Security as a Subset of Risk Management

What does Risk Management mean to you? If you have read my blog, you know that I focus on topics like Security or Compliance. You may also have noticed that my title is Chief Risk Officer and wondered how this fits together. Compliance cannot exist without the appropriate controls (security) in place. Moreover, Risk Management can be said to be the art of balancing the cost of a control against the value of the benefit derived from that control.

I have spent most of my career dealing with security controls and compliance. After a while, it occurred to me that in order to convince someone, usually an executive, of the need to spend money on a control, I had to convince that executive of the value derived from implementing it. The cost of a control has multiple factors. The most obvious is the cost to initially acquire the control, whether that is software, processes, personnel or any number of other costs. One sometimes ignored component of the cost of a control is the cumulative cost effect. Just about every control has costs associated with acquisition, administration, maintenance and regression testing, to name a few. Every time you add an additional control, the costs for administration, maintenance, testing and complexity are greater than they would be if the control were standalone. This is because some controls conflict with others or make administration more complex.

Many executives see security professionals demonstrate this concept repeatedly. The rationale used for justifying these costs is Fear, Uncertainty and Doubt (FUD). Claims of utter destruction and the end of the world (with all due respect to those who thought the Mayans were doing just that) are often used to generate FUD. These security professionals are then frustrated that executives do not support their programs or believe their claims.

Another perspective is that with more controls, you reduce your risk from the negative effects of attacks, calamities and the like. Although this is true to a degree, bringing those risks down to a negligible level often requires many controls, and now we circle back to the ever-increasing cost of controls. Even if FUD is used successfully to initiate a security program, it can be neither sustained nor repeated, for it would leave the executive out on a limb on the tree of FUD.

What is the best way to avoid FUD, put in enough controls and not spend too much on them? Consider the chart below. Life is never quite this simple, but if we accurately articulate the cost of controls AND the associated reduction in potential losses, arriving at the answer is always easy. Never spend more on a control than you would lose if you did not have the control.

Recognize that the value of the benefits is multi-faceted. Increased productivity, opportunity costs and competitive advantages are just some of the values that need to be factored in. By keeping this perspective in mind, good and effective security controls will play a vital part in your risk management program.

[Chart: Fear, Uncertainty and Doubt (FUD)]

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

2012 Reflection and 2013 Road Ahead

With the holiday season upon us and another year coming to a close, we wish to express appreciation to our clients, partners and shareholders for their continued support of Layered Tech.

We had many accomplishments in 2012, all with the objective of setting the standard for what clients should expect from their PCI-, HIPAA- and FISMA-compliant managed service provider. Our extraordinary team of security and compliance experts worked day and night to understand the goals of our clients and solve their business challenges.

2012 Highlights:

  • In February of 2012, we became the first cloud provider to offer a ‘Compliance Guarantee.’  This ensures all Layered Tech compliance services, including PCI and HIPAA, are guaranteed to pass 100 percent of every audit or assessment.
  • In August of 2012, Layered Tech acquired NEW WORLD APPS, Inc, which specializes in secure private cloud solutions for federal, state and local governments.  Our expertise in the PCI- and HIPAA-compliant cloud hosting markets along with NEW WORLD APPS’ federal FISMA hosting experience made this a perfect combination, resulting in a compelling platform to achieve rapid growth.
  • In September of 2012, we launched the Layered Tech Cloud Data Center, a next-generation cloud platform that combines complete management, security and compliance capabilities with self-service functionality, creating a more agile and secure cloud.  This allows enterprises to run their critical workloads in a cloud environment to accommodate complex security needs and meet PCI-DSS and HIPAA compliance requirements.
  • In November of 2012, Layered Tech and Microsoft announced the availability of Microsoft Dynamics Government Cloud business solutions, a FISMA-compliant cloud application platform on which federal agencies can build and deploy mission-critical solutions for their constituents. (see related article: Update on FISMA Compliant Cloud Offering for Microsoft)

We see 2013 as a new year full of opportunities as we continue to lead the way for compliant and secure hosting services. Layered Tech very much appreciates the continued support of our valued partners and looks forward to a successful year ahead.

Have a happy, healthy and secure holiday season!

About the Author: As President of Layered Tech, Brad Hokamp (@bradhokamp) brings over 26 years of experience working in the IT and networking industry to his role. His responsibilities include leading our sales and marketing efforts, as well as product management, customer service and business development initiatives.

The Payment Processing Chain – Holistic Risk Management

A lot of people in the credit card industry focus on the compliance and security of the component of the payment processing chain that they control. This is expected and is the right thing to do. Most people do not appreciate the number of steps needed for a successful transaction. Some merchants, cards and banks may have varying processes, but most transactions involve, at a minimum, a consumer, a merchant, a payment gateway or processor, the card brand and the bank issuing the card. For a transaction to complete, the reverse path is taken to validate it. Add in credits, refunds and loyalty programs and that’s a lot of moving parts in a system that appears to act instantaneously. The system works well, and we all depend on that.

