i3S

White Paper & Solution(s) options © Casper Abraham, FEB 2010 http://www.edgevalue.com

Email : casper@edgevalue.com Cellphone : +91 98450 61870

i3S Integrated S afety, S urveillance & S ecurity

Physical, Virtual, People, Cash & Information Security

Base of Experts, Advisory, Staffing & Consulting.

The Firm

Software, Backend, Tool & Platform

Business Model, Methodology, and System(s)

Full­range services in Governance, Risk & Compliance

Systems Integrators

i3S

General

i3S List of NATURAL Hazards q Displaced Persons q Drought q Earthquakes q Epidemics and other Health Threats q Extreme Temperatures q Floods q Global Climate Change q Hail q Hurricanes and Tropical Storms q Infestations/Invasive Species q Landslides q Power Outage q Structural Fire q Technological Hazards/HAZMAT q Terrorism and Civil Hazards q Thunderstorms and Lightning q Tornadoes q Wildfire q Winter Snow/Ice Storms

i3S List of MAN-MADE Threats

q Vindictive Behaviour q Weapons. Firearms. Chemicals. Explosives. q Hostage Situation. q Dacoit. q Ideology, Psychological and Behavioural Situations.

q Selfish Behaviour q Petty Theft. q White Collar Entry. q Identity Theft / Fake Identity. q Fudged paperwork / documentation. q Unauthorised Vehicles vs Changed Licence Plates. q Removal of Assets.

q Co­Operative Behaviour q Cartels of Security + Staff + Others. q Lax systems. NOR Audit NOR Oversight.

i3S Aspect. It s about .

1. Choice 1. Better to be ‘safe’ than ‘sorry’.

2. Insurance 1. If nothing is going to happen … you don’t need it.

3. Uncertainty 1. An attempt to Predict / Quantify the future.

4. The opposite of ‘Risky’ is ‘Secure’.

i3S Priorities

1. Databases. 2. People logins. 3. Remote access. 4. Storage & Backup issues. 5. Down & Repair related issues.

i3S Two sides of the same coin Risky …

• Greed • High risk – High rewards • Force Majeure. • Requires Insurance. • Contingency & Backup Plans. • Exit options. • Speculation vs Gambling. • Unknown threats / weaknesses.

Security …

• Safe • Average Returns. • Known threats / weaknesses.

i3S Today s Reality

Event, Incident, Crime, observable ‘physical’ or ‘virtual’ action takes place.

Investigation, Modus operandi, Witnesses, Suspects, Evidence, Forensics, Motive, Detective work, legal or illegal. Law & Constitution. Police. Courts. Jail.

Intent to destruct. Sixth Sense. Intuition. Suspicious. Pattern.

Intelligence Gathering. What if …and IF. Word &

Observations of others. Behavioural Patterns. Prepared

to die. PROFILING.

i3S Track the WHOLE population?

1. Create­Identify, Train, Motivate & Manage a base of PROFILERS.

2. Start with the Criminals in Jail. Of course you can PROFILE them.

3. Database of their accomplices. 4. Foreigners in INDIA. 5. Foreigners in INDIA STATE(s).

6. A risk metric on every TARGET.

7. Do you want to know more about who is IN?

8. Do you want to know more about who is OUT?

9. Do you want to monitor or watch their movements? Monthly? Weekly? Hourly? Real­time?

10. Public? Households? Private?

Key­patterns … 1. Lifestyle. 2. Family, friends & relationships. 3. Travel. 4. Opinions & Beliefs. 5. Behavioural Assessment. 6. Observable Behaviour Profile. 7. Income & Sources. 8. Spending on what. 9. What do they possess? 10. What was; and is now not with them?

i3S Going to be a criminal

1. Manual 24­hour Surveillance. Detective work. Night Vision

Binoculars. Photo & Video Cameras. Bugs & Microphones. Recorders. Telephone Taps.

Your life was hardly threatened. Intuition, Sixth Sense, “I can feel it” & Behavioural

Pattern Recognition. “I know this guy did it.” 2. Challenges today …

Surveillance presence detection. CBRN Presence. Mobile phones. Internet. Radio monitoring. Encryption.

Aspirational threat to Planning threat. Your own life is threatened if you challenge OR become

a part of the “situation”. Intuition, Sixth Sense, “I can feel it” & Behavioural

Pattern Recognition. “I know this guy is up to no good … but is that a Homeland Security threat?”.

i3S Further challenges

1. There may yet be no infringement of the law.

2. Is it a law­enforcement, Police, State issue? 3. When is it a central, Defense or Homeland,

Central issue? 4. Our man (or woman) … the whole range.

Personal Values; Individual behaviour; Current Stress; trigger­happy; Moral issues … Human Rights; Encounters; Self­ defense; Whether armed; adequate protection; on­the­spot ‘manual’ or ‘automated’ information; information­on­ demand. Real time Decision­making

i3S So how real is a threat?

i3S Threat nuances 1. What are the Force Majeure threats? 2. Are lives at stake? 3. Can Insurance solve it? 4. Airlines were downed for 3 days … so what. The

city came to a stand­still for 5 days … so what. The US economy is slumping … so what? The Delhi CWG games was a disaster … so what?

