Software, Backend, Tool & Platform Systems Integrators
Business Model, Methodology, and System(s)
The Firm: Full-range services in Governance, Base of Experts, Risk & Compliance Advisory, Staffing & Consulting.
List of NATURAL Hazards
• Displaced Persons
• Drought
• Earthquakes
• Epidemics and other Health Threats
• Extreme Temperatures
• Floods
• Global Climate Change
• Hail
• Hurricanes and Tropical Storms
• Infestations / Invasive Species
• Landslides
• Power Outage
• Structural Fire
• Technological Hazards / HAZMAT
• Terrorism and Civil Hazards
• Thunderstorms and Lightning
• Tornadoes
• Wildfire
• Winter Snow / Ice Storms
List of MAN-MADE Threats
• Vindictive Behaviour
  • Weapons. Firearms. Chemicals. Explosives.
  • Hostage Situation.
  • Dacoit.
  • Ideology, Psychological and Behavioural Situations.
• Selfish Behaviour
  • Petty Theft.
  • White Collar Entry.
  • Identity Theft / Fake Identity.
  • Fudged paperwork / documentation.
  • Unauthorised Vehicles vs Changed Licence Plates.
  • Removal of Assets.
• Co-Operative Behaviour
  • Cartels of Security + Staff + Others.
  • Lax systems. NEITHER Audit NOR Oversight.
Aspect. It’s about …
1. Choice: Better to be ‘safe’ than ‘sorry’.
2. Insurance: If nothing is going to happen … you don’t need it.
3. Uncertainty: An attempt to Predict / Quantify the future.
4. The opposite of ‘Risky’ is ‘Secure’.
Priorities
1. Databases.
2. People logins.
3. Remote access.
4. Storage & Backup issues.
5. Down & Repair related issues.
Two sides of the same coin
Risky …
• Greed
• High risk – High rewards
• Force Majeure.
• Requires Insurance.
• Contingency & Backup Plans.
• Exit options.
• Speculation vs Gambling.
• Unknown threats / weaknesses.
Security …
• Safe
• Average Returns.
• Known threats / weaknesses.
Today’s Reality
Intent to destruct. Sixth Sense. Intuition. Suspicious. Pattern. What if … and IF. Word & Observations of others. Behavioural Patterns. Prepared to die. PROFILING.
Event, Incident, Crime: observable ‘physical’ or ‘virtual’ action takes place.
Investigation, Modus operandi, Witnesses, Suspects, Intelligence Gathering. Evidence, Forensics, Motive, Detective work, legal or illegal. Law & Constitution. Police. Courts. Jail.
Track the WHOLE population?
1. Create / Identify, Train, Motivate & Manage a base of PROFILERS.
2. Start with the Criminals in Jail. Of course you can PROFILE them.
3. Database of their accomplices.
4. Foreigners in INDIA.
5. Foreigners in INDIA STATE(s).
6. A risk metric on every TARGET.
7. Do you want to know more about who is IN?
8. Do you want to know more about who is OUT?
9. Do you want to monitor or watch their movements? Monthly? Weekly? Hourly? Real-time?
10. Public? Households? Private?
Key patterns …
1. Lifestyle.
2. Family, friends & relationships.
3. Travel.
4. Opinions & Beliefs.
5. Behavioural Assessment.
6. Observable Behaviour Profile.
7. Income & Sources.
8. Spending on what.
9. What do they possess?
10. What was; and is now not with them?
Going to be a criminal
1. Manual 24-hour Surveillance. Detective work. Night Vision Binoculars. Photo & Video Cameras. Bugs & Microphones. Recorders. Telephone Taps. Your life was hardly threatened. Intuition, Sixth Sense, “I can feel it” & Behavioural Pattern Recognition. “I know this guy did it.”
2. Challenges today … Surveillance presence detection. CBRN Presence. Mobile phones. Internet. Radio monitoring. Encryption. Aspirational threat to Planning threat. Your own life is threatened if you challenge OR become a part of the “situation”. Intuition, Sixth Sense, “I can feel it” & Behavioural Pattern Recognition. “I know this guy is up to no good … but is that a Homeland Security threat?”
Further challenges
1. There may yet be no infringement of the law.
2. Is it a law-enforcement, Police, State issue?
3. When is it a central, Defense or Homeland, Central issue?
4. Our man (or woman) … the whole range. Personal Values; Individual behaviour; Current Stress; trigger-happy; Moral issues … Human Rights; Encounters; Self defense; Whether armed; adequate protection; on-the-spot ‘manual’ or ‘automated’ information; information-on-demand. Real-time Decision-making.
Threat nuances
1. What are the Force Majeure threats?
2. Are lives at stake?
3. Can Insurance solve it?
4. Airlines were downed for 3 days … so what. The city came to a standstill for 5 days … so what. The US economy is slumping … so what? The Delhi CWG games was a disaster … so what?
5. Katrina. Asian Tsunami. Gulf oil spill. Hungary toxic spill. Pakistan floods. What could have been done? Is something being done about other FUTURE such events?
6. Even if someone knew something was going to happen … Clairvoyants? Hollywood? Witches? Aliens?
7. And if it never happened … perhaps it was not going to happen at all. Who pays? How do you prove this?
Security Activity Monitoring
Traditionally, security has focused on putting up a perimeter fence to keep others out, but it has evolved to monitoring activities and identifying patterns that would have been missed before. Information security professionals face the challenge of detecting malicious activity in a constant stream of discrete events that are usually associated with an authorized user and are generated from multiple network, system and application sources. At the same time, security departments face increasing demands for ever-greater log analysis and reporting to support audit requirements. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity – often with real-time alerting or transaction intervention. By understanding the strengths and weaknesses of these tools, enterprises can better understand how to use them to defend the enterprise and meet audit requirements.
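The monitoring idea above in working code: every event is an ordinary, individually authorised action from one source, and the suspicious pattern only appears once the events are grouped per user across sources. This is an added example, not part of the original deck or of any product it describes; the log lines are constructed for the illustration, and the source names (vpn, ad, db), action names and rule thresholds are assumptions.

```python
"""Correlating discrete events from several sources per authorised user.

Added example, not part of the original deck: the log lines below are
constructed for the illustration, and the rule thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source> <user> <action> <key=value ...>"
SAMPLE_EVENTS = [
    "2024-03-01T09:00:10 vpn alice login_ok src=203.0.113.7",
    "2024-03-01T09:02:30 ad alice login_ok host=WS-ALICE",
    "2024-03-01T09:05:00 db alice query rows=120",
    "2024-03-01T09:06:00 db alice query rows=9800",
    "2024-03-01T09:07:00 db alice export rows=250000",
    "2024-03-01T09:09:00 vpn alice login_ok src=198.51.100.44",
    "2024-03-01T22:15:00 ad bob login_fail host=WS-BOB",
    "2024-03-01T22:15:20 ad bob login_fail host=WS-BOB",
    "2024-03-01T22:15:40 ad bob login_fail host=WS-BOB",
    "2024-03-01T22:16:05 ad bob login_ok host=WS-BOB",
    "2024-03-01T22:20:00 db bob export rows=50000",
]


def parse_event(line):
    """Split one line into a dict; the key=value tail becomes a nested dict."""
    ts, source, user, action, detail = line.split(None, 4)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "user": user, "action": action, "fields": fields}


def correlate(lines, export_rows=100_000, fail_threshold=3,
              fail_window=timedelta(minutes=5)):
    """Group events by user across all sources and apply three pattern rules.

    Returns a list of (user, rule_name) findings, users in sorted order.
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_user[ev["user"]].append(ev)

    findings = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda e: e["ts"])

        # Rule 1: one account holds VPN sessions from two different source
        # addresses (assumes the first session did not end in between).
        vpn_sources = {e["fields"]["src"] for e in events
                       if e["source"] == "vpn" and e["action"] == "login_ok"}
        if len(vpn_sources) > 1:
            findings.append((user, "vpn_multiple_sources"))

        # Rule 2: a burst of directory login failures followed by a success
        # inside the window, i.e. guessing that eventually worked.
        recent_fails = []
        for e in events:
            if e["source"] != "ad":
                continue
            if e["action"] == "login_fail":
                recent_fails.append(e["ts"])
            elif e["action"] == "login_ok":
                in_window = [t for t in recent_fails if e["ts"] - t <= fail_window]
                if len(in_window) >= fail_threshold:
                    findings.append((user, "failures_then_success"))
                recent_fails = []

        # Rule 3: a database export at or above the assumed bulk threshold.
        if any(e["source"] == "db" and e["action"] == "export"
               and int(e["fields"]["rows"]) >= export_rows for e in events):
            findings.append((user, "bulk_export"))

    return findings


if __name__ == "__main__":
    for user, rule in correlate(SAMPLE_EVENTS):
        print(f"{user}: {rule}")
```

Each rule on its own is cheap to evade or noisy; the value comes from keeping the per-user timeline across sources so that a later rule (the bulk export) can be read in the light of an earlier one (the failures that preceded bob's successful login).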
High Risk High Rewards
Good …
• Sound as a Bank.
• Islamic Banking.
• Ensure capital return.
• The Markets: EQUITY. DEBT. COMMODITY. CURRENCY.
• Safe as houses: Property. Art & Antiques.
Bad …
• Gambling.
• Speculation
• Throw good money behind bad
• Ponzi Schemes.
• MLM
Staff at Risk Management: Steps
1. Identify the hazards
2. Decide who might be harmed and how
3. Evaluate the risks and decide on precaution
4. Record your findings and implement them
5. Review and update (if necessary)
Risk Factors
Risk_Metric: R% = A% x T% x V%
[Diagram] Asset(s) (Cost), Threat (External) and Vulnerability (Internal), with Risk at the centre.
Choose ..
Sharing + Security + Integrity = 100%
Ideas for implementation:
• IT Policy
• Intangible Assets: List. Cost. Manage. Usage.
• Internal Patent System.
• USA Defense Services Orange Book
• Set up a MarComm, Communications, Documentation Division.
• Establish a ‘VI’ practice.
• Develop a part-branded ‘consumer-usable’ line of products.
• Design & Manage a Catalogue.
• Push OR Pull ‘strategy’ ….
Risk because of Information & Communications Technology
Six sigma credo
• We don’t know what we don’t know.
• We can’t do what we don’t know.
• We won’t know until we measure.
• We don’t measure what we don’t value.
• We don’t value what we don’t measure.
Your personal data
1. Credit-card numbers.
2. CVV2 security numbers (back of credit-card).
3. Credit reports
4. Social Insurance numbers.
5. Driver’s License numbers.
6. ATM cards.
7. Telephone Calling Cards.
8. Mortgage details.
9. Date of birth.
10. Passwords, PINs.
11. Home address.
12. Phone numbers.
13. Address book and Personal contacts information.
Corporate data
1. Trade secrets. Recipes & Formulations. Bill of Materials.
2. Cost information. Vendors; procurement costs; supplier chain information.
3. Price information. Customers; selling costs; customer relationship information.
4. Purchase track record – Sales History.
Exposure cases
1. DSW, USA. Credit-card information from 108 stores; from 96,000 USA check transactions; exposure of US $ 1.5 M.
2. CardSystems, USA. Card information of Japan; Hong Kong; Philippines; and Australia. Exposure US $ 40 M.
3. Mphasis / Citibank. Stolen US $ 350,000.
4. Sumitomo Bank. Stolen passwords caught prior to stealing US $ 397 M.
5. Citibank UPS shipment of customer data; 123,690 Japanese customers; exposure US $ 3.9 M.
6. Accura Bank; stolen microfilm data; exposing 26,400 customers.
7. Commonwealth Bank of Australia – ATM cash-transfers. Stolen US $ 17 M.
8. Central Bank of Russia. Bank transfer information sold online.
9. Michinoku Bank. Thrown-away CDs retrieved containing nearly all its customer information; exposure US $ 1.3 M.
Who’s got it
1. Banks
2. Card companies.
3. Credit reference Agencies.
4. Merchants.
5. Government Agencies.
6. Phone companies.
7. Insurance Firms.
8. Data brokerage firms. List Managers.
9. Payment Processing Agencies.
10. Direct Marketing Agencies.
11. Market Research Firms.
The only three
1. What you know.
   o Login ID. Passwords. PIN. Personal data. Public and Private Keys (PKI).
2. What you have.
   o ID Card. Token number. Ticket. Boarding Pass. PKI Digital Certificate(s).
3. Who you are.
   o Signature. Fingerprint. Blood Group. Your walk. Iris Pattern. Hand Geometry. Body language. Voice Recognition. DNA.
Auto-ID: A key Technology
[Diagram] Auto-ID Device and Smart Tag exchanging: 1. ID 2. Pull data 3. Push data; an enormous cloud of devices.
Mixed community Handling
1. Purple Zone: Residential Towers.
2. Orange Zone: Manufacturing (EZ)
3. Green Zone: Commercial Complexes
4. Cream Zone: Retail, Public Access
5. Red Zone: Utilities. Admin. Control Rooms.
Mapped Systems
1. Perimeter Controls.
2. Roads. *
3. Conduits / Pipes. *
4. Water. Sewage. *
5. Power. Lighting. *
6. Sensors – Cameras.
7. Key-Cards. Access Control.
8. Display Signage
9. Vehicle Parking.
10. Vehicle Movement.
11. Access Point(s) Control.
12. Fibre Communications.
13. IT Infrastructure
14. CED Wireless Network.
15. Security Manpower Information System.
16. Law Enforcement. *
17. Operational Systems. *
18. Tactical Systems.
19. Emergency. Crises.
20. Miscellaneous Manufacturing
* Systems with likely Central, State, City or Municipal Authority.
It SHOULD NOT be what most people think of as Security Today.
1. Security Staff
• 10, 50 … 200 ‘uniformed jokers’ floating around.
• Not empowered.
• Not trained.
• Not civil, nor helpful.
• Gate Pass. In-Out Register. ID Card. Plate recording.
• Happily outsourced to so-called ‘ex-Services Experts’.
2. CCTV
• A bunch of cameras connected to a few TVs.
• No one sees it.
• If you see something, no action is taken or it is actioned too late.
• Footage not available when needed.
• Analog is ‘cheap’ but ‘dead’.
• Inadequate Lighting. Poor angles. Low coverage.
You thought …….. BUT the reality.
i3S Imperative Elements
Staffing Element(s)
* Operational STATE Deployment.
* Owned STAFF Deployment.
* Outsource STAFF Deployment.
* Stakeholder(s) STAFF – ADMIN – MGT.
Statutory Element(s)
* Constitution Adherence
* Federal Subject(s)
* State Subject(s)
* Statutory Reporting
Intelligence Element(s)
* Doing the Best / Footwork
* CCTV (Visual intelligence)
* Sensory Intelligence / Alerts
* Virtual Convergence World
* IT aided Intelligence.
Infrastructure Element(s)
* Automation.
* Fibre-Wired and Wireless Network.
* Server(s), Client(s), CEDs, Handhelds etc.
* Connectivity, Availability, Redundancy & Backup.
* Devices, Cameras, Sensors, Lighting, Power-Supply etc.
* Control Rooms, Access Points, Distribution Points etc.
Roads vs IT analogy
Network: Roads = number of lanes, number of checkpoints, signal lights, flyovers. IT = Wired or wireless; Analog, Digital or IP.
Servers: Roads = Parking Lots, Car Lifts, Parallel Parking. IT = Data and Information stored centrally or remote.
Bandwidth: Roads = Per-hour vehicle capacity, Types and Speeds of cars, uphill, curves. IT = Size and speed of data transfer.
Connectivity: Roads = Toll Gates, Exit Ramps, Security Checks, Weather conditions, Sex (!), Age and Health of Driver, VIP in-town. IT = Availability and usability to an end user.
Connectivity Tap-Points
TO:
• Camera Station
• CED (Mobile-Handheld)
• Public Alarm
• Action to i3S Policy
• WorkStation Access
FROM:
• CED (Mobile-Handheld)
• Helpdesk Request
• Subscriptions View
• Self-Service
• Accountable Staff
Internal Management: Inputs and Out-Access. External: Inputs and Out.
Accountability Transfer
Whose cash is it anyway?
1. Extremely INDUSTRY specific.
• Compare: Automobiles vs Pharma vs Music CDs vs Bollywood Films vs Your Industry.
2. Manufacturer OR Distributor OR Retailer.
3. Investors. Shareholders. Stakeholders.
4. Banks. FIs. Mutual Funds.
5. Mortgages. Loans. Leasing. Hire-purchase.
6. Purchase of risk. In-transit documents. Invoices. Payments. Letters of Credit. Hundi (in Asia).
7. Futures and Options.
Cost of FAILURE!
Indirect Costs: Loss of Customer Confidence. Corporate Liability. Regulatory Action.
Force Majeure
1. Those "physical" events that are foreseeable, although unpredictable, such as fires, floods or vandalism.
2. Those day-to-day "business" events or governmental actions that cannot be forecast, but which are foreseeable, such as strikes or regulatory activities. This includes your service provider’s subcontractors and vendors not performing tasks possibly necessary to your provider’s performance under the agreement, which your provider may claim are "beyond its reasonable control."
3. Those events that, although admittedly still pretty rare, are now unfortunately quite plausible in a world where commerce is easily touched by international politics, such as military actions, embargoes, rebellions and terrorism.
4. Those events caused by extraordinary elements of nature or "acts of God," which are truly unforeseeable force majeure events.
Risk quadrant chart: Severity of Impact (0 to 10) against Probability of occurrence (0 to 10).
• RED QUADRANT: High severity, High Probability. Real Trouble. Try to reduce Impact.
• YELLOW QUADRANT: High severity, Low Probability. Closely Monitor for increasing Probability.
• GREY QUADRANT: Low severity, High Probability. Nuisance Problems.
• GREEN QUADRANT: Low severity, Low Probability. Problems not significant.
When risk happens …
1. On-track plan. (Backup, contingency)
2. Insurance, premiums & documentation.
3. Handling the Media (and fallout …)
4. Not repeating a mistake …
5. Factor #1: Probability.
6. Factor #2: Outcome or hazard.
Tools
1. Sensitivity Analysis. (What if …)
2. Statistics: Normal Distribution.
The only three
1. What you know.
   1. Login ID. Passwords. PIN. Personal data. Public and Private Keys (PKI).
2. What you have.
   1. ID Card. Token number. Ticket. Boarding Pass. PKI Digital Certificate(s).
3. Who you are.
   1. Signature. Fingerprint. Retinal Pattern. Body language. Voice Pattern. DNA.
IT Best Practices
1. Without SSL encryption, the integrity of data is compromised.
2. Without robust physical and network security, sensitive corporate data is at risk of intrusion.
3. Building an effective in-house PKI system will take considerable time and expense. Opt for managed PKI services.
4. Free software will crack your password in 30 minutes.
5. Email is leaking your business secrets.
6. Traditional access control solutions are either ineffective or costly.
7. Your web site can be spoofed with a point and a click.
8. Testing in production is tempting fate.
9. The weakest link in your security is your people.
10. On the web, nobody knows if you are a Martian.
Reality checklist
1. Almost everything is turning electronic & digital.
2. Applications will never be secure.
3. The perimeter is disappearing.
4. The determined hacker will get in, always.
5. Awareness training will help, only so much.
ID Theft
[Pie chart] ID Theft by type; the value-to-label pairing is not recoverable. Categories: Credit-Card Fraud; Phone or Utilities Fraud; Bank Fraud; Employment-related Fraud; Govt. documents fraud; Attempted ID Theft; Loan Fraud; Other Identity Theft. Values: 18%, 24%, 4%, 5%, 7%, 16%, 11%, 15%.
The proposal
1. Approach your ‘I.T.’ as you would your physical office. You have a centralised reception area.
2. You have physical security. You have cameras. You have off-office-hours infrastructure.
3. You have a back-gate for materials. In/Out registers. Documentation.
4. You also have Policies, Rules & Regulations, Guidelines, Methods, Processes & Systems.
5. There is ‘Human Decision Making’ in terms of out-of-policy, contingency & crises.
The Service
Business Continuity is a matter of Practice and includes:
1. Study of Existing Systems.
2. Desired State Definition.
3. Gap Analysis.
4. Budgets & Costs Allocation.
5. Design & Plan.
6. Implement.
   a. Buy-out, License, Acquire, Recruit.
   b. Integrate, Implement, Train, Set up, Establish.
   c. Intensive Monitoring Services. (Typically 3 months).
   d. Regular Monitoring Services. (Annual Contracts).
7. Review, Feedback, Correction.
Possible Scope of Supply
From your India-based establishment … as your Worldwide Single-Point Source ….
1. Study of Existing Systems.
2. Desired State Definition.
3. Gap Analysis.
4. Budgets & Costs Allocation.
5. Design & Plan.
6. Implement.
   a. Buy-out, License, Acquire, Recruit.
   b. Integrate, Implement, Train, Set up, Establish.
   c. Intensive Monitoring Services. (Typically 3 months).
   d. Regular Monitoring Services. (Annual Contracts).
7. Review, Feedback, Correction.
including
1. Top Management ‘Interaction’ & ‘Support’.
2. Design & Management of your ‘Red Book’
3. Physical Manning at all physical server locations.
4. 24x7x365 Manned Monitoring
5. 24x7x365 Automated ‘Sniffing’ & ‘Snooping’ Controls.
6. Hardware & Software Firewalls.
7. Internal Audit(s). Infrastructure, Administrators & I.T. Departments; access of Internal, Vendor, Customer, Investor & Co-worker Groups.
8. External Audit Support
9. Downtime Services.
10. Crises Services.
11. Choice of Technologies.
12. Online Certificate Design, Method & Systems.
If I.T. down: assessment
1. If Hardware, Networking, Storage goes down ….
2. If Systems Software goes down …
3. If Application(s) Software goes down … Bugs, Staging, Testing, Y2K type scenarios ….
4. If Data goes down …
5. If Information unavailable …
6. If unable to find out what has gone down …
Security Policy
1. Written General Security Policy.
2. Written IT Security Policy.
   1. IPs. Listed & Controlled.
   2. Allow & Deny. Group, individual & others.
   3. Logs. Logs backup. Logs Analyses. Decisions.
   4. Disaster Recovery.
   5. DOS, DDOS etc.
3. Client ‘transparent’ document.
4. Internal audit.
5. External audit.
Disseminate. Execute. Act. Assist. Support. Help. Facilitate.
• Assign Work
• Intelligence on Demand.
• Verification. Authentication, Fact Checks.
• Friend or Foe Decision Making.
People Risk
The ‘Human Being’ behind every ‘Risk’ related event.
Shrinkage
One word for Risk, Safety, Security, Surveillance, Graft, Corruption, Negligence; Stupidity; Ignorance; ill-informed; uneducated; Theft. Fraud; Counterfeit; Negligence; Attrition …???
PRAY (People Risk Assessment & Yield) Model
Risk from People
People: Employees; TEMPS; Ghost Employees; Suppliers; Catering Staff; Housekeeping; Security Staff; Drivers; Customers.
Actions: Order Acceptance; Procurement; Wrong Vendor; Wrong Hiring; Poor Due-Diligence; Negligence; Graft (CORRUPTION); Cartel; Poor Decisions.
Costs: Direct OR Indirect; Fixed OR Variable; Not Insured; No Succession Planning; Obsolescence; Rework & Waste; Liable for Litigation; 100% Revenue Loss; Increased Cost; Lower Profits; Long term consequence.
Behavioural: Stopped Learning; Ego – Alpha-Male; High Risk Behaviour; Personal Debt; Greed; Clinical Problem(s).
New Economy
[Diagram] Organisational Design: People: Our Staff (Internal Staff, Our Control) and External (Outside Control); functions: Sales, Commercial, Contract, Customer Contact, Marketing, Delivery / Production / Manufacturing.
Modern Organisations do not work from one premises. All Staff may not be from one area; community; state or even country. Wireless allows into and out of any location: voice, video & definitely data.
The Enterprise has to be MORE homogenous; not in control while being forced OUT-OF-CONTROL by the pace of Technology.
Types / Categories of Workforce
Class A
1. Board, Committee, Association.
2. Our Staff. Permanent.
3. Key Owners, Managers, Stakeholders of Members.
4. VIPs. Statutory Authorities. Pre-approved Guests / Visitors.
5. Outsourced Security Key-Managers, Authorised Staff.
Class B
1. Our Security Staff
2. Outsourced Permanent Security Staff.
Class C
1. OUR or external Part-time OR Temporary Security Staff.
Class D
1. Staff of ‘Member-Units’. Permanent.
2. Temporary Staff. TEMPS.
3. Service-Provider. Utilities. Supplies. Catering. Transport Drivers + Support-Staff.
4. Any new Employee / Regular with LESS than one year of Regularity.
Class E
1. Contractor. Staff. Labour-force. Contractor Suppliers. Contractor Services.
2. Trade or Manufacturing. Goods Inward and Goods Outward.
3. Waste Disposal. IN and OUT movement.
Risk Level Rating of People
1. 0 to 9: 9 = no risk; 1 = VERY HIGH RISK; 0 = unknown / not assigned.
2. Everyone is assigned Level 5. A lower Risk LEVEL has to be earned by time, inputs, self-service, behaviour, references and feedback.
PRAY (People Risk Assessment & Yield) Model
Negligent Hiring
1. What is negligent hiring?
2. Should all companies be expected to have a screening policy?
3. Does every employee need to be screened?
4. How much should a company expect to pay for screening?
5. What can it cost a company should they choose not to have a screening program?
6. Do you have enough ‘Johari window’ information to make an offer?
7. Are all screening companies alike?
Negligent Hiring Problems
1. Shrinkage. Theft. Robbery. White collar crime.
2. Security Staff are compromised!
3. Cartels / Organised Crime are formed!
4. IT, data, Information & know-how leaks.
5. Rapists! Women’s Issues.
6. Pornography. Video-Cam. Exploitation.
7. Pedophiles. Child abuse. (Where applicable).
8. Fellow-workers being blackmailed.
9. Paperwork fudging, albeit for personal gain.
People Risk examples
1. Ghost Employees. Not on your payroll, not coming to work, being paid, maybe electronically.
2. Cartel of Security, Catering, Housekeeping & Admin. in waste (and other) removal from the premises.
3. Labour (HR or line Staff) taking a ‘cut’ in recruitment, placement, promotions.
4. Poor Decision-Making. Order Acceptance, Vendor Identification, Technology due-diligence, Loan disbursement. Based on wrong or Inadequate data or information.
5. High-risk behaviour in their personal, private life. Gambling. Drugs. Debt. Wine. Women / Men.
6. Time-allocation. Priorities, motivation, interests in a different direction or area. Non-professionalism.
7. Travel + Stay when it could have been done with Video conferencing.
Some Solution(s) Step(s)
1. Rating: Keep a simple scorecard. On a scale of 1 to 9 everyone is a 5 till proved otherwise, based on Actions and Performance.
2. Internal FIR: Maintain a database of any and all incidents (tangible and intangible), transparent while ensuring personal privacy; warnings; let-offs; rewards & recognition.
3. PMS: Perform periodic Reviews. Behavioural is as important as Performance.
4. Voperty: The modern organisation is no longer on one premises. It is virtual and online as much as offline. Intellectual Property is as important as Property. Trade secrets, diagrams, customer or supplier databases.
5. Infrastructure Enhancement & Technology Support.
6. KRI: Acquire, implement, maintain and manage a set of Key Risk Indicators.
7. Process, Methodology, Workflow. Checklists. Visual Maps. Step accountability.
Infrastructure Recommendations
1. Single-window Access Control System. (Staff, Catering, Housekeeping, Temps, Security). Audited Attendance.
2. Eyes and Ears on the ground. Networked Cameras; Adequate Lighting; Sensors for required needs.
3. Triple-play convergent digital networks.
4. Things monitoring. Raw materials & Finished Goods. Consumables. Fixed and Mobile Assets. Repairmen kits. Catering, Housekeeping, Waste removal.
5. Centralised Servers + Platform for Integrated, Real-time, Remote & Localised Routine Reporting, Audits and Alert / Alarm Systems.
6. Transparency, Convenience, Ease-of-use, Ergonomics, Managed Queues, Systems, People-flow.
Infrastructure Functionality
Information or Intelligence Domain
• Gather Information, OR Intelligence.
• Data. Images. Audio. Video.
• Store. Retrieve. Analyze. Pattern Recognition. Intuition. Assign Field Work.
• Gather MORE information.
• Sort. Extract. Merge. Collate. Integrate. Consolidate. Automate.
Central Intelligence: Disseminate. Execute. Act. Assist. Support. Help. Facilitate.
• Assign Work
• Intelligence on Demand.
• Verification. Authentication, Fact Checks.
• Friend or Foe Decision Making.
• Efficiencies. ROI. TCO.
Managed Services
1. Choose to work with Riskpro India. (http://riskpro.in) Typically a minimum 15-month contract.
2. Study, Report, KRI set & GRC (Governance, Risk & Compliance) Roadmap within one month.
3. Put in place our clextra Software Platform.
4. Identify and Train the ‘Taskforce’ on the GRC Roadmap.
5. Maintain, Monitor, Manage, Analyze. ‘Routine’ and ‘Alert’ Reporting to Management.
Risk of No Information & Communications Technology
[Diagram] Supply side chain: E Source (SERVERS), D Interface (Web-Pipe), C Distribution (Ether-Space), B Interface (Local ISP), A Request (CLIENTS).
1 Relevance: 1.1 Less than 50%; 1.2 Ok; 1.3 60-89%; 1.4 90% plus.
2 Timeliness: 2.1 Post-mortem; 2.2 Yesterday; 2.3 In-time; 2.4 Predictive.
3 Quantity: 3.1 1-10 Pages; 3.2 11-500 Pages; 3.3 Database; 3.4 DataHouse.
4 Media: 4.1 Text; 4.2 Visuals; 4.3 Audio; 4.4 Video.
5 Quality: 5.1 Security; 5.2 Integrity; 5.3 Sharing.
6 Infrastructure: 5.1 Power; 5.2 Hardware; 5.3 Backup.
Any IT-record in your Business
1. Tangible Assets Master
2. Buy Purchase Orders Master
3. Main Metrics
4. Expenses Master
5. Firms Master
6. Inventory Master
7. Invoices Master
8. Mfg. Job-Work Orders Master
9. Intangible Assets Transactions
10. Intangible Assets : Library : Info.Units
11. Owners : Contacts Customers Vendors
12. Individual Employee Master : Login II
13. Teams Master
14. Unit Master
15. RFID Hardware etc.
16. Seats Management Database
17. Individual Users Master : Login I
18. Vehicle Master
User definable #1/3
A000,FORCE MAJEURE
A001,Unpredictable
A002,Political Forces
A003,Terrorism
A004,Genuine
B000,FINANCE
B001,Cash Liquidity
B002,Market valuation of Equity
B003,Audit
B004,Financial due-diligence
B005,Technology due-diligence
B006,Theft of cash
B007,Misuse of cash
B008,Misuse of documents
B009,Non-Performing Assets
B010,Tax
B011,External Audit
B012,Internal Audit
B013,Depreciation
B014,Credit Risk
B015,Bad Debt
B016,Book Value of Equity Shares
B017,Market Value of Equity Shares
B018,Bull-run
B019,Bear-run
C000,COMPLIANCE
C001,Regulatory Compliance
C002,Central Compliance
C003,SOX Compliance
C004,Stock-Exchange Compliance
C005,Central Labour Compliance
C006,Local Labour Compliance
C007,Local Safety Compliance
D000,LEGAL
D001,Major Lawsuit
D002,Minor Lawsuit
D003,Loss of original documents
D004,Legal fees
D005,Stay order Costs
D006,Stay order Time
E000,PLANNING
E001,Vendor Base. (Contractual and Moral)
E002,Customer Base. (Affinity and Purchasing).
E003,Sales Projections
E004,Expenses Projections
E005,Cashflow Projections
E006,Meeting Manpower Plans
F000,HR
FA00,INVESTORS
FA01,The Head of the Board
FA02,The Board
FA03,The CEO
FA04,The CEO’s Team
FA05,Investors’ ROI needs
FA06,Investors’ Values
FB00,EMPLOYEES
FB01,Absenteeism
FB02,Non-performance
FB03,Quality
User definable #3/3
G012,Transit Spoilage
G013,I. PURCHASE RISKS .
G014,Quality. Rework
G015,Wastage and write-off.
G016,Short-supply
H000,MANUFACTURING
H001,Line Downtime
H002,Partial Downtime
H003,Shop-floor Accidents
H004,Labour unionism
H005,Capacity availability
H006,Output efficiency
H007,In-logistics Space
H008,Out-Logistics Space
H009,Power-Energy availability
H010,Water availability
H011,Flow constraints
H012,Process inefficiency
H013,Safety Systems
J000,REDUNDANCY BACKUP
J001,Duplication
J002,Backup
J003,Alternate System
J004,Mismatched capacities
J005,Absenteeism
J006,People Training
J007,Use of Consultants-Advisors
K000,MARKETING
KA00,EXTERNAL
KA01,Customer understanding
KA02,Customer need specifications
KA03,Quantity of Reach
KA04,Quality of Reach
KA05,Too much communications
KA06,Too little communications
KA07,Market segmentation
KA08,Choice of channels
KA09,Delivery-Install-Commissioning
KA10,Training
KA11,Customer Usage
KA12,After Market Services
KA13,Product Lifecycle Revenue
KA14,Product Lifecycle Expenses
KA15,Product Lifecycle Profit
KA16,Reputation Risk
KA17,Brand Dispersion Risk
KB00,PUBLICITY
KB01,Bad Press due to internal incidences
KB02,Bad Press due to extraneous incidences
KB03,Investor relations.
KB04,Ex-employee relations.
KB05,Customer relations.
KB06,Vendor relations.
KB07,Press relations.
KB08,Political relations.
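The two code lists above follow one convention: a letter prefix names the category and the digits name the member, and a two-letter prefix (FA, FB, KA, KB) nests under its one-letter category (F, K). Added example, not the deck’s clextra software: a parser that rebuilds that hierarchy from the ‘CODE,Label’ rows and reports codes whose category is absent, which is what happens to the G-series here because slide 2/3 is not on the page. The parent-derivation rule is inferred from the codes shown and is an assumption of this example; the rows embedded are a subset of the deck’s own list.

```python
"""Parsing the deck's user-definable risk codes into a hierarchy.

Added example, not the deck's software: the parent-derivation rule is
inferred from the codes shown on the slides (A001 under A000, FA01 under
FA00, FA00 under F000) and is an assumption of this example.
"""
import re
from collections import defaultdict

# 4-character codes: 1-2 letter prefix, then digits to fill the width
CODE_RE = re.compile(r"^([A-Z]{1,2})(\d{2,3})$")

# A subset of the "CODE,Label" rows from the deck's slides 1/3 and 3/3.
# Slide 2/3 is not on the page, so the G-series category G000 is absent.
SAMPLE_CODES = """\
A000,FORCE MAJEURE
A001,Unpredictable
A002,Political Forces
B000,FINANCE
B001,Cash Liquidity
B019,Bear-run
F000,HR
FA00,INVESTORS
FA01,The Head of the Board
FB00,EMPLOYEES
FB01,Absenteeism
G012,Transit Spoilage
G013,I. PURCHASE RISKS .
K000,MARKETING
KA00,EXTERNAL
KA01,Customer understanding
"""


def parse_code_line(line):
    """Return (code, label) for one 'CODE,Label' row; labels may contain commas."""
    code, label = line.split(",", 1)
    code, label = code.strip(), label.strip()
    if len(code) != 4 or not CODE_RE.match(code):
        raise ValueError(f"malformed code: {code!r}")
    return code, label


def parent_of(code):
    """Derive the parent code, or None for a top-level category.

    Rule (assumption): non-zero digits belong to the same-prefix category
    (B019 -> B000, FA01 -> FA00); a two-letter category with zero digits
    belongs to its one-letter parent (FA00 -> F000).
    """
    prefix, digits = CODE_RE.match(code).groups()
    if int(digits) != 0:
        return prefix + "0" * len(digits)
    if len(prefix) > 1:
        return prefix[:-1] + "0" * (len(digits) + 1)
    return None


def build_tree(text):
    """Return (labels, children, orphans) for the rows in text.

    orphans lists codes whose derived parent is not present; here that is
    G012 and G013 because their category slide is missing.
    """
    labels = dict(parse_code_line(l) for l in text.splitlines() if l.strip())
    children = defaultdict(list)
    orphans = []
    for code in labels:
        parent = parent_of(code)
        if parent is None:
            continue
        if parent in labels:
            children[parent].append(code)
        else:
            orphans.append(code)
    return labels, dict(children), orphans


def path_of(code, labels):
    """Human-readable path from the root category down to the code."""
    chain = []
    while code is not None:
        chain.append(f"{code} {labels.get(code, '?')}")
        code = parent_of(code)
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    labels, children, orphans = build_tree(SAMPLE_CODES)
    print(path_of("FA01", labels))
    print("orphans:", orphans)
```

The orphan list is the useful output when such a code table is loaded into a platform: a row that cannot be attached to a category is either a data-entry error or, as here, a sign that part of the table is missing.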
Define & Manage Sets
[Matrix] Columns: Set 1, Set 2, Set 3, Set 4, Set 64, Set 65, Set 7821. Rows: A000 FORCE MAJEURE; A001 Unpredictable; A002 Political Forces; A003 Terrorism; A004 Genuine; B000 FINANCE; B001 Cash Liquidity; B002 Market valuation of Equity; B003 Audit; B004 Financial due-diligence; B005 Technology due-diligence; B006 Theft of cash; B007 Misuse of cash; B008 Misuse of documents; B009 Non-Performing Assets; B010 Tax; B011 External Audit; B012 Internal Audit; B013 Depreciation; B014 Credit Risk; B015 Bad Debt; B016 Book Value of Equity Shares; B017 Market Value of Equity Shares; B018 Bull-run; B019 Bear-run. A tick marks which sets each metric belongs to.
A set can have any number of user-definable metrics.
Assign Set to a Record
1 Tangible Assets
2 Buy Purchase Orders
3 Main Metrics
4 Expenses
5 Firms
6 Inventory
7 Invoices
8 Mfg. Job-Work Orders
9 Intangible Assets Transactions
10 Intangible Assets : Library : Info.Units
11 Contacts: Customers – Vendors – Agents – Drivers – Traders
12 Level II login users: Employee, Customer, Doctor, Patient, Student
13 Teams
14 Unit – Group – Household (In addition to Teams).
15 RFID Hardware etc. Gates, Doors and Access Equipment.
16 Seats: Workstations – Desks etc.
17 Level I login users
18 Vehicle
Each Metric includes
1. Cost. On a scale of 0 (no cost) to 10 (very high); this is the means to ‘level’ ANY and ALL Threats to a business.
2. Vulnerability. On a scale of 0 (none) to 10 (definite). Internal weaknesses and factors under reasonable control.
3. Threat. On a scale of 0 (none) to 10 (definite). External factors, perhaps with minimal or no control.
4. Percentage. This is a percentage for leveling. P = C x V x T (Multiplication and Percentage of the above three parameters).
5. Statistical Chance. Independent of the above, a Standard Market statistical percentage of an occurrence for this type of risk. Allows up to 4 decimal places, i.e. 1 in 10,000 chance of occurrence.
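Worked scoring for the metric definition above and for the severity / probability quadrant chart earlier in the deck. Added example, not the deck’s own software: it reads P = C x V x T as the product of the three 0-10 scores expressed as a percentage, parses the ‘1 in N’ statistical chance to four decimals, and places each metric in a quadrant. Taking Cost as severity and Vulnerability x Threat (rescaled to 0-10) as probability, with 5 as the high / low midpoint, are assumptions of this example, and the scores given to the three codes are made up.

```python
"""Scoring user-definable metrics and placing them in the deck's quadrant chart.

Added example, not the deck's clextra platform. P = C x V x T is read as the
product of three 0-10 scores expressed as a percentage; the chart's axes are
mapped from the metric fields as stated in assess(), which is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Metric:
    code: str
    label: str
    cost: int           # 0 (no cost) .. 10 (very high): levels every threat
    vulnerability: int  # 0 (none) .. 10 (definite): internal, under control
    threat: int         # 0 (none) .. 10 (definite): external, little control
    chance: str         # statistical chance as written, e.g. "1 in 10,000"


def check_scale(value, name):
    """All three scores must be integers on the deck's 0..10 scale."""
    if not isinstance(value, int) or not 0 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 0 to 10, got {value!r}")
    return value


def leveled_percentage(cost, vulnerability, threat):
    """P = C x V x T as a percentage: (C/10)(V/10)(T/10) x 100 = C*V*T/10."""
    for value, name in ((cost, "cost"), (vulnerability, "vulnerability"), (threat, "threat")):
        check_scale(value, name)
    return cost * vulnerability * threat / 10


def statistical_chance(text):
    """Parse '1 in N' into a probability rounded to the 4 decimals the deck allows."""
    m = re.fullmatch(r"\s*1\s+in\s+([\d,]+)\s*", text)
    if not m:
        raise ValueError(f"expected '1 in N', got {text!r}")
    return round(1 / int(m.group(1).replace(",", "")), 4)


def quadrant(severity, probability, midpoint=5):
    """Classify on the 0..10 severity / probability chart.

    Assumption: a score at or above the midpoint counts as 'high'.
    """
    high_sev = severity >= midpoint
    high_prob = probability >= midpoint
    if high_sev and high_prob:
        return "RED"      # Real Trouble. Try to reduce Impact.
    if high_sev:
        return "YELLOW"   # Closely Monitor for increasing Probability.
    if high_prob:
        return "GREY"     # Nuisance Problems.
    return "GREEN"        # Problems not significant.


def assess(metric):
    """Score one metric. Severity is taken from Cost; probability from
    Vulnerability x Threat rescaled to 0..10 (both mappings are assumptions)."""
    percentage = leveled_percentage(metric.cost, metric.vulnerability, metric.threat)
    probability = metric.vulnerability * metric.threat / 10
    return {
        "code": metric.code,
        "percentage": percentage,
        "chance": statistical_chance(metric.chance),
        "quadrant": quadrant(metric.cost, probability),
    }


def rank(metrics):
    """Metrics ordered by leveled percentage, highest first."""
    return sorted((assess(m) for m in metrics), key=lambda r: -r["percentage"])


# Constructed scores for three codes from the deck's list (the scores are made up).
SAMPLE_METRICS = [
    Metric("B001", "Cash Liquidity", cost=8, vulnerability=6, threat=9, chance="1 in 20"),
    Metric("A003", "Terrorism", cost=10, vulnerability=2, threat=4, chance="1 in 10,000"),
    Metric("H001", "Line Downtime", cost=3, vulnerability=9, threat=8, chance="1 in 12"),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_METRICS):
        print(row)
```

Note how the two numbers disagree on purpose: Terrorism has the highest Cost but a leveled percentage of only 8.0 and a statistical chance of 0.0001, so it lands in YELLOW (monitor for rising probability) rather than RED, which is exactly the distinction the quadrant chart is meant to draw.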
Incident areas and Bibliography
1. clextra Cupboard dodocs: archival system for all periodic Reporting.
2. clextra Cupboard cdocs: archival system for all random Reporting.
3. Organisational Filing System.
   1. Individual and/or Team based.
   2. Selective access to everyone in the organisation.
   3. Supports MS Office, schematics, multimedia and/or any other format.
   4. Numbered email. PULL System. (No PUSH).
   5. Multimedia File binning.
   6. Technology permitting …. SMS, Mobile etc.
Coding System(s): 2 of 10s, dozens.
1. Location Code. Eg. inKAblrAZON01 (13 character code).
   1. 2 chars – ISO country code.
   2. 2 chars – Country State code.
   3. 3 chars – City code.
   4. 1 alpha – Zone code.
   5. 3 chars – Preferably 9 or 81 directions N, E, W, S, C.
   6. 2 chars – Can be sub-zones OR floors OR any other.
2. Device Code inKAblrAZON01rc000006
   1. Device no. 6. Grouped treatment as a Particular type of Display, or Camera, or IN or OUT gate, reader, writer, sensor etc.
3. Also supported: EPC codes; GPS codes and point maps on ANY image(s).
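Added example of the location and device code scheme above, not the deck’s software: a fixed-width parser and formatter that validates the 13-character layout and groups devices per location and type. The split of the device suffix into a 2-character type and a 6-digit device number is read from the single example on the slide and is an assumption; the extra device codes are constructed for the illustration.

```python
"""Parsing and composing the 13-character location codes and the device codes.

Added example, not the deck's software. Field widths follow the slide
(2 + 2 + 3 + 1 + 3 + 2 = 13 characters). The device suffix is read from the
single example inKAblrAZON01rc000006 as a 2-character device type followed
by a 6-digit device number; that split is an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# (field, width) in code order, as listed on the slide
LOCATION_FIELDS = (("country", 2), ("state", 2), ("city", 3),
                   ("zone", 1), ("direction", 3), ("subzone", 2))
LOCATION_LEN = sum(width for _, width in LOCATION_FIELDS)  # 13
DEVICE_TYPE_LEN = 2  # assumption: "rc" in the slide's example
DEVICE_NUM_LEN = 6   # assumption: "000006" is device no. 6


@dataclass(frozen=True)
class LocationCode:
    country: str    # ISO country code
    state: str      # country state code
    city: str       # city code
    zone: str       # single alphabetic zone code
    direction: str  # preferably 9 or 81 directions (N, E, W, S, C)
    subzone: str    # sub-zone, floor or any other


@dataclass(frozen=True)
class DeviceCode:
    location: LocationCode
    device_type: str  # grouped treatment: display, camera, gate, reader, ...
    number: int


def parse_location(code):
    """Split a 13-character code into its fixed-width fields, rejecting bad input."""
    if len(code) != LOCATION_LEN or not code.isalnum():
        raise ValueError(f"location code must be {LOCATION_LEN} alphanumeric characters: {code!r}")
    fields, pos = {}, 0
    for name, width in LOCATION_FIELDS:
        fields[name] = code[pos:pos + width]
        pos += width
    if not fields["zone"].isalpha():
        raise ValueError(f"zone must be alphabetic: {fields['zone']!r}")
    return LocationCode(**fields)


def parse_device(code):
    """A device code is a location code followed by a type and a zero-padded number."""
    location = parse_location(code[:LOCATION_LEN])
    suffix = code[LOCATION_LEN:]
    dev_type, number = suffix[:DEVICE_TYPE_LEN], suffix[DEVICE_TYPE_LEN:]
    if (len(suffix) != DEVICE_TYPE_LEN + DEVICE_NUM_LEN
            or not dev_type.isalpha() or not number.isdigit()):
        raise ValueError(f"bad device suffix: {suffix!r}")
    return DeviceCode(location, dev_type, int(number))


def format_location(loc):
    """Inverse of parse_location; checks every field has its slide-defined width."""
    parts = []
    for name, width in LOCATION_FIELDS:
        value = getattr(loc, name)
        if len(value) != width:
            raise ValueError(f"{name} must be {width} characters: {value!r}")
        parts.append(value)
    return "".join(parts)


def format_device(dev):
    """Inverse of parse_device, zero-padding the number to its fixed width."""
    return f"{format_location(dev.location)}{dev.device_type}{dev.number:0{DEVICE_NUM_LEN}d}"


def devices_by_location(codes):
    """Group device numbers per (location, type), e.g. all readers in one zone."""
    groups = defaultdict(list)
    for code in codes:
        dev = parse_device(code)
        groups[(format_location(dev.location), dev.device_type)].append(dev.number)
    return {key: sorted(nums) for key, nums in groups.items()}


# Constructed codes built on the slide's example location (the extra suffixes are made up)
SAMPLE_DEVICES = ["inKAblrAZON01rc000006", "inKAblrAZON01rc000002", "inKAblrAZON01cm000001"]

if __name__ == "__main__":
    print(parse_device(SAMPLE_DEVICES[0]))
    print(devices_by_location(SAMPLE_DEVICES))
```

Because the layout is positional, a code that is one character short silently shifts every later field; the length check in parse_location is what turns that into an error instead of a wrongly placed camera.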
Inventory Shrinkage ...
1. Empty boxes or "hollow squares" in stacked goods.
2. Mislabeled boxes containing scrap, obsolete items or lower value materials.
3. Consigned inventory, inventory that is rented, or traded-in items for which credits have not been issued.
4. Diluted inventory so it is less valuable (e.g., adding water to liquid substances).
5. Increasing or otherwise altering the inventory counts for those items the auditor did not test count.
6. Programming the computer to produce fraudulent physical quantity tabulations or priced inventory listings.
7. Manipulating the inventory counts/compilations for locations not visited by the auditor.
8. Double-counting inventory in transit between locations.
9. Physically moving inventory and counting it at two locations.
Inventory: More Shrinkage
1. Including in inventory merchandise recorded as sold but not yet shipped to a customer.
2. Arranging for false confirmations of inventory held by others.
3. Including inventory receipts for which corresponding payables had not been recorded.
4. Overstating the stage of completion of work-in-process.
5. Reconciling physical inventory amounts to falsified amounts in the general ledger.
6. Manipulating the "roll-forward" of an inventory taken before the financial statement date.
Inventory & Shrinkage
1. Not retiring WIP and not classifying completed jobs as finished goods after dispatching them to customers.
2. Falsifying computer runs by overriding the WIP applications.
3. Including extraneous elements, like period costs, in WIP tabulations.
4. Excluding job-related direct costs, such as special purpose tools and jigs, from WIP tabulations.
5. Tinkering with process cost allocation and overhead calculation functions.
6. Including abnormal process losses in WIP.
7. Overstating the stage of completion of work-in-process.
8. Programming the computer to produce fraudulent physical quantity tabulations or priced inventory listings.
Inventory: Not the final word on Shrinkage
1. Physically counted percentage factor.
2. Items requiring further audit scrutiny.
3. Surreptitious check(s) percentage factor.
4. Physical opening and case-label match factor.
5. Increase in count factor from original plan due to findings.
6. Time-gap between disparate location physical counts.
7. Factor of likely owned property/materials/stock.
8. Specialist factor. Does the observer understand the inventory?
Loss of Original Documents
1. Litigation.
2. Direct cash loss.
3. Lack of control over your ‘Staff’.
4. Reduced Customer confidence.
5. The ‘good faith’ in which these were given to you in the first place.
6. Perception of ‘corruption’ and ‘deliberate’ act.
7. Negligence.
8. Inability to ‘store’, ‘monitor’ and ‘manage’ over long periods of time (10+ years).
9. Inability to use technology such as Library Science methods, barcode, RFID etc.
10. Inability to cost per-document storage and ROI, TCO for Document Management.
Incident(s) Database
1. MANUAL and/or AUTO-ENTRY Recording of all incidents.
2. MANUAL cataloguing and bibliography of incidents.
3. THEREFORE search of incidents.
4. Checklists for follow-up & Tracking.
5. Opening of a ‘Case’ for legal procedure. Information and evidence handling, court follow-up.
Case(s) Tracking
1. If FIR is registered.
2. Case Development and Management.
3. Evidence and Support information.
4. Court dates and Follow-up.
5. Long-term tracking of all Cases.
6. Costs and Decision making related to each Case.
Typical Certification Areas
1. Access Control
2. Application Development Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security Governance and Risk Management
6. Legal, Regulations, Investigations and Compliance
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
Features
1. Assuming 100’s of 1000’s of camera / eyes are deployed …
2. Primary thinking and application is deterrence.
3. Can’t CAPTURE, TRANSMIT and STORE ALL in high-definition; 25 fps; Colour … the costs are astronomical.
4. Any ‘real-time’ alerts from live streams of multiple cameras, automated on the basis of Pattern Recognition, are WAY TOO EXPENSIVE and NOT REALISTIC.
5. Being proactive cannot imply predicting ‘what will happen’ or ‘the future’.
6. So what do you capture …
   1. Assume last hour or last 3 days or whatever.
   2. Pre-alert and post-alert EXTRACT from the above stream.
   3. CLEAR bibliography; date, time, physical location, camera, view, quality, quantity, length, guard-on-duty etc. etc.
   4. Alerts can happen …
      1. in-camera – Motion Detection. Field of View. Range of programmable features. License Plate recognition.
      2. non-camera – Sensors. Vibration. Tripwire. Light. Noise. RF. Optical etc. etc. etc.
      3. Currency. Cheques. Documents or other Verification.
7. Intelligence on the Edge
   1. Camera stores full streams locally. Discarding after preset lifecycles.
   2. UPLOAD to central STORE any and all incidents.
   3. Create a clextra bibliography record for every UPLOAD.
8. Guard-Services Alert
9. Forensics. Evidence. Search. Analytics.
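Items 6 and 7 above describe an edge-retention design: the camera keeps only a rolling window locally, discards it after a preset lifecycle, and on an alert extracts a pre-alert/post-alert clip and uploads it with a bibliography record. The following is an added example of that design (not the firm's or clextra's code). Frames are constructed byte placeholders rather than video, the 1 fps rate, the 300-second retention and the 10 s / 5 s window are assumptions, and the bibliography fields are the ones named on the slide.

```python
"""Edge-retention buffer: a camera keeps recent frames locally, discards
them after a preset lifecycle, and on an alert extracts a pre-alert /
post-alert clip plus the 'bibliography' record that accompanies the upload.
Added example; not the firm's or clextra's code. Frames are constructed
placeholders, not video; retention and window lengths are assumptions."""
from collections import deque
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ts: datetime
    data: bytes  # constructed stand-in for one encoded frame


@dataclass(frozen=True)
class Bibliography:
    """Fields the slide asks for on every uploaded incident."""
    date: str
    time: str
    location: str
    camera: str
    view: str
    quality: str
    quantity: int     # frames in the extract
    length_s: float   # seconds covered by the extract
    guard_on_duty: str
    alert_source: str


class EdgeCamera:
    def __init__(self, camera_id: str, location: str, view: str, quality: str,
                 retention: timedelta):
        self.camera_id, self.location, self.view, self.quality = camera_id, location, view, quality
        self.retention = retention
        self._buffer: Deque[Frame] = deque()

    def ingest(self, frame: Frame) -> None:
        """Store locally; drop whatever has outlived the preset lifecycle."""
        self._buffer.append(frame)
        while self._buffer and frame.ts - self._buffer[0].ts > self.retention:
            self._buffer.popleft()

    def buffered(self) -> int:
        return len(self._buffer)

    def extract(self, alert_ts: datetime, pre: timedelta, post: timedelta,
                guard: str, source: str) -> Optional[Tuple[List[Frame], Bibliography]]:
        """Pre-alert/post-alert slice of the local stream, or None when the
        window has already been discarded (an alert raised too late to serve)."""
        frames = [f for f in self._buffer if alert_ts - pre <= f.ts <= alert_ts + post]
        if not frames:
            return None
        record = Bibliography(
            date=alert_ts.date().isoformat(), time=alert_ts.time().isoformat(),
            location=self.location, camera=self.camera_id, view=self.view,
            quality=self.quality, quantity=len(frames),
            length_s=(frames[-1].ts - frames[0].ts).total_seconds(),
            guard_on_duty=guard, alert_source=source)
        return frames, record


class CentralStore:
    """Receives only incidents, never the full stream; keyed by camera and alert time."""
    def __init__(self) -> None:
        self.incidents: Dict[Tuple[str, str], dict] = {}

    def upload(self, frames: List[Frame], record: Bibliography) -> None:
        key = (record.camera, f"{record.date}T{record.time}")
        self.incidents[key] = {"record": asdict(record), "bytes": sum(len(f.data) for f in frames)}


def simulate(seconds: int = 600, retention_s: int = 300, alert_at_s: int = 500):
    """Constructed 1 fps stream; alert at alert_at_s with a 10 s pre / 5 s post window."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    cam = EdgeCamera("cam-03", "inKAblrAZON01", "loading bay", "720p",
                     timedelta(seconds=retention_s))
    for s in range(seconds):
        cam.ingest(Frame(t0 + timedelta(seconds=s), b"\x00" * 16))
    store = CentralStore()
    result = cam.extract(t0 + timedelta(seconds=alert_at_s), timedelta(seconds=10),
                         timedelta(seconds=5), guard="shift-A", source="tripwire-2")
    if result is not None:
        store.upload(*result)
    return cam, store, result


if __name__ == "__main__":
    _, store, _ = simulate()
    print(store.incidents)
```

The `None` return from `extract` is the case a practitioner should plan for: an alert that arrives after the retention lifecycle has expired cannot be served from the edge, which is the argument for sizing retention against the slowest expected alert path rather than against storage cost alone.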
Guard Services
1. Guards have to watch 100’s at a time. NOT POSSIBLE.
2. Guards are human. Don’t expect them to watch even ONE all the time.
3. When an ALERT happens; must be able to localise; locate; have decision-options and mobilise to tackle the ALERT as appropriate.
4. Systems of ALERT prioritisation.
   1. Fire. Earthquake. Flood.
   2. Dacoity. Terrorist Threat. Bomb.
   3. Single Incident. Armed vs Unarmed.
   4. Small start threat. Smoke. Water. Gas Leak etc.
   5. Tampering alert. Door. Window. Cables. Camera etc.
   6. Client or Customer THEFT vs Employee THEFT.
   7. System Authority. CEO. Police. Guards themselves.
   8. Infringement. Person in non-authorised zones.
   9. Infringement. Animals. Dogs. Cats. Rodents. Pests.
5. Risk and False-alarm RULES Management.
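The prioritisation tiers and the false-alarm rules in items 4 and 5 above, as an added example (not the firm's software). The nine tiers follow the slide's order; the two false-alarm rules are assumptions, not from the slide: a repeat of the same alert kind at the same location within a short window is merged into the open alert rather than re-raised, and infringement alerts (tiers 8 and 9) are held until a second, different sensor at the same location corroborates them. The event sequence in `demo` is constructed.

```python
"""Alert prioritisation and false-alarm handling for a guard console, using
the nine tiers listed on the slide. Added example; not the firm's software.
Assumed rules (not on the slide): repeats of the same kind at the same
location within the window are merged, and infringement alerts (tiers 8-9)
are held until a different sensor at the same location corroborates them."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple

# (tier, sub-priority): tier follows the slide's ordering, 1 = most urgent;
# the sub-priority separates Armed from Unarmed within tier 3.
TIER = {
    "fire": (1, 0), "earthquake": (1, 0), "flood": (1, 0),
    "dacoity": (2, 0), "terrorist_threat": (2, 0), "bomb": (2, 0),
    "armed_incident": (3, 0), "unarmed_incident": (3, 1),
    "smoke": (4, 0), "water": (4, 0), "gas_leak": (4, 0),
    "tamper": (5, 0),
    "customer_theft": (6, 0), "employee_theft": (6, 0),
    "authority_override": (7, 0),
    "person_in_zone": (8, 0),
    "animal_in_zone": (9, 0),
}


@dataclass
class Alert:
    kind: str
    source: str              # sensor or camera id that raised it
    location: str            # location code, so the guard can localise it
    first_seen: datetime
    last_seen: datetime
    repeats: int = 1
    corroborated_by: Set[str] = field(default_factory=set)

    @property
    def tier(self) -> Tuple[int, int]:
        return TIER[self.kind]


class AlertQueue:
    def __init__(self, window: timedelta = timedelta(seconds=60),
                 corroborate_from_tier: int = 8):
        self.window = window
        self.corroborate_from_tier = corroborate_from_tier
        self.open: List[Alert] = []

    def raise_alert(self, kind: str, source: str, location: str, ts: datetime) -> Alert:
        if kind not in TIER:
            raise ValueError(f"unknown alert kind {kind!r}")
        for a in self.open:
            if a.kind == kind and a.location == location and ts - a.last_seen <= self.window:
                # Same kind, same place, shortly after: merge instead of flooding the console.
                if a.source == source:
                    a.repeats += 1
                else:
                    a.corroborated_by.add(source)
                a.last_seen = ts
                return a
        a = Alert(kind, source, location, ts, ts)
        self.open.append(a)
        return a

    def needs_corroboration(self, a: Alert) -> bool:
        return a.tier[0] >= self.corroborate_from_tier and not a.corroborated_by

    def dispatch_order(self) -> List[Alert]:
        """What the guard should act on: most urgent tier first, oldest first within a tier."""
        ready = [a for a in self.open if not self.needs_corroboration(a)]
        return sorted(ready, key=lambda a: (a.tier, a.first_seen))

    def held(self) -> List[Alert]:
        """Low-tier alerts still waiting for a second sensor before they reach a guard."""
        return [a for a in self.open if self.needs_corroboration(a)]

    def close(self, a: Alert) -> None:
        self.open.remove(a)


def demo() -> AlertQueue:
    """Constructed sequence of sensor events (not real data)."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    q = AlertQueue()
    q.raise_alert("animal_in_zone", "ir-7", "inKAblrAZON01", t0)
    q.raise_alert("person_in_zone", "cam-3", "inKAblrAZON02", t0 + timedelta(seconds=1))
    q.raise_alert("person_in_zone", "trip-1", "inKAblrAZON02", t0 + timedelta(seconds=5))
    q.raise_alert("smoke", "det-2", "inKAblrAZON01", t0 + timedelta(seconds=10))
    q.raise_alert("smoke", "det-2", "inKAblrAZON01", t0 + timedelta(seconds=20))
    q.raise_alert("fire", "det-9", "inKAblrAZON03", t0 + timedelta(seconds=30))
    return q


if __name__ == "__main__":
    for a in demo().dispatch_order():
        print(a.tier, a.kind, a.location, a.source, "repeats:", a.repeats)
```

The corroboration rule is deliberately applied only from tier 8 downward: holding a fire or a gas-leak detection for a second sensor would trade a false alarm for a late response, which is the wrong trade at the top of the list.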
Not just your cameras; there are more
1. Storefronts
2. In-Store Cameras.
3. Gas Stations
4. Police stations
5. Businesses
6. Government & Office Buildings
7. Houses. Estates. Gate Security. Guard Security.
8. Traffic cams. Red light cams.
9. Taxi companies – Most taxis nowadays have dash cams, and a driver can manually trigger them.
10. Any witnesses with cellphones.
11. Any witnesses with digital cameras, camcorders.
12. Any witnesses. Record their statements with your on-hand camera.
Someone should want to
1. Pay for it.
2. Look at it.
3. Use it.
4. Make it count.
5. Just evidence. Seeing is believing.
6. Use it as evidence in a court of law.
7. Save a life.
8. Save property.
9. Save time.
10. Do something … for someone.
The face of Information Security
1. There is someone looking over your shoulder.
2. Uniform & Authority Matter.
3. He is trained and tough.
4. This person is authorised ‘internally’ and ‘by law’ to act on our behalf.
5. This person is Technically Qualified and aware.
6. If you ‘cross the line’ … you are in trouble.
7. You can ask me as to ‘what the line is’.
8. Honestly; I am here to help you do your job ‘honestly’.
Counterfeit Management
1. Identifying counterfeit NOTES and COINS requires a combination of AUTOMATION & PEOPLE skills.
   1. Automation Concerns
      1. Automated kiosks DO NOT have this luxury and have to be able to stand alone and independently decide to ACCEPT or REJECT.
      2. Reject in many instances can mean loss of Business and Consumer confidence.
      3. Automated kiosks can be misused for money-laundering; coin hoarding; higher-note disposal etc.
   2. Manual Concerns
      1. Remove the drudgery of counting.
      2. ONUS on protecting and end-of-shift settlement.
      3. Know how to be able to identify counterfeit.
The Solution
1. Coin operated Vending Machines.
2. Coin or Cash based Media Dispensing.
3. Ticketing kiosks.
4. Utilities Bill Payment by Cash and/or Smartcards and/or Debit and/or Credit Cards.
5. GPS, GIS, GPRS, GSM, RFID based Tracking.
6. Touch screen based interaction.
7. Network integration with central computing facilities.
8. Local alarms & alerts; including automated and manual video surveillance.
9. Supply of HARDWARE, SOFTWARE, SYSTEMS and PROCESS METHODOLOGY, starting with Awareness Training.
10. Pre-Sale, In-Sale and Post-Sale Staff & User training.
Who needs this
1. Any business handling cash.
2. Banks. Cash deposit. Cash withdrawal.
3. Coin-to-cash and cash-to-coin exchangers.
4. Retail operations.
5. Notes and/or Coins counting.
6. Government Utilities. Receipt Printing.
7. Parking. Ticketing. Events. Journey slips.
8. Vehicle Parking.
9. Toll Gates and pay-per-use applications.
10. Currency Exchange.