Like any complex ecosystem, components need occasional maintenance. Operators of every component should be cognizant of the controls in place for the entire ecosystem as well as recognize their own place in the system. A credit card and its associated transactions will only be as secure as the weakest spot in the processing chain. Consumers who believe they should be able to depend on the security of payment processors and banks are correct in that assumption. In the same vein, banks and payment processors should be able to depend on the security practices of consumers and merchants.

What does this mean to all of us? For the issuing banks, it means monitoring the behavior patterns of consumers to enable better and faster fraud detection. Acquiring banks do the same for merchants. For merchants, a demonstration of security and compliance competence is needed. If merchants do not have this expertise, they should engage a firm that does and let it do that work. Many merchants have not grown security and compliance expertise, focusing instead on growing their business around their core competency. Banks have regulators for oversight and examiners for validation.

That leaves the consumer. Every consumer plays a vital role in the risk management chain, but many do not recognize that and do not use the tools available to them. Some of these tools are:

  • Credit Card Statements
    • Perhaps the best tool available to consumers – question unexpected activity!
    • Use online statements to see current (very recent) activity.
    • Use SMS and email alerts for higher than expected volume or value of activity.
  • Credit Reports (things to look for are below)
    • Higher balances than expected
    • Unexpected new accounts opened
    • Unexpected accounts closed by credit grantor
  • ATM Machine Activity
    • In addition to being aware of ATM fees, make sure you trust the machine.
    • When using a machine for the first time, consider techniques such as entering an invalid PIN once to see if it is rejected. If it is, and the valid PIN then works, the machine is connected to your bank’s network.
    • Watch your surroundings.  If someone sees you enter your PIN, your chances of a compromise increase.
  • Utilize the security and control measures of your merchants and banks
    • If you cannot rely on them, ask them to change or move your business.

At any point in the chain, inspect the controls and ring the bell if they do not meet your standards.

Image Credit: Catatronic

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

Update on FISMA Compliant Cloud Offering for Microsoft

Earlier this year Microsoft Corporation contracted with Layered Tech to provide “Microsoft Dynamics for Government – Hosted by Layered Tech”, a FISMA-compliant cloud offering for its Dynamics solutions.

Hosted by Layered Tech in top-tier data centers, Microsoft Dynamics Government Cloud business solutions provide any federal agency the opportunity to:

  • Modernize mission critical workloads in either a FISMA-compliant, single-tenant private cloud with dedicated physical resources, or a FISMA-compliant, federal-only community cloud.
  • Sharply reduce the Certification & Accreditation time for new services by leveraging platform certification documentation developed by Layered Tech.
  • Partner with Layered Tech’s security professionals during the NIST (National Institute of Standards and Technology) audit process through to Authorization to Operate (ATO).

On November 15th, Microsoft issued its press release on this joint offering. We have been working in partnership at product launch events and conferences, and are now engaging Microsoft’s sales teams on a road show to educate the 90 federal partners and 200 Microsoft federal employees who will advocate our joint offering. This partnership will allow Layered Tech to keep in step with the government’s intensifying need for the benefits of business solutions delivered through secure cloud computing.

The relationship between Microsoft and LT Government Solutions (formerly NEW WORLD APPS) spans four years, and I’ve been fortunate to be involved from the beginning. We have over 60 ISVs and SIs for which we have architected cloud solutions and assisted in the marketing and sales of those productized offerings. As the leader of the initiative, I am very proud of the joint contribution of both the Microsoft and Layered Tech executive, marketing and BD teams.

Image credit: Serge Melki

About the Author: Teri Erickson is the Senior Director of Cloud Services, Public Sector at LT Government Solutions. Teri’s 13 years of experience in IT include the last four years at NEW WORLD APPS (a recent LT acquisition) and prior experience as a founding member and sales director at Current Analysis.

Intelligence in the Cloud – Security and Compliance

We hope you can join Layered Tech at the “Intelligence in the Cloud” workshop, a unique opportunity to understand the challenges of migrating secure multimedia assets to the cloud. The workshop, jointly sponsored by the National Association of Broadcasters (NAB) and the Distributed Computing Industry Association (DCIA), will focus on how military and government agencies with responsibilities for intelligence gathering can safely leverage the benefits of cloud computing.

The day will include a fantastic lineup of panel discussions and case study presenters. Our very own Jeff Reich, Chief Risk Officer, will present a private sector case study at 1:45pm about managing your cloud for security and compliance. Do you need to learn how to adapt existing controls to make a real-time cloud compliant? Are you looking to develop a FISMA-compliant cloud solution or find a provider that offers one? You won’t want to miss this discussion.

“Intelligence in the Cloud” will be held Tuesday December 4th at the NAB Headquarters in Washington D.C. from 8:00am – 5:00pm.  For more information, you can visit http://www.nabshow.com/2013/iitc/.