5. Katrina. Asian Tsunami. Gulf oil spill. Hungary toxic spill. Pakistan floods. What could have been done? Is something being done about other FUTURE such events?

6. Even if someone knew something was going to happen … Clairvoyants? Hollywood? Witches? Aliens?

7. And if it never happened … perhaps it was not going to happen at all. Who pays? How do you prove this?

i3S Security Activity Monitoring

Traditionally, security has focused on putting up a perimeter fence to keep others out, but it has evolved to monitoring activities and identifying patterns that would have been missed before. Information security professionals face the challenge of detecting malicious activity in a constant stream of discrete events that are usually associated with an authorized user and are generated from multiple network, system and application sources. At the same time, security departments are facing increasing demands for ever­greater log analysis and reporting to support audit requirements. A variety of complimentary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity – often with real­time alerting or transaction intervention. By understanding the strengths and weaknesses of these tools, enterprises can better understand how to use them to defend the enterprise and meet audit requirements.

i3S

Financial Risk

i3S High Risk High Rewards

Good … • Sound as a Bank. • Ensure capital return. • The Markets

• EQUITY. • DEBT • COMMODITY • CURRENCY

• Safe as houses. • Property • Art & Antiques.

Bad … • Islamic Banking. • Gambling. • Speculation • Throw good

money behind bad • Ponzi Schemes. • MLM

i3S Risk

1. Controllable – Manage it. – Eg. Forward Contracts / Commodities

Exchange. 2. Un­controllable

– Insurance – Force Majeure Management.

i3S Systems Thinking & Systems Dynamics related to Risk 1. Behavioural Systems Thinking. 2. Financial Systems Thinking. 3. Risk Systems Thinking.

4. Systems Dynamics Modeling. 5. Team, Systems, Practice, Instrument level

Systems flowcharts.

6. Mathematical Modeling. 7. Behavioural Modeling.

i3S ALM Flow Example

i3S Classical Risk Curve

i3S Staff at Risk Management Steps

1. Identify the hazards

2. Decide who might be harmed and how

3. Evaluate the risks and decide on precaution

4. Record your findings and implement them

5. Review and update (if necessary)

i3S Risk Factors

Asset(s)

Vulnerability

Threat Risk

Risk_Metric R% = A% x T% x V%

Internal

External

Cost

i3S Choose ..

Sharing

Integrity

Security Ideas for implementation :­ • IT Policy • Intangible Assets

• List. Cost. Manage. Usage. • Internal Patent System. • USA Defense Services Orange Book

• Setup a MarComm, Communications, Documentation Division. • Establish a ‘VI’ practice. • Develop a part­branded ‘consumer­usable’ line of products. • Design & Manage a Catalogue. • Push OR Pull ‘strategy’ ….

Sharing + Security+ Integrity= 100%

i3S Paper Wealth

i3S Built on shaky fundamentals

i3S

Risk because of Information & Communications Technology

i3S Six sigma credo

Ø We don't know what we don't know.

Ø We can't do what we don't know.

Ø We won't know until we measure.

Ø We don't measure what we don't value.

Ø We don't value what we don't measure.

i3S Your personal data

1. Credit­card numbers. 2. CW2 security numbers. (back of credit­card). 3. Credit reports 4. Social Insurance numbers. 5. Driver’s License numbers. 6. ATM cards. 7. Telephone Calling Cards. 8. Mortgage details. 9. Date of birth. 10. Passwords, PIN’s. 11. Home address. 12. Phone numbers. 13. Address book and Personal contacts information.

i3S Corporate data

1. Trade secrets. Recipes & Formulations. Bill of Materials.

2. Cost information. Vendors; procurement costs; supplier chain information.

3. Price information. Customers; selling costs; customer relationship information.

4. Purchase track record – Sales History.

i3S Exposure cases

1. DSW, USA. Credit­card information from 108 stores; from 96,000 USA check transactions exposure of US $ 1.5 M.

2. CardSystems, USA. Card­information of Japan; HongKing; Phillipines; and Australia. Exposure US $ 40 M.

3. Mphasis­Citibank. Stolen US $ 350,000/­ 4. Sumitomo Bank. Stolen passwords caught prior to stealing US $ 397 M. 5. Citibank UPS shipment of customer data; 123,690 Japanese customers;

exposure US $ 3.9 M. 6. Accura Bank; stolen micro­film data; exposing 26,400 customers. 7. Commonwealth Bank of Australia – ATM cash­transfers. Stolen US $ 17

M. 8. Central Bank of Russia. Bank transfer information sold on­line. 9. Michinoku Bank. Thrown CD’s retrieved of nearly all its customer­

information; exposure US $ 1.3 M.

i3S Who s got it

1. Banks 2. Card companies. 3. Credit reference Agencies. 4. Merchants. 5. Government Agencies. 6. Phone companies. 7. Insurance Firms. 8. Data brokerage firms. List Managers. 9. Payment Processing Agencies. 10. Direct Marketing Agencies. 11. Market Research Firms.

i3S Priorities

1. Databases. 2. People logins. 3. Remote access. 4. Storage & Backup issues. 5. Down & Repair related issues.

i3S The only three

1. What you know. o Login ID. Passwords. PIN. Personal data.

Public and Private Keys. (PKI). 2. What you have.

o ID Card. Token number. Ticket. Boarding Pass. PKI Digital Certificate(s).

