
Source: Sample Operational Risk Profile Report - SourceMedia, promo.sourcemedia.com/promoart/files/OperationalRiskProfileReport...

ISG Metrics LLC

Synchronized Compliance™

Operational Risk Profile Report

Measuring and Rating Legal Risk Exposures Due to Breaches of Information Security Governance

July 22, 2008

Sample Firm

ISG Metrics LLC, 5100 Tamiami Trail North, Suite 105, Naples, Florida 34103. T-239-777-4638, [email protected]. © Copyright 2008 All Rights Reserved.


Table of Contents:

3 About ISG Metrics LLC

4-5 Operational Risk Profile Report
o Proxy CAMELS Compliance Rating
o Audit Committee Summary
o Strategy for Boards of Directors and Senior Management

6-7 Interconnected Fiduciary Breaches

8-10 SEC Section 10a Risks and Sarbanes-Oxley 301

11-12 Summary of CAMELS Risk Profile

13 Holistic Definition of Information Security

14 Selected Regulatory Definitions

15-16 Director Scorecard: Setting Compliance Ratings on Legal Risks

17-18 Sample Firm Director Scorecard

18-19 Estimated Budget to Convert a Director Scorecard Rating of 4 to a Rating of 1 within 3-6 Months

20-23 Addendum 1: Director Scorecard for Information Security Governance Risk Tolerances per CAMELS Compliance Rating Scale of 1 to 5


ISG Metrics LLC provides regulatory risk management services on information security for 16,000 federally insured institutions plus publicly traded firms subject to Sarbanes-Oxley and SEC Rule 13a-15f. The Operational Risk Profile Report for each firm:

o Identifies and remediates Illegal Acts per SEC Section 10a.

o Provides an independent, forward-looking legal risk assessment or scenario analysis on interconnected regulations on information security.

o Empowers Boards of Directors to synchronize, measure, rate and manage legal risks on information security. Legal risks include fiduciary breaches, external fraud, and process management, outside of information technology, that are violations of regulations required for maintaining federal deposit insurance per the FDIC and NCUA.

o Features the Director Scorecard. The Scorecard enables Boards of Directors to set and manage legal risk tolerances on fiduciary breaches, external fraud, business disruption and process management per proxy CAMELS ratings selected by the Board.

o Features the firm’s current proxy CAMELS rating, per publicly available information, within the Director Scorecard. The ratings provide guidance on degrees of compliance with federal regulations required for maintaining federal deposit insurance and on safeguarding information assets from criminal acts that can have a material impact on financial reporting.

o High risk ratings of 5, 4 and 3 indicate significant deficiencies that are violations of Sarbanes-Oxley 404, SEC Rule 13a-15f, FDICIA and NCUA Rules § 741.202, § 715.

o Includes an estimated budget and an in-person meeting to discuss next steps to reach compliance per a proxy CAMELS Rating of 1.

o The purchase price of this report will be credited towards the estimated budget, assuming agreement is reached within 30 days.

o Encourages collaboration amongst public and private organizations to safeguard their information assets in a proactive manner, leading to economies of scale plus operating efficiencies for capital and earnings.

Organizations reaching proxy CAMELS Rating of 1 by October 2, 2008 will be featured in the full day seminar in Washington DC presented by the American Banker with IS Governance Institute and ISG Metrics.

Proxy CAMELS Ratings will be featured in the future as part of a market-based solution to bring transparency on information security.


Operational Risk Profile Report - Information Security Governance

Fiduciary Breaches – FDI Act and FDICIA Rules

July 22, 2008

Audit Committee Summary: Proxy CAMELS Compliance Rating of 4

Summary of Director Scorecard: Interconnected violations of laws and regulations at the Audit Committee level on information security governance, for 16,000 federally insured financial firms, equal a CAMELS 4 Compliance Rating, or serious deficiencies, due to the failure to safeguard information assets from criminal acts or identity theft. Information assets at risk include brands and sensitive customer information; identity theft through infringing domain names and related fake web sites, email spam and phishing sites, all “illegal acts”, is the root source of the interconnected risks. Violations of safety and soundness regulations include failure to fully comply with GLBA, failure to detect and report criminal acts against bank assets as suspicious activity reports, a deceptive privacy statement claiming full compliance with GLBA, and inadequate internal controls to manage the foregoing risks. These are “illegal acts” per SEC’s Section 10a.


Strategy for Board of Directors and Senior Management: Convert interconnected fiduciary breaches on information security governance from a proxy CAMELS Compliance Rating of 4 to a Rating of 1 to safeguard information assets, earnings, capital, and federal deposit insurance while gaining a competitive advantage with stakeholders, including consumers. Interconnected fiduciary breaches include violations of the Federal Deposit Insurance Act, Sec. 8 (a) TERMINATION OF INSURANCE.-- (2) INVOLUNTARY TERMINATION, if an insured depository institution or the directors or trustees of an insured depository institution have engaged or are engaging in unsafe or unsound practices in conducting the business of the depository institution. These include failing to safeguard information assets from criminal acts.

Strategy to Synchronize Compliance:

o Education: Attend seminars on Information Security Governance by IS Governance Institute, ISG Metrics LLC, SourceMedia, & Credit Union Journal:
  6/26/08 Information Security Governance
  7/24/08 Fiduciary Breaches
  8/21/08 External Fraud
  9/15/08 Business Disruption
  10/2/08 Process Management

o Proactive Solution: The Audit Committee of the Board of Directors selects, manages and funds desired legal risk tolerances, vertically and horizontally within the organization, through proxy CAMELS Ratings in the Director Scorecard. The Scorecard synchronizes compliance on interconnected legal risks that include COSO, COSO’s ERM, GLBA, Sarbanes-Oxley, SEC Rule 13a-15f, SEC Section 10a, FDICIA, FDI Act, NCUA Rules, FTC Act, Basel II and CAMELS Compliance rating metrics. The Director Scorecard is enclosed.

o Feature a proxy CAMELS Compliance Rating of 1, indicating full compliance with federal regulations on Information Security, for transparency.


Interconnected Fiduciary Breaches include violations of Federal Deposit Insurance Act, Sec. 8 (a) TERMINATION OF INSURANCE.-- (2) INVOLUNTARY TERMINATION if an insured depository institution or the directors or trustees of an insured depository institution have engaged or are engaging in unsafe or unsound practices in conducting the business of the depository institution.

Violations fall into 3 categories:

o Failure to safeguard information assets from criminal acts.

o Inadequate internal controls at the Board level to set and manage legal risks on unsafe and unsound practices that threaten federal deposit insurance.

o “Illegal Acts” per SEC Section 10a and Sarbanes-Oxley 301 that Boards of Directors need to know about and remediate given their materiality as violations of regulations required for maintaining federal deposit insurance.

Violations of safety and soundness regulations (Section 10a risks) include:

o Criminal acts, i.e., identity theft, against bank assets (Appendix A to Part 363, GLBA 501(b), COSO, Suspicious Activity Reports)

o GLBA violations against information assets (COSO, GLBA 501(b), GLBA 521)

o Unfair Acts against consumers (COSO, FTC Act)

o Deceptive Acts against consumers (COSO, § 332.5, FTC Act)

o Failure to submit Suspicious Activity Reports (Appendix B to Part 364)

o Corporate governance violations on safeguarding information assets that can have a material impact on financial reporting. These include:
  - Lack of adequate internal controls to safeguard information assets from criminal acts (COSO, Sec 39, Sarbanes-Oxley, SEC Rule 13a-15f)
  - Faulty risk management by relying on one-dimensional IT Governance models for Information Security Compliance (Sec 39; COSO)
  - Violations of covenants and representations and warranties in capital market transactions on adequacy of internal controls per COSO, Sec 39, Sarbanes-Oxley, SEC Rule 13a-15f

FDIC Regulations – Safety and Soundness

SEC. 39. Standards for Safety and Soundness (a) (1) (A) internal controls, information systems, and internal audit systems, in accordance with section 36;

o SEC. 36(a)(2)(A) (i) or (b) Management Responsibility for Financial Statements and Internal Controls

o PART 363—ANNUAL INDEPENDENT AUDITS AND REPORTING REQUIREMENTS
  • Appendix A to Part 363 - Guidelines and Interpretations


o 9. Safeguarding of Assets (COSO)


o 10. Standards for Internal Controls (COSO)

Part 364 – Standards for Safety and Soundness

• Appendix A to Part 364 - Interagency Guidelines Establishing Standards for Safety and Soundness
  o II. A. Internal controls and information systems.

• Appendix B to Part 364 - Interagency Guidelines Establishing Information Security Standards
  o Sections 501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act
  o Obligation to file Suspicious Activity Reports

• SEC. 521. Privacy Protection for Customer Information
  o GLBA 521: (a) Prohibition on Obtaining Customer Information by False Pretenses.

• Part 332 – Privacy of Consumer Information
  o § 332.5 Accurate Annual privacy notice to customers.
  o § 332.6 Information to be included in privacy notices.
    • (c)6: Confidentiality and Security Statement


SEC Section 10a Risks and Sarbanes-Oxley 301

Sarbanes-Oxley 301

STANDARDS RELATING TO LISTED COMPANY AUDIT COMMITTEES, April 25, 2005: "In this release, we implement Section 10A(m)(1) of the Exchange Act [13], as added by Section 301 of the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act") [14], which requires us to direct, by rule, the national securities exchanges [15] and national securities associations [16] (or "SROs") to prohibit the listing of any security of an issuer that is not in compliance with several enumerated standards regarding issuer audit committees." Footnote 13: 15 U.S.C. 78j-1(m)(1).
http://www.sec.gov/rules/final/33-8220.htm#P77_5902

Section 10a-1, Sec. 240.10A-1 Notice to the Commission Pursuant to Section 10A of the Act. (a)(1) If any issuer with a reporting obligation under the Act receives a report requiring a notice to the Commission in accordance with section 10A(b)(3) of the Act, 15 U.S.C. 78j-1(b)(3), the issuer shall submit such notice to the Commission's Office of the Chief Accountant within the time period prescribed in that section. The notice may be provided by facsimile, telegraph, personal delivery, or any other means, provided it is received by the Office of the Chief Accountant within the required time period.
http://www.access.gpo.gov/nara/cfr/waisidx_04/17cfr240_04.html
http://edocket.access.gpo.gov/cfr_2004/aprqtr/17cfr240.10A-1.htm

Section 78j-1, Sec. 78j-1. Audit requirements. (a) In general: Each audit required pursuant to this chapter of the financial statements of an issuer by a registered public accounting firm shall include, in accordance with generally accepted auditing standards, as may be modified or supplemented from time to time by the Commission-- (1) procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts;


(f) Definitions: As used in this section, the term "illegal act" means an act or omission that violates any law, or any rule or regulation having the force of law.
http://www.access.gpo.gov/uscode/title15/chapter2b_.html
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+15USC78j-1

SEC Staff Accounting Bulletin No. 99 – Materiality

The Auditor's Response to Intentional Misstatements

Section 10A(b) of the Exchange Act requires auditors to take certain actions upon discovery of an "illegal act." [41] The statute specifies that these obligations are triggered "whether or not [the illegal acts are] perceived to have a material effect on the financial statements of the issuer . . . ." Among other things, Section 10A(b)(1) requires the auditor to inform the appropriate level of management of an illegal act (unless clearly inconsequential) and assure that the registrant's audit committee is "adequately informed" with respect to the illegal act.

As noted, an intentional misstatement of immaterial items in a registrant's financial statements may violate Section 13(b)(2) of the Exchange Act and thus be an illegal act. When such a violation occurs, an auditor must take steps to see that the registrant's audit committee is "adequately informed" about the illegal act. Because Section 10A(b)(1) is triggered regardless of whether an illegal act has a material effect on the registrant's financial statements, where the illegal act consists of a misstatement in the registrant's financial statements, the auditor will be required to report that illegal act to the audit committee irrespective of any "netting" of the misstatements with other financial statement items.
http://www.sec.gov/interps/account/sab99.htm#body40

Section 10b-5, Sec. 240.10b-5 Employment of manipulative and deceptive devices. It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce, or of the mails or of any facility of any national securities exchange, (a) To employ any device, scheme, or artifice to defraud, (b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or (c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person, in connection with the purchase or sale of any security. (Sec. 10; 48 Stat. 891; 15 U.S.C. 78j)

http://edocket.access.gpo.gov/cfr_2004/aprqtr/17cfr240.10b-5.htm


Summary of CAMELS Risk Profile: Management’s non-compliance with federal regulations on information security enables federal crimes against bank assets, i.e., Identity Theft, 18 U.S.C. § 1028, of information assets that negatively impacts Asset quality (loan/credit card fraud), Earnings (billion dollar Identity theft losses), Capital (enterprise values at risk per legal/compliance risks), and Liquidity (potential loss of federal deposit insurance).

Compliance Risk Factors (CAMELS Ratings: High = 5, 4, 3; Moderate = 2; Low = 1):
Capital Adequacy x
Asset Quality x
Management X
Earnings x
Liquidity x
Sensitivity to Risk

Compliance Composite Rating:

Critically Deficient, 5 Rating: Financial institutions in this group exhibit extremely unsafe and unsound practices or conditions;

Serious Deficiencies, 4 Rating: Financial institutions in this group generally exhibit unsafe and unsound practices or conditions. There may be significant noncompliance with laws and regulations.

Supervisory Concerns, 3 Rating: These financial institutions may be in significant noncompliance with laws and regulations.

Fundamentally Sound, 2 Rating: These financial institutions are in substantial compliance with laws and regulations.

Strongest, 1 Rating: These financial institutions are in substantial compliance with laws and regulations.


Management Rating: The capability of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of an institution’s activities and to ensure a financial institution’s safe, sound, and efficient operation in compliance with applicable laws and regulations is reflected in this rating.

Critically Deficient, 5 Rating: A rating of 5 indicates critically deficient management and board performance or risk management practices.

Serious Deficiencies, 4 Rating: A rating of 4 indicates deficient management and board performance or risk management practices that are inadequate considering the nature of an institution’s activities. The level of problems and risk exposure is excessive.

Supervisory Concerns, 3 Rating: A rating of 3 indicates management and board performance that need improvement or risk management practices that are less than satisfactory given the nature of the institution’s activities.

Fundamentally Sound, 2 Rating: A rating of 2 indicates satisfactory management and board performance and risk management practices relative to the institution’s size, complexity, and risk profile.

Strongest, 1 Rating: A rating of 1 indicates strong performance by management and the board of directors and strong risk management practices relative to the institution’s size, complexity, and risk profile.



HOLISTIC DEFINITION: Information Security is defined, per COSO and related federal regulations, as the safeguarding of Information Assets, i.e., brands and customer information, with adequate internal controls, including IT Governance, to prevent and detect unauthorized acquisition, use or disposition of the company’s information assets from identity theft, 18 U.S.C. § 1028, that could have a material effect on financial statements per COSO, Sarbanes-Oxley-404, SEC 13a-15f, FTC Act, FDICIA, FDI Act, NCUA Rules, GLBA and Basel II and 14 interrelated Legal/Operational Risks within the Director Scorecard on page 6. The Director Scorecard empowers Boards of Directors and C-Level executives to set and align risk tolerance levels, per CAMELS Ratings, with their risk appetite for legal risks connected with maintaining federal deposit insurance.


Selected Regulatory Definitions

Identity Theft

The U.S. Code defines identity theft, under Title 18, PART I—CRIMES, CHAPTER 47—FRAUD AND FALSE STATEMENTS, § 1028 (a)(7), as a person who, “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”

Phishing Example

Respondent maintains a website at the <wellfargo-online.com> domain name that features links to third-party websites offering the financial services of both Complainant and Complainant’s competitors. Respondent’s website that resolves from the disputed domain name also contains a field that prompts Internet visitors to enter their e-mail address in an apparent attempt to get access to confidential personal information, a practice known as “phishing.”

Deceptive Act

Section 5 of the Federal Trade Commission Act (“FTC Act”) prohibits “unfair or deceptive acts or practices in or affecting commerce.” Under the FTC Act, the Commission has broad jurisdiction to prohibit unfair or deceptive practices by a wide variety of entities and individuals operating in commerce. Prohibited practices include deceptive claims that companies make about privacy, including claims about the security they provide for consumer information. These actions alleged that the companies made explicit or implicit promises to take reasonable steps to protect sensitive consumer information, but because they allegedly failed to take such steps, their claims were deceptive. [1]

Unfair Act

The FTC Act prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition. Such practices include, for example, unauthorized charges in connection with “phishing”, which are high-tech scams that use spam or pop-up messages to deceive consumers into disclosing credit card numbers, bank account information, social security numbers, passwords, or other sensitive information. [1]

Federal Crimes

Identity Theft is a criminal act against bank assets that is a reportable event under Suspicious Activity Reports, Box 35u. Related criminal acts include terrorist funding, credit card fraud, mortgage loan fraud, computer fraud, bank fraud, wire fraud, all reportable events under Suspicious Activity Reports.

[1] FTC Testimony, Data Breaches and Identity Theft, 6/16/05


Director Scorecard: Setting Compliance Ratings on Legal Risks (CAMEL Ratings per NCUA; CAMELS Rating per FFIEC; Compliance)

Compliance rating scale:
o Low Risk Factor, Strongest, Rating 1
o Moderate Risk Factor, Fundamentally Sound, Rating 2
o High Risk Factor, Supervisory Concerns, Rating 3
o High Risk Factor, Serious Deficiencies, Rating 4
o High Risk Factor, Critically Deficient, Rating 5

BASEL II OP LOSS categories, rated on the CAMELS Risk Rating Scale (5 4 3 2 1):

5 Fiduciary Breaches: Clients, Products, Business Practices (Boards of Directors); Information Security Governance; Loss of Federal Deposit Insurance
  1. Information Security Violations - GLBA 501(b), GLBA 521
  2. Deceptive Advertising - GLBA 503
  3. Suspicious Activity Reports - Identity Theft Box 35u
  4. Internal Controls to safeguard information assets per 7
  5: Fiduciary Breaches, Negligence, Class Action Suits
  6: Design of a Product/Product Liability
  7: Unfair and/or Deceptive Acts

6 External Fraud (Identity Theft 18 U.S.C. Section 1028)
  8: Identity Theft (Trademark) per SARS Box 35(u)
  9: Identity Theft (Customer Info), SARS Box 35(u), Reg. E (EFT Act)
  9-1: Business Banking Identity Theft Losses (Excluded-Regulation E)
  10: Suspicious Activity Reports
  11: Unfair and/or Deceptive Acts

7 Business Disruption (Network Security): Network Vulnerability
  12: Theft of Funds/Information
  13: Denial of service attacks
  14: Cyber Executed Vandalism

8 Execution, Delivery, and Process Management
  15: Information Reporting Systems: Governance, Compliance & Risk
  16: Internal Controls – COSO, SOX-404, SEC 13a-15f, FDICIA, NCUA


BASEL II OP LOSS categories on the CAMELS Risk Rating Scale on Legal/Regulatory Risks (5 4 3 2 1), with the legal risks and exposures in each category:

5 Fiduciary Breaches: Clients, Products, Business Practices (Boards of Directors); Information Security Governance; Loss of Federal Deposit Insurance
  1. Information Security Violations - GLBA 501(b), GLBA 521
  2. Deceptive Advertising - GLBA 503
  3. Suspicious Activity Reports - Identity Theft Box 35u
  4. Internal Controls to safeguard information assets
  5: Fiduciary Breaches, Negligence, Class Action Suits
  6: Design of a Product/Product Liability
  7: Unfair and/or Deceptive Acts
  SAFETY & SOUNDNESS: Safeguarding information assets from Identity Theft (8, 9, 9-1); Deceptive Privacy & Security Statements, FTC ACT; Failure to Submit Suspicious Activity Reports; Failure per COSO, SOX 404 to Safeguard Information Assets; Fiduciary Breaches of Safe & Sound Banking Regulations (GLBA, FDICIA, FTC ACT, COSO); Faulty Product Design/Marketing; Consumer Protection Laws

6 External Fraud (Identity Theft 18 U.S.C. Section 1028)
  8: Identity Theft (Trademark) per SARS Box 35(u)
  9: Identity Theft (Customer Info), SARS Box 35(u), Reg. E (EFT Act)
  9-1: Business Banking Identity Theft Losses (Excluded-Regulation E)
  10: Suspicious Activity Reports
  11: Unfair and/or Deceptive Acts
  Infringing Domain Names, Fake Web Sites, Email Spam, Phishing; Sensitive Customer Information; Business banking clients at full risk of $ losses due to phishing; See 3. - Fake web sites, email spam, phishing; - False Privacy/Disclosures Statements

7 Business Disruption (IT Network Security): Network Vulnerability
  12: Theft of Funds/Information
  13: Denial of service attacks
  14: Cyber Executed Vandalism
  IT Governance/COBIT

8 Execution, Delivery, and Process Management
  15: Information Reporting Systems: Governance, Compliance & Risk
  16: Internal Controls – COSO, SOX-404, SEC 13a-15f, FDICIA, NCUA
  Faulty compliance, operational risk, operational loss results when GRC models only focus on IT Governance; Non-compliance on Safeguarding Information Assets


Sample Firm Director Scorecard: July 22, 2008

DIRECTOR SCORECARD: Setting Compliance Ratings on Legal Risks (CAMEL Ratings per NCUA; CAMELS Rating per FFIEC; Compliance)

Compliance rating scale: Low Risk Factor, Strongest, Rating 1; Moderate Risk Factor, Fundamentally Sound, Rating 2; High Risk Factor, Supervisory Concerns, Rating 3; High Risk Factor, Serious Deficiencies, Rating 4; High Risk Factor, Critically Deficient, Rating 5.

BASEL II OP LOSS categories on the CAMELS Risk Rating Scale on Legal/Regulatory Risks (5 4 3 2 1):

5 Fiduciary Breaches: Clients, Products, Business Practices (Boards of Directors); Information Security Governance; Loss of Federal Deposit Insurance
  1. Information Security Violations - GLBA 501(b), GLBA 521
  2. Deceptive Advertising - GLBA 503
  3. Suspicious Activity Reports - Identity Theft Box 35u
  4. Internal Controls to safeguard information assets
  5: Fiduciary Breaches, Negligence, Class Action Suits
  6: Design of a Product/Product Liability
  7: Unfair and/or Deceptive Acts
  SAFETY & SOUNDNESS: Safeguarding information assets from Identity Theft. Sample Firm is failing to safeguard its trademarks from criminal acts per COSO and Identity Theft 18 U.S.C. Section 1028 in the form of infringing domain names, fake web sites and phishing sites that are reportable events per FinCEN’s Identity Theft Box 35u.
  Sample Firm Privacy Policy: “We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard nonpublic personal information about you.”
  Failure to Submit Suspicious Activity Reports
  Failure per COSO, SOX 404 to Safeguard Information Assets
  Fiduciary Breaches of Safe & Sound Banking Regulations: GLBA, FDICIA, FTC ACT, COSO
  Consumer Protection Laws


6 External Fraud (Identity Theft, 18 U.S.C. Section 1028)
Scorecard questions: 8: Identity Theft (Trademark) per SAR Box 35(u); 9: Identity Theft (Customer Info), SAR Box 35(u), Reg. E (EFT Act); 9-1: Business Banking Identity Theft Losses (excluded from Regulation E); 10: Suspicious Activity Reports; 11: Unfair and/or Deceptive Acts
Exposures: infringing domain names, fake web sites, email spam, phishing for sensitive customer information; business banking clients at full risk of dollar losses due to phishing (see 3); fake web sites, email spam, phishing; false privacy/disclosure statements

8 Execution, Delivery, and Process Management
Scorecard questions: 15: Information Reporting Systems: Governance, Compliance & Risk; 16: Internal Controls – COSO, SOX-404, SEC 13a-15f, FDICIA, NCUA
Exposures: faulty compliance, operational risk and operational loss result when GRC models focus only on IT Governance; non-compliance on safeguarding information assets

Estimated Budget to convert Director Scorecard Rating of 4 to a Rating of 1 within 3 to 6 months includes:

1. Board of Directors selecting a proxy CAMELS Rating of 1 within the Director Scorecard.

2. Scenario Analysis or a forward-looking legal risk assessment.

3. Independent legal risk verification of intellectual property risks and compliance with COSO, SOX-404, SEC 13a-15f, FDICIA on safeguarding information assets, i.e., trademarks, from external fraud.

4. Trademark legal remediation services under the Uniform Domain Name Dispute Resolution Policy plus, if the bank selects this option, litigation for damages, federal injunctions and transfer of infringing domain names.

5. Domain Name registration of available and matching domain names based on geographic business model and exposure to cyber criminals.

6. Detecting, monitoring and remediating new infringing domain names.

7. Analyzing under attorney-client privilege internal controls on managing and reporting suspicious activity reports to FinCEN and Boards of Directors on Identity Theft.

8. Reviewing quality of annual GLBA written program.


9. Reviewing representations and warranties on adequacy of internal controls on safeguarding information assets from unauthorized use that can have a material impact on financial reporting within financial statements and capital market agreements.

10. Evaluating quality of network penetration and testing services along with matching cyber insurance.

11. Monthly Board Reports noting changes, positive or negative, in the proxy CAMELS Rating based on events in 2-9 above.

12. Posting proxy CAMELS Rating for transparency to indicate degrees of compliance for stakeholders.

13. Education through online seminars by IS Governance Institute and SourceMedia.
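Items 5 and 6 of the budget call for registering matching domain names and for detecting new infringing ones. The Python below is an added example, not code from the ISG Metrics report or from any service it describes, of the detection step as a practitioner would build it: generate the lookalike permutations an infringer is likely to register for a brand domain (dropped, doubled, transposed or hyphenated letters, look-alike glyphs such as "rn" for "m", trust-word affixes such as "-login", and TLD swaps), then match them against a feed of newly registered domains. The brand domain samplefirm.com, the technique tables and the NEW_REGISTRATIONS feed are constructed for illustration; in practice the feed would come from zone files or a new-registration data service, and each hit would be the input to the UDRP or takedown process in item 4.

```python
"""Lookalike (typosquat) domain detection for a brand's registered domain.

Added example; not code from the ISG Metrics report. The brand domain,
the technique tables and the registration feed below are constructed
for illustration.
"""
from __future__ import annotations

# Character substitutions that look alike in common fonts or on small screens.
HOMOGLYPHS = {
    "m": ["rn", "nn"],
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "w": ["vv"],
    "d": ["cl"],
}
# TLDs an infringer is likely to register the same label under.
TLDS = ["com", "net", "org", "biz", "info", "us"]
# Trust words that phishing sites commonly attach to a bank's name.
AFFIXES = ["secure", "login", "online", "banking", "verify", "account"]

# Constructed feed of "newly registered" domains standing in for a zone-file
# or new-registration data service; these are not real registrations.
NEW_REGISTRATIONS = [
    "sarnplefirm.com",          # "rn" looks like "m"
    "samplefrim.com",           # transposed letters
    "SampleFirm-Login.COM",     # trust-word suffix, mixed case
    "samplefirm.net",           # same label, different TLD
    "samplefim.com",            # dropped letter
    "sample-firm.com",          # hyphen inserted
    "otherbank.com",            # unrelated, must not be flagged
    "firstbankofsample.com",    # shares a word with the brand, not a lookalike
]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'label.tld' into (label, tld); only two-part domains are handled."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def generate_variants(domain: str) -> dict[str, str]:
    """Map every lookalike candidate of `domain` to the technique producing it.

    Classes covered: omission, repetition, adjacent transposition, hyphenation,
    homoglyph substitution, trust-word affixes and TLD swap. When two techniques
    yield the same string the first one generated is kept.
    """
    label, tld = split_domain(domain)
    variants: dict[str, str] = {}

    def add(candidate: str, technique: str, new_tld: str = tld) -> None:
        fqdn = f"{candidate}.{new_tld}"
        if fqdn != f"{label}.{tld}":          # never report the brand itself
            variants.setdefault(fqdn, technique)

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + ch + label[i:], "repetition")
        if i < len(label) - 1:
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
            add(label[:i + 1] + "-" + label[i + 1:], "hyphenation")
        for glyph in HOMOGLYPHS.get(ch, []):
            add(label[:i] + glyph + label[i + 1:], "homoglyph")
    for word in AFFIXES:
        for candidate in (f"{label}-{word}", f"{word}-{label}",
                          f"{label}{word}", f"{word}{label}"):
            add(candidate, "affix")
    for new_tld in TLDS:
        if new_tld != tld:
            add(label, "tld-swap", new_tld)
    return variants


def find_infringing(domain: str, registrations: list[str]) -> list[tuple[str, str]]:
    """Return (registered_domain, technique) for each registration that is a
    lookalike of `domain`. Feed entries are normalised to lower case without a
    trailing dot so that formatting differences cannot hide a match."""
    variants = generate_variants(domain)
    hits = []
    for reg in registrations:
        reg = reg.strip().lower().rstrip(".")
        if reg in variants:
            hits.append((reg, variants[reg]))
    return sorted(hits)


if __name__ == "__main__":
    for fqdn, technique in find_infringing("samplefirm.com", NEW_REGISTRATIONS):
        print(f"{fqdn:28} {technique}")
```

Exact-match lookup against a precomputed permutation set is deliberate: it runs in constant time per feed entry, so the same variant table can be checked against millions of daily registrations, and a miss (a domain that merely contains the brand name, such as firstbankofsample.com) is left for a slower fuzzy or manual review rather than generating false takedown requests.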

Estimated budget to achieve a proxy CAMELS Rating of 1 based on risks as of July 2, 2008 is $xx. Pooling of common risks as part of a common, collaborative remediation strategy may yield economies of scale depending on the number of participating firms and their risk profiles. The 16-question Director Scorecard is included as Addendum 1. For additional information and to schedule a meeting at your office to discuss the findings and recommendations for safeguarding Sample Firm's information assets and enterprise values, please contact ISG Metrics LLC.

Respectfully submitted,
Beckwith B. Miller, CEO

Addendum 1: Director Scorecard


Director Scorecard for Information Security Governance Risk Tolerances per CAMELS Compliance Rating Scale of 1 to 5.

Each question is answered on the same scale:
a. Rating 1 for Full Compliance
b. Rating 2 for Fundamentally Sound
c. Rating 3 for Supervisory Concerns
d. Rating 4 for Serious Deficiencies
e. Rating 5 for Critically Deficient

Fiduciary risks (questions 1-7). Questions 1-4 address issues required for maintaining Federal Deposit Insurance (FDI).

1. Select rating on information security compliance per GLBA. (Compliance is required for maintaining FDI.)

2. Select rating on accuracy of marketing material and privacy disclosures. (Compliance is required for maintaining FDI.)

3. Select rating on submitting suspicious activity reports. (Compliance is required for maintaining FDI.)

4. Select rating on internal controls to safeguard information assets. (Compliance is required for maintaining FDI.)

5. Select rating on complying with fiduciary obligations, thus avoiding negligence and class-action lawsuits.

6. Select rating on product disclosures matching product deliverables.

7. Select rating on compliance with the FTC Act on preventing Unfair and Deceptive Acts against consumers.

External Fraud (Basel II; questions 8-11).

8. Select rating on safeguarding information assets, i.e., brands and trademarks, from Identity Theft per GLBA in the form of infringing domain names, fake web sites, email spam and phishing.

9. Select rating on safeguarding information assets, i.e., customer information, from identity theft per GLBA.

10. Select rating on submitting Suspicious Activity Reports on Identity Theft to Boards of Directors and FinCEN.

11. Select rating on preventing violations of the FTC Act in the form of Unfair and Deceptive Acts.

Business Disruption, IT Governance (questions 12-14).

12. Select rating on preventing theft of funds/information.

13. Select rating on preventing denial of service attacks.

14. Select rating on preventing cyber-executed vandalism.

Process Management Risks (Basel II; questions 15-16).

15. Select rating on the ability of Governance, Risk and Compliance models to address Information Security Governance. Note: GRC models centered on Information Technology address Business Disruption.

16. Select rating on adequacy of Internal Controls per COSO to safeguard information assets from criminal acts that can have a material impact on financial reporting.
