FB10,Motivation FC00,MANAGERS FC01,Not a Manager FC02,Not a CoachLeader FC03,Manager Unionism FC04,Labour Unionism FC05,Fraud FC06,Planning FC07,Plan adherence FC08,Gap closure FC09,Training FC10,Requisite Operational Skills FC11,Motivation FD00,BEHAVIOURAL FD01,Narcissistic FD02,Nepotism FD03,Authoritarian FD04,Physical MaleFemale FD05,Verbal MaleFemale FD06,Submissive FD07,Sycophancy FD08,Destructive Intelligence FD09,StupidDumbIdiotic FD10,Handsoff
FD11,Handson FD12,Motivation FD13,Timewastage FD14,Gambling FD15,Other pursuits FD16,Indoor inclinations FD17,Outdoor inclinations FD18,Commitment to Quality FD19,Commitment to Quantity FD20,Personal problems FD21,Financial burden FD22,Family problems FD23,Personal Health FD24,Alcoholism FD25,DrugsChemicals effect FD26,Obsessive Compulsive Disorder FD27,Attention Deficiency FD28,Hyperactive Syndrome G000,INVENTORY G001,Book Valuation G002,Market Valuation G003,Physical Checking G004,Obsolescence G005,Overstocking G006,Understocking / Stockouts G007,H. LOGISTICS RISKS G008,Delayed inflow G009,Delayed outflow G010,Transit Damage G011,Transit Theft
i3S User definable #3/3 G012,Transit Spoilage G013,I. PURCHASE RISKS . G014,Quality. Rework G015,Wastage and writeoff. G016,Shortsupply H000,MANUFACTURING H001,Line Downtime H002,Partial Downtime H003,Shopfloor Accidents H004,Labour unionism H005,Capacity availability H006,Output efficiency H007,Inlogistics Space H008,OutLogistics Space H009,PowerEnergy availability H010,Water availability H011,Flow constraints H012,Process inefficiency H013,Safety Systems J000,REDUNDANCY BACKUP J001,Duplication J002,Backup J003,Alternate System J004,mismatched capacities J005,Absenteeism J006,People Training J007,Use of ConsultantsAdvisors
K000,MARKETING KA00,EXTERNAL KA01,Customer understanding KA02,Customer need specifications KA03,Quantity of Reach KA04,Quality of Reach KA05,Too much communications KA06,Too little communications KA07,Market segmentation KA08,Choice of channels KA09,Delivery/Install/Commissioning KA10,Training KA11,Customer Usage KA12,After Market Services KA13,Product Lifecycle Revenue KA14,Product Lifecycle Expenses KA15,Product Lifecycle Profit KA16,Reputation Risk KA17,Brand Dispersion Risk KB00,PUBLICITY KB01,Bad Press due to internal incidences KB02,Bad Press due to extraneous incidences KB03,Investor relations. KB04,ex-employee relations. KB05,Customer relations. KB06,Vendor relations. KB07,Press relations. KB08,Political relations.
i3S Define & Manage Sets
Sets are columns numbered Set 1, Set 2, Set 3, Set 4 … Set 64, Set 65 … Set 7821. (The slide's tick marks assigning each metric to its sets are not recoverable from the transcript.) Metrics shown:
A000,FORCE MAJEURE A001,Unpredictable A002,Political Forces A003,Terrorism A004,Genuine B000,FINANCE B001,Cash Liquidity B002,Market valuation of Equity B003,Audit B004,Financial due diligence B005,Technology due diligence B006,Theft of cash B007,Misuse of cash B008,Misuse of documents B009,Non-performing Assets B010,Tax B011,External Audit B012,Internal Audit B013,Depreciation B014,Credit Risk B015,Bad Debt B016,Book Value of Equity Shares B017,Market Value of Equity Shares B018,Bull run B019,Bear run
A set can have any number of userdefinable metrics.
i3S Assign Set to a Record
1. Tangible Assets
2. Buy / Purchase Orders
3. Main Metrics
4. Expenses
5. Firms
6. Inventory
7. Invoices
8. Mfg. / Job-Work Orders
9. Intangible Assets : Transactions
10. Intangible Assets : Library : Info. Units
11. Contacts : Customers – Vendors – Agents – Drivers – Traders
12. Level II login users : Employee, Customer, Doctor, Patient, Student
13. Teams
14. Unit – Group – Household (in addition to Teams)
15. RFID Hardware etc. : Gates, Doors and Access Equipment
16. Seats : Workstations – Desks etc.
17. Level I login users
18. Vehicle
i3S Each Metric includes
1. Cost. On a scale of 0 (no cost) to 10 (very high); this is the means to ‘level’ ANY and ALL Threats to a business.
2. Vulnerability. On a scale of 0 (none) to 10 (definite). Internal weaknesses and factors under reasonable control.
3. Threat. On a scale of 0 (none) to 10 (definite). External factors, perhaps with minimal or no control.
4. Percentage. This is a percentage for levelling: P = C x V x T (the product of the three parameters above, expressed as a percentage).
5. Statistical Chance. Independent of the above: a standard market statistical percentage of an occurrence for this type of risk. Allows up to 4 decimal places, e.g. a 1 in 10,000 chance of occurrence.
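As an added example (not from the deck or the clextra product), a small Python scorer for the five attributes above. It assumes that P = C x V x T is expressed as a percentage of the maximum product 1000, and that the statistical chance is entered as odds such as ‘1 in 10,000’; the scores given to the three sample codes are constructed.

```python
from dataclasses import dataclass

# Example code, not from the i3S deck or the clextra product. It scores the
# five attributes the deck lists for each metric and ranks a set by P.


@dataclass
class Metric:
    code: str
    name: str
    cost: int            # 0 (no cost) .. 10 (very high)
    vulnerability: int   # 0 (none) .. 10 (definite); internal, reasonably controllable
    threat: int          # 0 (none) .. 10 (definite); external, little or no control
    chance: float = 0.0  # statistical chance of occurrence, 4 decimal places

    def level_percent(self) -> float:
        """P = C x V x T as a percentage. Assumption: the deck does not say how
        the product is normalised, so the maximum 10*10*10 = 1000 maps to 100%."""
        for v in (self.cost, self.vulnerability, self.threat):
            if not 0 <= v <= 10:
                raise ValueError(f"{self.code}: scale values must be 0..10, got {v}")
        return self.cost * self.vulnerability * self.threat / 10.0


def chance_from_odds(odds: str) -> float:
    """Turn '1 in 10,000' into 0.0001, rounded to the deck's 4 decimal places."""
    numerator, _, denominator = odds.replace(",", "").partition(" in ")
    return round(int(numerator) / int(denominator), 4)


def rank_set(metrics):
    """Order a set's metrics by their levelled percentage, highest first."""
    return sorted(metrics, key=lambda m: m.level_percent(), reverse=True)


# Constructed scores for three codes taken from the deck's metric lists.
SAMPLE_SET = [
    Metric("A003", "Terrorism", cost=10, vulnerability=2, threat=3,
           chance=chance_from_odds("1 in 10,000")),
    Metric("B006", "Theft of cash", cost=8, vulnerability=6, threat=5,
           chance=chance_from_odds("1 in 200")),
    Metric("FB06", "Fraud", cost=7, vulnerability=7, threat=4,
           chance=chance_from_odds("1 in 500")),
]

if __name__ == "__main__":
    for m in rank_set(SAMPLE_SET):
        print(f"{m.code} {m.name:<14} P={m.level_percent():5.1f}%  chance={m.chance}")
```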
i3S ICT Best Practices
1. Without SSL encryption, the integrity of data is compromised.
2. Without robust physical and network security, sensitive corporate data is at risk of intrusion.
3. Building an effective in-house PKI system will take considerable time and expense. Opt for managed PKI services.
4. Free software will crack your password in 30 minutes.
5. Email is leaking your business secrets.
6. Traditional access control solutions are either ineffective or costly.
7. Your web site can be spoofed with a point and a click.
8. Testing in production is tempting fate.
9. The weakest link in your security is your people.
10. On the web, nobody knows if you are a Martian.
i3S Report : Screenshot
RFID and Physical Location based.
Checklist Approach
i3S Checklist Library(s)
Cycles Feature
hdocs
mdocs (Broadband Scalable)
i3S Inventory Approvals
Incident areas and Bibliography
1. clextra Cupboard : dodocs. Archival system for all periodic reporting.
2. clextra Cupboard : cdocs. Archival system for all random reporting.
3. Organisational Filing System.
   1. Individual and/or Team based.
   2. Selective access to everyone in the organisation.
   3. Supports MS Office, schematics, multimedia and/or any other format.
   4. Numbered email. PULL system (no PUSH).
   5. Multimedia file binning.
   6. Technology permitting … SMS, Mobile etc.
i3S Coding System(s) : 2 of 10s, dozens.
1. Location Code. E.g. inKAblrAZON01 (13 character code).
   1. 2 chars – ISO country code.
   2. 2 chars – Country State code.
   3. 3 chars – City code.
   4. 1 alpha – Zone code.
   5. 3 chars – Preferably 9 or 81 directions N,E,W,S,C.
   6. 2 chars – Can be subzones OR floors OR any other.
2. Device Code. E.g. inKAblrAZON01rc000006.
   1. Device no. 6. Grouped treatment as a particular type of Display, or Camera, or IN or OUT gate, reader, writer, sensor etc.
3. Also supported: EPC codes; GPS codes and point maps on ANY image(s).
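An added example, not from the deck or the clextra software, that parses the location and device codes described above. It assumes the two characters after the 13-character location code (‘rc’ in the deck's example) are a device-type tag and the trailing six digits are the device number; every code other than the deck's own is constructed.

```python
import re
from collections import defaultdict

# Example code, not part of the i3S deck or the clextra product. Field widths
# follow the deck's description of the 13-character location code.
LOCATION_FIELDS = (
    ("country", 2), ("state", 2), ("city", 3),
    ("zone", 1), ("direction", 3), ("subzone", 2),
)
LOCATION_LEN = sum(width for _, width in LOCATION_FIELDS)  # 13

# Assumption: device code = location code + 2-letter device-type tag
# ("rc" in the deck's example) + 6-digit device number.
DEVICE_RE = re.compile(r"^(?P<location>.{13})(?P<kind>[A-Za-z]{2})(?P<number>\d{6})$")


def parse_location(code: str) -> dict:
    """Split a 13-character location code into its named fields."""
    if len(code) != LOCATION_LEN or not code.isalnum():
        raise ValueError(f"location code must be {LOCATION_LEN} alphanumeric chars: {code!r}")
    fields, pos = {}, 0
    for name, width in LOCATION_FIELDS:
        fields[name] = code[pos:pos + width]
        pos += width
    return fields


def parse_device(code: str) -> dict:
    """Split a device code into location fields, device type and device number."""
    m = DEVICE_RE.match(code)
    if m is None:
        raise ValueError(f"not a valid device code: {code!r}")
    return {
        "location": parse_location(m["location"]),
        "kind": m["kind"],
        "number": int(m["number"]),  # "000006" -> device no. 6, as in the deck
    }


def group_by_kind(codes):
    """Group device numbers by (location code, device type), so that all cameras,
    readers or gates at one location can be treated together."""
    groups = defaultdict(list)
    for code in codes:
        d = parse_device(code)
        groups[(code[:LOCATION_LEN], d["kind"])].append(d["number"])
    return dict(groups)


# Constructed sample codes; only the first appears in the deck.
SAMPLE_CODES = ["inKAblrAZON01rc000006", "inKAblrAZON01rc000007", "inKAblrAZON02ca000001"]

if __name__ == "__main__":
    for code in SAMPLE_CODES:
        print(code, parse_device(code))
    print(group_by_kind(SAMPLE_CODES))
```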
i3S
Shrinkage, Risk, Security
Shrinkage: a euphemism for Theft; Fraud; Counterfeit; Negligence; Attrition.
i3S Inventory Shrinkage ...
1. Empty boxes or "hollow squares" in stacked goods.
2. Mislabeled boxes containing scrap, obsolete items or lower value materials.
3. Consigned inventory, inventory that is rented, or traded-in items for which credits have not been issued.
4. Diluted inventory so it is less valuable (e.g., adding water to liquid substances).
5. Increasing or otherwise altering the inventory counts for those items the auditor did not test count.
6. Programming the computer to produce fraudulent physical quantity tabulations or priced inventory listings.
7. Manipulating the inventory counts/compilations for locations not visited by the auditor.
8. Double-counting inventory in transit between locations.
9. Physically moving inventory and counting it at two locations.
i3S Inventory More Shrinkage
1. Including in inventory merchandise recorded as sold but not yet shipped to a customer.
2. Arranging for false confirmations of inventory held by others.
3. Including inventory receipts for which corresponding payables had not been recorded.
4. Overstating the stage of completion of work-in-process.
5. Reconciling physical inventory amounts to falsified amounts in the general ledger.
6. Manipulating the "roll-forward" of an inventory taken before the financial statement date.
i3S Inventory & shrinkage
1. Not retiring WIP and not classifying completed jobs as finished goods after dispatching them to customers.
2. Falsifying computer runs by overriding the WIP applications.
3. Including extraneous elements, like period costs, in WIP tabulations.
4. Excluding job-related direct costs, such as special purpose tools and jigs, from WIP tabulations.
5. Tinkering with process cost allocation and overhead calculation functions.
6. Including abnormal process losses in WIP.
7. Overstating the stage of completion of work-in-process.
8. Programming the computer to produce fraudulent physical quantity tabulations or priced inventory listings.
i3S Inventory Not the final word on Shrinkage
1. Physically counted percentage factor.
2. Items requiring further audit scrutiny.
3. Surreptitious check(s) percentage factor.
4. Physical opening and case-label match factor.
5. Increase in count factor from original plan due to findings.
6. Time gap between disparate location physical counts.
7. Factor of likely owned property/materials/stock.
8. Specialist factor. Does the observer understand the inventory?
i3S Loss of Original Documents
1. Litigation.
2. Direct cash loss.
3. Lack of control over your ‘Staff’.
4. Reduced Customer confidence.
5. The ‘good faith’ in which these were given to you in the first place.
6. Perception of ‘corruption’ and ‘deliberate’ act.
7. Negligence.
8. Inability to ‘store’, ‘monitor’ and ‘manage’ over long periods of time (10+ years).
9. Inability to use technology such as Library Science methods, barcode, RFID etc.
10. Inability to cost per-document storage and ROI, TCO for Document Management.
i3S Other fraud
1. Identity Theft.
2. Credit Card.
3. Password Theft.
4. TCP/IP Theft.
5. Patent Infringement.
6. Copyright, Trademark Theft.
7. Industrial espionage.
8. Counterfeits and Knock-offs.
i3S
GPS etc.
Integrating GPS, GIS, GPRS, 3G, RFID, Auto-ID & related technologies onto a Single Unified Integrated Real-time Remote Triple Play Solution.
i3S Geography : 7 level Detail
i3S Map Tracks : Actual Path(s)
i3S Route Maps : Commute etc.
i3S Beats, Timings, Circuits
i3S Incident(s) Database
1. MANUAL and/or AUTO-ENTRY recording of all incidents.
2. MANUAL cataloguing and bibliography of incidents.
3. THEREFORE search of incidents.
4. Checklists for follow-up & tracking.
5. Opening of a ‘Case’ for legal procedure: information and evidence handling, court follow-up.
i3S Case(s) Tracking
1. If FIR is registered.
2. Case Development and Management.
3. Evidence and Support information.
4. Court dates and Follow-up.
5. Long-term tracking of all Cases.
6. Costs and Decision making related to each Case.
i3S Storage Solution
i3S Bibliography, Search etc.
i3S
Individual Risk
The ‘Human Being’
i3S Typical Certification Areas
1. Access Control
2. Application Development Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security Governance and Risk Management
6. Legal, Regulations, Investigations and Compliance
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
i3S
Video Analytics
i3S Features
1. Assuming 100’s of 1000’s of camera / eyes are deployed …
2. Primary thinking and application is deterrence.
3. Can’t CAPTURE, TRANSMIT and STORE ALL in high-definition; 25 fps; colour … the costs are astronomical.
4. Any ‘real-time’ alerts from live streaming from multiple cameras, with automation based on Pattern Recognition, are WAY TOO EXPENSIVE and NOT REALISTIC.
5. Being proactive cannot imply predicting ‘what will happen’ or ‘the future’.
6. So what do you capture …
   1. Assume the last hour or the last 3 days or whatever.
   2. Pre-alert and post-alert EXTRACT from the above stream.
   3. CLEAR bibliography; date, time, physical location, camera, view, quality, quantity, length, guard on duty etc. etc.
   4. Alerts can happen …
      1. in-camera – Motion Detection. Field of View. Range of programmable features. License Plate recognition.
      2. non-camera – Sensors. Vibration. Trip-wire. Light. Noise. RF. Optical etc. etc. etc.
      3. Currency. Cheques. Documents or other Verification.
7. Intelligence on the Edge
   1. Camera stores full streams locally, discarding after preset lifecycles.
   2. UPLOAD to central STORE any and all incidents.
   3. Create a clextra bibliography record for every UPLOAD.
8. Guard Services Alert
9. Forensics. Evidence. Search. Analytics.
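An added example, not from the deck, of the ‘intelligence on the edge’ capture described in items 6 and 7: a bounded per-camera buffer that discards frames after a preset lifecycle and, on an alert, cuts out the pre-alert and post-alert window together with a bibliography record using the fields listed above. Frame data, timestamps, camera name and guard name are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Example code, not from the i3S deck. A camera keeps only a bounded local
# buffer of frames; on an alert it extracts the pre/post-alert slice and
# describes it with the bibliography fields the deck lists.


class EdgeBuffer:
    """Bounded local frame store for one camera at one coded location."""

    def __init__(self, camera: str, location: str, keep: timedelta):
        self.camera, self.location, self.keep = camera, location, keep
        self.frames = deque()  # (timestamp, frame bytes), oldest first

    def add_frame(self, ts: datetime, frame: bytes) -> None:
        """Store a frame and discard anything older than the preset lifecycle."""
        self.frames.append((ts, frame))
        while self.frames and ts - self.frames[0][0] > self.keep:
            self.frames.popleft()

    def extract(self, alert_ts, pre, post, guard: str, source: str) -> dict:
        """Cut the pre/post alert window out of the buffer and catalogue it."""
        start, end = alert_ts - pre, alert_ts + post
        clip = [(ts, f) for ts, f in self.frames if start <= ts <= end]
        if not clip:  # alert older than the lifecycle: nothing left to upload
            raise ValueError("no frames buffered for the alert window")
        return {
            "date": alert_ts.date().isoformat(),
            "time": alert_ts.time().isoformat(),
            "location": self.location,
            "camera": self.camera,
            "alert_source": source,  # e.g. in-camera motion, tamper sensor
            "guard_on_duty": guard,
            "quantity": len(clip),   # frames in the clip
            "length_s": (clip[-1][0] - clip[0][0]).total_seconds(),
            "frames": [f for _, f in clip],
        }


def constructed_demo() -> dict:
    """Constructed: one frame per second for 60 s, 30 s lifecycle, alert at t=40 s."""
    t0 = datetime(2010, 2, 1, 9, 0, 0)
    buf = EdgeBuffer("cam-06", "inKAblrAZON01", keep=timedelta(seconds=30))
    for i in range(60):
        buf.add_frame(t0 + timedelta(seconds=i), f"frame{i}".encode())
    return buf.extract(t0 + timedelta(seconds=40), pre=timedelta(seconds=5),
                       post=timedelta(seconds=5), guard="G. Rao", source="in-camera motion")


if __name__ == "__main__":
    print({k: v for k, v in constructed_demo().items() if k != "frames"})
```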
i3S Guard Services
1. Guards have to watch 100’s at a time. NOT POSSIBLE.
2. Guards are human. Don’t expect them to watch even ONE all the time.
3. When an ALERT happens; must be able to localise; locate; have decision options and mobilise to tackle the ALERT as appropriate.
4. Systems of ALERT prioritisation.
   1. Fire. Earthquake. Flood.
   2. Dacoity. Terrorist Threat. Bomb.
   3. Single Incident. Armed vs Unarmed.
   4. Small start threat. Smoke. Water. Gas leak etc.
   5. Tampering alert. Door. Window. Cables. Camera etc.
   6. Client or Customer THEFT vs Employee THEFT.
   7. System Authority. CEO. Police. Guards themselves.
   8. Infringement. Person in non-authorised zones.
   9. Infringement. Animals. Dogs. Cats. Rodents. Pests.
5. Risk and False-alarm RULES Management.
i3S Not just your cameras; there are more
1. Storefronts
2. In-Store Cameras.
3. Gas Stations
4. Police stations
5. Businesses
6. Government & Office Buildings
7. Houses. Estates. Gate Security. Guard Security.
8. Traffic cams. Red light cams.
9. Taxi companies – Most taxis nowadays have dash cams, and a driver can manually trigger them.
10. Any witnesses with cellphones.
11. Any witnesses with digital cameras, camcorders.
12. Any witnesses. Record their statements with your on-hand camera.
i3S Someone should want to
1. Pay for it.
2. Look at it.
3. Use it.
4. Make it count.
5. Just evidence. Seeing is believing.
6. Use it as evidence in a court of law.
7. Save a life.
8. Save property.
9. Save time.
10. Do something … for someone.
i3S The face of Information Security
1. There is someone looking over your shoulder.
2. Uniform & Authority Matter.
3. He is trained and tough.
4. This person is authorised ‘internal’ and ‘by law’ to act on our behalf.
5. This person is Technically Qualified and aware.
6. If you ‘cross the line’ … you are in trouble.
7. You can ask me as to ‘what the line is’.
8. Honestly; I am here to help you do your job ‘honestly’.
i3S
Cash Security
i3S Counterfeit Management
1. Identifying counterfeit NOTES and COINS requires a combination of AUTOMATION & PEOPLE skills.
   1. Automation Concerns
      1. Automated kiosks DO NOT have this luxury and have to be able to stand alone and independently decide to ACCEPT or REJECT.
      2. Reject in many instances can mean loss of business and consumer confidence.
      3. Automated kiosks can be misused for money laundering; coin hoarding; higher-note disposal etc.
   2. Manual Concerns
      1. Remove the drudgery of counting.
      2. ONUS on protecting and end-of-shift settlement.
      3. Know how to be able to identify counterfeit.
i3S The Solution
1. Coin operated Vending Machines.
2. Coin or Cash based Media Dispensing.
3. Ticketing kiosks.
4. Utilities Bill Payment by Cash and/or Smartcards and/or Debit and/or Credit Cards.
5. GPS, GIS, GPRS, GSM, RFID based Tracking.
6. Touch screen based interaction.
7. Network integration with central computing facilities.
8. Local alarms & alerts; including automated and manual video surveillance.
9. Supply of HARDWARE, SOFTWARE, SYSTEMS, PROCESS/METHODOLOGY starting with Awareness Training.
10. Pre-Sale; In-Sale and Post-Sale Staff & User training.
i3S Who needs this
1. Any business handling cash.
2. Banks. Cash deposit. Cash withdrawal.
3. Coin-to-cash and cash-to-coin exchangers.
4. Retail operations.
5. Notes and/or Coins counting.
6. Government Utilities. Receipt Printing.
7. Parking. Ticketing. Events. Journey slips.
8. Vehicle Parking.
9. Toll Gates and pay-per-use applications.
10. Currency Exchange.
http://www.edgevalue.com http://www.clextra.in
[email protected] © JAN 1999 Edgevalue
62 B Modi Residency Miller Road
Bangalore 560 042 INDIA Phone : 91 (india) 80 (bangalore) 2595 0059
Cellphone : 98450 61870