3. Who you are. o Signature. Fingerprint. Blood Group. Your

walk. Iris Pattern. Hand Geometry. Body language. Voice Recognition. DNA.

i3S AutoID : A key Technology

Device Device AutoID Smart Tag

AutoID Smart Tag 1. ID

2. Pull data 3. Push data

1. ID 2. Pull data 3. Push data Enormous

cloud of devices

i3S

Collective or Group Risk

i3S Mixed community Handling 1. Purple Zone

Residential Towers.

2. Orange Zone Manufacturing (EZ)

3. Green Zone Commercial Complexes

4. Cream Zone Retail Public Access

5. Red Zone Utilities. Admin. Control

Rooms.

i3S Mapped Systems 1. Perimeter Controls. 2. Roads. * 3. Conduits/Pipes. * 4. Water. Sewage. * 5. Power. * Lighting. 6. Sensors – Cameras. 7. Key­Cards. Access Control. 8. Display Signage 9. Vehicle Parking. 10. Vehicle Movement. 11. Access Point(s Control. 12. Fibre Communications. 13. IT Infrastructure 14. CED Wireless Network. 15. Security Manpower

Information System. 16. Law Enforcement. * 17. Operational Systems. 18. Tactical Systems. 19. Emergency. Crises. 20. Miscellaneous

Manufacturing 21. Integrated Software

* Systems with likely Central, State, City or Municipal Authority.

i3S It SHOULD NOT be what most people think of as Security Today. 1. Security Staff

• 10, 50 … 200 ‘uniformed jokers’ floating around.

• Not empowered. • Not trained. • Not civil, nor helpful. • Gate Pass. In­Out Register. ID

Card. Plate recording. • Happily out­source to so­called

‘ex­Services Experts’. 2. CCTV

• A bunch of cameras connected to a few TV’s.

• No one sees it. • If you see something, no action

is taken or actioned too late. • Footage not available when

needed. • Analog is ‘cheap’ but ‘dead’. • Inadequate Lighting. Poor

angles. Low coverage. You thought …….. BUT the reality.

i3S i3S Imperative Elements

Statutory Element(s) * Constitution Adherence * Federal Subject(s) * State Subject(s) * Statutory Reporting

Intelligence (Elements) * Doing the Best / Footwork * CCTV (Visual intelligence) * Sensory Intelligence / Alerts * Virtual Convergence World * IT aided Intelligence. * Automation.

Staffing Element(s) * Operational STATE Deployment. * Owned STAFF Deployment. * Outsource STAFF Deployment. * Stakeholder(s) STAFF – ADMIN – MGT.

Infrastructure Element(s) * Fibre­Wired and Wireless Network. * Server(s), Client(s), CEDs, Handhelds etc. * Connectivity, Availability, Redundancy & Backup. * Devices, Cameras, Sensors, Lighting, Power­Supply etc. * Control Rooms, Access Points, Distribution Points etc.

i3S Roads vs IT analogy

Availability and usability to an end­ user.

Toll Gates, Exit Ramps, Security Checks, Weather conditions, Sex (!), Age and Health of Driver, VIP in­town

Connectivity

Size and speed of data transfer

Per­hour vehicle capacity, Types and Speeds of cars, uphill, curves

Bandwidth

Data and Information stored remote centrally

Parking Lots. Car Lifts. Parallel Parking.

Servers

Wired or wireless. Analog, Digital or IP.

Roads, number of lanes, number of check­points, signal lights, flyovers.

Network

i3S Connectivity Tap-Points

FROM

TO • Camera Station • CED (Mobile­Handheld) • Public Alarm • Action to i3S Policy • WorkStation Access • CED (Mobile­Handheld) • Helpdesk Request • Subscriptions View • Self­Service • Accountable Staff

External Access; Inputs

and Out

Internal Management; Inputs and Out

i3S

Financial

i3S Types 1. Cash.

1. Theft. Fraud. Loss. 2. Liquidity. Un­availability. 3. Bad Debt.

2. Assets. 1. Plant & Machinery / Office Equipment. 2. Non­performing Assets. 3. Lower than planned ROI. 4. Depreciation. 5. Cost vs Performance. 6. Availability. Reliability. Maintainability.

3. IPR. 1. WTO. WIPO. GATTS. Country­Statutory­Industry. 2. Patents. Copyrights. Trademarks. Secrets. 3. Appreciation.

4. Capital vs Expense. 5. Inventory

1. Over­stock. Under­stock. Just­in­time. Carrying Costs. 2. Obsolescence. 3. Re­work. Re­cycling. Inefficiencies. Quality issues. 4. Waste. Write­off.

i3S Accountability Transfer Whose cash is it anyway? 1. Extremely INDUSTRY specific.

• Compare. Automobiles vs Pharma. vs Music CD’s vs Bollywood Films vs Your Industry.

2. Manufacturer OR Distributor OR Retailer. 3. Investors. Share­holders. Stake­holders. 4. Banks. FI’s. Mutual Funds. 5. Mortgages. Loans. Leasing. Hire­purchase. 6. Purchase of risk. In­transit documents.

Invoices. Payments. Letters of Credit. Hundi (in Asia).

7. Futures and Options.

i3S Cost of FAILURE!

Regulatory Action

Corporate Liability

Indirect Costs

Loss of Customer Confidence

i3S Force Majeure

1. Those "physical" events that are foreseeable, although unpredictable, such as fires, floods or vandalism.

2. Those day­to­day "business" events or governmental actions that cannot be forecast, but which are foreseeable, such as strikes or regulatory activities. This includes your service provider's subcontractors and vendors not performing tasks possibly necessary to your provider's performance under the agreement that your provider may claim are "beyond its reasonable control."

3. Those events that, although admittedly still pretty rare, are now unfortunately quite plausible in a world where commerce is easily touched by international politics, such as military actions, embargoes, rebellions and terrorism.

4. Those events caused by extraordinary elements of nature or "acts of God," which are truly unforeseeable force majeure events.

i3S Business Continuity Factors vis-à-vis Information & Technology

1. Uptime (near 100%) 1. Backup, Housekeeping, Mirror, Geographical Spread,

Employee Standby, Hotfix, 24x7x365 service(s) availability.

2. Downtime (near 0%) 1. MTTR, MTBF, 24x7x365 service(s) availability.

3. Assess, Quantify, Measure 1. Information Costing. Investor, Vendor, Customer &

Co­worker ‘impact’. What­if scenarios. 4. Risk & Qualify. High, Medium, Low, No.

1. Insurance. Personnel standby. Internal & External Audits.

i3S

GREY QUADRANT ­ Low severity ­ High Probability

RED QUADRANT ­ High severity ­ High Probability

YELLOW QUADRANT ­ High severity ­ Low Probability

GREEN QUADRANT ­ Low severity ­ Low Probability

Real Trouble Try to reduce Impact

Nuisance Problems

Closely Monitor for increasing Probability

Problems not significant

0

0

10

10 Probability of occurrence

Severity of Impact

i3S When risk happens .

1. On­track plan. (Backup, contingency) 2. Insurance, premiums & documentation. 3. Handling the Media (and fallout …) 4. Not repeating a mistake …

5. Factor #1 ­ Probability. 6. Factor #2 ­ Outcome or hazard.

i3S Tools

1. Sensitivity Analysis. (What if …) 2. Statistics ­ Normal Distribution.

i3S

Access Risks

i3S The only three

1. What you know. 1. Login ID. Passwords. PIN. Personal data.

Public and Private Keys. (PKI). 2. What you have.

1. ID Card. Token number. Ticket. Boarding Pass. PKI Digital Certificate(s).

3. Who you are. 1. Signature. Fingerprint. Retinal Pattern. Body

language. Voice Pattern. DNA.

i3S IT Best Practices

1. Without SSL encryption, the integrity of data is compromised.

2. Without robust physical and network security, sensitive corporate data is at risk of intrusion

3. Building an effective in­house PKI system will take considerable time and expense. Opt for managed PKI services.

4. Free software will crack your password in 30 minutes. 5. Email is leaking your business secrets. 6. Traditional access control solutions are either ineffective or

costly 7. Your web site can be spoofed with a point and a click. 8. Testing in production is tempting fate. 9. The weakest link in your security is your people. 10. On the web, nobody knows if you are a Martian.

i3S Reality checklist

1. Almost everything is turning electronic & digital.

2. Applications will never be secure.

3. The perimeter is disappearing.

4. The determined hacker will get in, always.

5. Awareness training will help, only so much.

i3S ID Theft.

24%

16%

15% 11%

7%

5%

4%

18%

Credit­Card Fraud

Phone or Utilities Fraud

Bank Fraud

Employment­related Fraud

Govt. documents fraud

Attempted ID Theft

Loan Fraud

Other Identify Theft

i3S

Our offer

i3S Your Physical Lobby

DMZ on Extranet

i3S The proposal

1. Approach your ‘I.T.’ as you would your physical office. You have a centralised reception area.

2. You have physical security. You have cameras. You have off­office hours infrastructure.

3. You have a back­gate for materials. In/Out registers. Documentation.

4. You also have Policies, Rules & Regulations, Guidelines, Methods, Processes & Systems.

5. There is ‘Human Decision Making’ in terms of out­of­policy, contingency & crises.

i3S The Service

Business Continuity is a matter of Practice and includes :­ 1. Study of Existing Systems. 2. Desired State Definition.. 3. Gap Analysis. 4. Budgets & Costs Allocation. 5. Design & Plan. 6. Implement.

a. Buy­out, License, Acquire, Recruit. b. Integrate, Implement, Train, Setup, Establish. c. Intensive Monitoring Services. (Typically 3 months). d. Regular Monitoring Services. (Annual Contracts).

7. Review, Feedback, Correction.

i3S Possible Scope of Supply

From your India­based establishment … as your Worldwide Single­Point Source ….

1. Study of Existing Systems. 2. Desired State Definition.. 3. Gap Analysis. 4. Budgets & Costs Allocation. 5. Design & Plan. 6. Implement.

a. Buy­out, License, Acquire, Recruit. b. Integrate, Implement, Train, Setup, Establish. c. Intensive Monitoring Services. (Typically 3 months). d. Regular Monitoring Services. (Annual Contracts).

7. Review, Feedback, Correction.

i3S including

1. Top Management ‘Interaction’ & ‘Support’. 2. Design & Management of your ‘Red Book’ 3. Physical Manning at all physical server locations. 4. 24x7x365 Manned Monitoring 5. 24x7.x365 Automated ‘Sniffiing’ & ‘Snooping’ Conrols. 6. Hardware & Software Firewalls. 7. Internal Audit(s). Infrastructure, Administrators & I.T.

Departments of Internal, Vendors, Customers, Investor & Co­worker Groups access.

8. External Audit Support 9. Downtime Services. 10. Crises Services. 11. Choice of Technologies. 12. Online Certificate Design, Method & Systems.

i3S If I.T. down assessment

1. If Hardware, Networking, Storage goes down ….

2. If Systems Software goes down … 3. If Application(s) Software goes down …

Bugs, Staging, Testing, Y2K type scenarios ….

4. If Data goes down … 5. If Information unavailable … 6. If unable to find­out what has gone down

…

i3S Security Policy

1. Written General Security Policy. 2. Written IT Security Policy.

1. IP’s. Listed & Controlled. 2. Allow & Deny. Group, individual & others. 3. Logs. Logs backup. Logs Analyses. Decisions. 4. Disaster Recovery. 5. DOS, DDOS etc.

3. Client ‘transparent’ document. 4. Internal audit. 5. External audit.

i3S Information or Intelligence Domain

i3S

Central Intelligence

•Gather Information, OR Intelligence.

•Data. Images. Audio. Video.

•Store. Retrieve. Analyze. Pattern Recognition. Intuition. Assign Field Work. •Gather MORE information. •Sort. Extract. Merge. Collate. Integrate. Consolidate. Automate.

• Efficiencies. ROI. TCO.

i3S Disseminate. Execute. Act. Assist. Support. Help. Facilitate.

• Assign Work

• Intelligence on Demand.

• Verification. Authentication, Fact­ Checks.

• Friend or Foe Decision Making.

i3S

People Risk

The ‘Human Being’ behind every ‘Risk’ related event.

i3S

Shrinkage

One word for Risk, Safety, Security, Surveillance, Graft, Corruption,

Negligence; Stupidity; Ignorance; ill­ informed; uneducated; Theft. Fraud;

Counterfeit; Negligence; Attrition …???

PRAY (People Risk Assessment & Yield) Model

i3S Risk from People

People Actions Costs

Employees

Suppliers

Customers

TEMPS

Catering Staff

Housekeeping

Security Staff

Drivers

Ghost Employees

Order Acceptance

Procurement

Wrong Vendor

Wrong Hiring

Poor Decisions

Direct OR Indirect

Fixed OR Variable

Liable for Litigation Negligence

Graft (CORRUPTION)

Cartel

Behavioural

Not Insured

100% Revenue Loss

Increased Cost

Lower Profits

High Risk Behavour

Stopped Learning

Ego – Alpha­Male

Long term consequence

Personal Debt

Greed

Clinical Problem(s)

No Succession Planning

Poor Due­Diligence

Obsolescence

Re­work & Waste

i3S New Economy Organisational Design

Delivery / Production / Manufacturing

People

Commercial

Sales

Customer Contact

Marketing

Contract Staff

Our Staff

External Outside Control

Internal Our Control

Modern Organisations do not work from one premises. All Staff may not be homogenous; not from one area; community; state or even country. Wireless allows into and out of any location; voice, video & definitely data.

The Enterprise has to be MORE in control while being forced OUT­OF­CONTROL by the

pace of Technology.

i3S Out-sourcing

• Benefits 1. Required Skills. 2. Lower Costs. 3. Quicker Access. 4. Better Systems. 5. More Professional.

• Risks 1. Culture mis­fit 2. Increased Costs. 3. Less co­ordinated. 4. Integration issues. 5. Less­in­control

i3S Types / Categories of Workforce Class A

1. Board, Committee, Association. 2. Our Staff. Permanent. 3. Key Owners, Managers, Stakeholders of Members. 4. VIP’s. Statutory Authorities. Pre­approved Guests/Visitors. 5. Out­sourced Security Key­Managers, Authorised Staff.

Class B 1. Our Security Staff 2. Out­sourced Permanent Security Staff.

Class C 1. OUR or external Part­time OR Temporary Security Staff.

Class D 1. Staff of ‘Member­Units’. Permanent. 2. Temporary Staff. TEMPS. 3. Service­Provider. Utilities. Supplies. Catering. Transport Drivers +

Support­Staff. 4. Any new Employee / Regular LESS than one year of Regularity.

Class E 1. Contractor. Staff. Labour­force. Contractor Suppliers. Contractor

Services. 2. Trade or Manufacturing. Goods Inward and Goods Outward. 3. Waste Disposal. IN and OUT movement.

i3S Risk Level Rating of People

1. 0 to 9 : 9 = no risk; 1 VERY HIGH RISK. 0 = unknown / not assigned.

2. Everyone is assigned a Level 5. Has to earn by time, inputs, self­service, behaviour,

references, feedback to lower the Risk LEVEL.

PRAY (People Risk Assessment & Yield) Model

i3S Negligent Hiring

1. What is negligent hiring? 2. Should all companies be expected to have a

screening policy? 3. Does every employee need to be screened? 4. How much should a company expect to pay

for screening? 5. What can it cost a company should they

chose not to have a screening program? 6. Do you have enough ‘Johari­window’

information to make an offer? 7. Are all screening companies alike?

i3S Negligent Hiring Problems

1. Shrinkage. Theft. Robbery. White collar crime. 2. Security Staff are compromised! 3. Cartels / Organised Crime are formed! 4. IT, data, Information & know­how leaks. 5. Rapists! Women’s Issues. 6. Pornography. Video­Cam. Exploitation. 7. Pedophiles. Children abuse. (Where applicable). 8. Fellow­workers being blackmailed. 9. Paper­work fudging albeit for personal gain.

i3S People Risk examples

1. Ghost Employees. Not on your payroll, not coming to work being paid maybe electronically.

2. Cartel of Security, Catering, Housekeeping & Admin. in waste (and other) removal from the premises.

3. Labour (HR or line Staff) taking a ‘cut’ in recruitment, placement, promotions.

4. Poor Decision­Making. Order Acceptance, Vendor Identification, Technology due­diligence, Loan disbursement. Based on wrong or Inadequate data or information.

5. High­risk behaviour in their personal, private life. Gambling. Drugs. Debt. Wine. Women/Men.

6. Time­allocation. Priorities, motivation, interests in a different direction or area. Non­professionalism.

7. Travel + Stay when it could have been done with Video­ conferencing.

i3S Some Solution(s) Step(s)

1. Rating : Keep a simple score­card. On a scale of 1 to 9 everyone is a 5 till proved otherwise based on Actions and Performance.

2. Internal FIR : Maintain a database of any and all incidents (tangible and intangible) transparent ensuring personal privacy; warnings; let­offs; rewards & recongition.

3. PMS : Perform periodic Reviews. Behavioural as important as Performance.

4. Voperty : The modern­organisation is no longer on one­premises. It is virtual and on­line as much as off­line. Intellectual Property is as important as Property. Trade­secrets, diagrams, customer or supplier databases.

5. Infrastructure Enhancement & Technology Support. 6. KRI : Acquire, implement, maintain and manage a set of Key Risk

Indicators. 7. Process, Methodology, Workflow. Checklists. Visual Maps. Step­

accountability.

i3S Infrastructure Recommendations 1. Single­window Access Control System. (Staff, Catering,

House­keeping, Temps, Security). Audited Attendance. 2. Eyes and Ears on the ground. Networked Cameras;

Adequate Lighting; Sensors for required needs. 3. Triple­play convergent digital networks. 4. Things monitoring. Raw materials & Finished Goods.

Consumables. Fixed and Mobile Assets. Repair­men kits. Catering, Housekeeping, Waste removal.

5. Centralised Servers + Platform for Intergrated, Real­time, Remote & Localised Routine Reporting, Audits and Alert/Alarm Systems.

6. Transparency, Convenience, Ease­of­use, Ergonomics, Managed Queues, Systems, People­flow.

i3S Infrastructure Functionality

Information or Intelligence Domain

Central Intelligence

•Gather Information, OR Intelligence.

•Data. Images. Audio. Video.

•Store. Retrieve. Analyze. Pattern Recognition. Intuition. Assign Field Work. •Gather MORE information. •Sort. Extract. Merge. Collate. Integrate. Consolidate. Automate.

• Efficiencies. ROI. TCO.

Disseminate. Execute. Act. Assist. Support. Help. Facilitate.

• Assign Work

• Intelligence on Demand.

• Verification. Authentication, Fact­ Checks.

• Friend or Foe Decision Making.

i3S Managed Services

1. Choose to work with Riskpro India. (http://riskpro.in) Typically a minimum of 15­month contract.

2. Study, Report, KRI­set & GRC (Governance, Risk & Compliance) Roadmap within one month.

3. Put in place our clextra Software Platform. 4. Identify and Train the ‘Task­force’ on GRC

Roadmap. 5. Maintain, Monitor, Manage, Analyze.

‘Routine’ and ‘Alert’ Reporting to Management.

i3S

Risk Management

i3S Based on the COSO model

i3S Another Model

i3S IT Risk Model

i3S Risk of No Information Risk of No Information & Communications Technology

E D C B A Source Interface Distribution Interface Request SERVERS Web­Pipe Ether­Space Local ISP CLIENTS

1.4 90% plus 1.3 60­89% 1.2 Ok 1.1 Less than 50%

2.4 Predictive 2.3 In­time 2.2 Yesterday 2.1 Post­mortem

3.4 DataHouse 3.3 Database 3.2 11­500 Pages 3.1 1­10 Page

4.4 Video 4.3 Audio 4.2 Visuals 4.1 Text

5.3 Sharing 5.2 Integrity 5.1 Security

5.3 Backup 5.2 Hardware 5.1 Power

Supply Side Supply Side

1

2

Relevance

Timeliness

3

4

5

6 Infrastruc

ture

Quantity

Media

Quality

i3S Any IT-record in your Business 1. Tangible Assets Master 2. Buy Purchase Orders Master 3. Main Metrics 4. Expenses Master 5. Firms Master 6. Inventory Master 7. Invoices Master 8. Mfg. Job­Work Orders Master 9. Intangible Assets Transactions 10. Intangible Assets : Library : Info.Units 11. Owners : Contacts ­ Customers ­ Vendors 12. Individual Employee Master : Login II 13. Teams Master 14. Unit Master 15. RFID Hardware etc. 16. Seats Management Database 17. Individual Users Master : Login I 18. Vehicle Master

i3S User definable #1/3 A000,FORCE MAJEURE A001,Unpredictable A002,Political Forces A003,Terrorism A004,Genuine B000,FINANCE B001,Cash Liquidity B002,Market valuation of Equity B003,Audit B004,Financial due­diligence B005,Technology due­diligence B006,Theft of cash B007,Mis­use of cash B008,Mis­use of documents B009,non­Performing Assets B010,Tax B011,External Audit B012,Internal Audit B013,Depreciation B014,Credit Risk B015,Bad Debt B016,Book Value of Equity­Shares B017,Market Value of Equity­Shares B018,Bull­run B019,Bear­run C000,COMPLIANCE C001,Regulatory Compliance C002,Central Compliance C003,SOX Compliance C004,Stock­Exchange Compliance

C005,Central Labour Compliance C006,Local Labour Compliance C007,Local Safety Compliance D000,LEGAL D001,Major Lawsuit D002,minor Lawsuit D003,Loss of original documents D004,Legal fees D005,Stay order Costs D006,Stay order Time E000,PLANNING E001,Vendor Base. (Contractual and Moral) E002,Customer Base. (Affinity and Purchasing). E003,Sales Projections E004,Expenses Projections E005,Cashflow Projections E006,Meeting Manpower Plans F000,HR FA00,INVESTORS FA01,The Head of the Board FA02,The Board FA03,The CEO FA04,The CEOs Team FA05,Investors ROI needs FA06,Investors Values FB00,EMPLOYEES FB01,Absenteeism FB02,Non­performance FB03,Quality

i3S User definable #2/3 FB04,Quantity FB05,Negligence FB06,Fraud FB07,Unionism FB08,Training FB09,Requisite Operational Skills FB10,Motivation FC00,MANAGERS FC01,Not a Manager FC02,Not a Coach­Leader FC03,Manager Unionism FC04,Labour Unionism FC05,Fraud FC06,Planning FC07,Plan adherence FC08,Gap closure FC09,Training FC10,Requisite Operational Skills FC11,Motivation FD00,BEHAVIOURAL FD01,Narcissistic FD02,Nepotism FD03,Authoritarian FD04,Physical Male­Female FD05,Verbal Male­Female FD06,Submissive FD07,Sycophancy FD08,Destructive Intelligence FD09,Stupid­Dumb­Idiotic FD10,Hands­off

FD11,Hands­on FD12,Motivation FD13,Time­wastage FD14,Gambling FD15,Other pursuits FD16,Indoor inclinations FD17,Outdoor inclinations FD18,Commitment to Quality FD19,Commitment to Quantity FD20,Personal problems FD21,Financial burden FD22,Family problems FD23,Personal Health FD24,Alcoholism FD25,Drugs­Chemicals effect FD26,Obsessive Compulsive Disorder FD27,Attention Deficiency FD28,Hyperactive Syndrome G000,INVENTORY G001,Book Valuation G002,Market Valuation G003,Physical Checking G004,Obsolescence G005,Over­stocking G006,Under­stocking / Stock­outs G007,H. LOGISTICS RISKS G008,Delayed inflow G009,Delayed outflow G010,Transit Damage G011,Transit Theft

i3S User definable #3/3 G012,Transit Spoilage G013,I. PURCHASE RISKS . G014,Quality. Re­work G015,Wastage and write­off. G016,Short­supply H000,MANUFACTURING H001,Line Downtime H002,Partial Downtime H003,Shopfloor Accidents H004,Labour ­ unionism H005,Capacity availability H006,Output efficiency H007,In­logistics Space H008,Out­Logistics Space H009,Power­Energy availability H010,Water availability H011,Flow constraints H012,Process inefficiency H013,Safety Systems J000,REDUNDANCY ­ BACKUP J001,Duplication J002,Backup J003,Alternate System J004,mis­matched capacities J005,Absenteeism J006,People Training J007,Use of Consultants­Advisors

K000,MARKETING KA00,EXTERNAL KA01,Customer understanding KA02,Customer need specifications KA03,Quantity of Reach KA04,Quality of Reach KA05,Too much communications KA06,Too little communications KA07,Market segmentation KA08,Choice of channels KA09,Delivery­Install­Commissioning KA10,Training KA11,Customer Usage KA12,After Market Services KA13,Product Lifecycle Revenue KA14,Product Lifecycle Expenses KA15,Product Lifecycle Profit KA16,Reputation Risk KA17,Brand Dispersion Risk KB00,PUBLICITY KB01,Bad Press due to internal incidences KB02,Bad Press due to extraneous incidences KB03,Investor relations. KB04,ex­employee relations. KB05,Customer relations. KB06,Vendor relations. KB07,Press relations. KB08,Political relations.

i3S Define & Manage Sets Set 1 Set 2 Set 3 Set 4 Set 64 Set 65 Set 7821

A000,FORCE MAJEURE a A001,Unpredictable A002,Political Forces A003,Terrorism a A004,Genuine B000,FINANCE B001,Cash Liquidity a a B002,Market valuation of Equity a B003,Audit a B004,Financial due­dilligence a B005,Technology due­dilligence a B006,Theft of cash a B007,Mis­use of cash a B008,Mis­use of documents B009,non­Performing Assets B010,Tax B011,External Audit B012,Internal Audit B013,Depreciation B014,Credit Risk B015,Bad Debt a B016,Book Value od Equity­Shares a B017,Market Value of Equity­Shares a B018,Bull­run B019,Bear­run a a

A set can have any number of user­definable metrics.

i3S Assign Set to a Record

1 Tangible Assets 2 Buy Purchase Orders 3 Main Metrics 4 Expenses 5 Firms 6 Inventory 7 Invoices 8 Mfg. Job­Work Orders 9 Intangible Assets Transactions 10 Intangible Assets : Library : Info.Units 11 Contacts ­ Customers – Vendors – Agents – Drivers ­ Traders 12 Level II login users : Employee, Customer, Doctor, Patient, Student 13 Teams 14 Unit – Group – Household (In addition to Teams). 15 RFID Hardware etc. Gates, Doors and Access Equipment. 16 Seats ­ Workstations – Desks etc. 17 Level I login users 18 Vehicle

i3S Each Metric includes

1. Cost. On a scale of 0 (no­cost) to 10 (very high); this is the means to ‘level’

ANY and ALL Threats to a business. 2. Vulnerability

On a scale of 0 (none) to 10 (definite) Internal weaknesses and under reasonable control factors.

3. Threat On a scale of 0 (none) to 10 (definite) External factors perhaps with

minimal or no control. 4. Percentage

This is a percentage for leveling. P = C x V x T (Multiplication and Percentage of the above earlier 3 parameters).

5. Statistical Chance Independent of the above, a Standard Market statistical percentage of

an occurrence for this type of risk. Allows upto 4 decimal places. Ie. 1 in 10,000 chance of occurrence.

i3S ICT Best Practices

1. Without SSL encryption, the integrity of data is compromised.

2. Without robust physical and network security, sensitive corporate data is at risk of intrusion

3. Building an effective in­house PKI system will take considerable time and expense. Opt for managed PKI services.

4. Free software will crack your password in 30 minutes. 5. Email is leaking your business secrets. 6. Traditional access control solutions are either ineffective or

costly 7. Your web site can be spoofed with a point and a click. 8. Testing in production is tempting fate. 9. The weakest link in your security is your people. 10. On the web, nobody knows if you are a Martian.

i3S Report : Screenshot

RFID and Physical Location based.

Checklist Approach

i3S Checklist Library(s)

Cycles Feature

hdocs

mdocs (Broadband Scalable )

i3S Inventory Approvals

Incident areas and Bibliography

1. clextra Cupboard dodocs 1. archival system for all periodic Reporting.

2. clextra Cupboard cdocs 1. archival system for all random Reporting.

3. Organisational Filing System. 1. Individual and/or Team based. 2. Selective access to everyone in the organisation. 3. Supports MS Office, schematics, multimedia and/or any

other format. 4. Numbered email. PULL System. (No PUSH). 5. Multimedia File binning. 6. Technology permitting …. SMS, Mobile etc.

i3S Coding System(s) : 2 of 10 s, dozens. 1. Location Code.

Eg. inKAblrAZON01 (13 character code). 1. 2 chars – ISO country code. 2. 2 chars – Country State code. 3. 3 chars – City code. 4. 1 alpha – Zone code. 5. 3 chars – Preferably 9 or 81 directions N,E,W,S,C 6. 2 chars – Cna be sub­zones OR floors OR any other.

2. Device Code inKAblrAZON01­rc000006 1. Device no. 6 Grouped treatment as a Particular type of

Display, or Camera, or IN or OUT gate, reader, writer, sensor etc.

3. Also supported EPC codes; GPS codes and point­ maps on ANY image(s).

i3S

Shrinkage, Risk, Security

Shrinkage Euphemism for Theft. Fraud; Counterfeit; Negligence;

Attrition;

i3S Inventory Shrinkage ... 1. ­ Empty boxes or "hollow squares" in stacked goods. 2. ­ Mislabeled boxes containing scrap, obsolete items or

lower value materials. 3. ­ Consigned inventory, inventory that is rented, or traded­

in items for which credits have not been issued. 4. ­ Diluted inventory so it is less valuable (e.g., adding water

to liquid substances). 5. ­ Increasing or otherwise altering the inventory counts for

those items the auditor did not test count. 6. ­ Programming the computer to produce fraudulent

physical quantity tabulations or priced inventory listings. 7. ­ Manipulating the inventory counts/compilations for

locations not visited by the auditor. 8. ­ Double­counting inventory in transit between locations. 9. ­ Physically moving inventory and counting it at two

locations.

i3S Inventory More Shrinkage

1. ­ Including in inventory merchandise recorded as sold but not yet shipped to a customer.

2. ­ Arranging for false confirmations of inventory held by others.

3. ­ Including inventory receipts for which corresponding payables had not been recorded.

4. ­ Overstating the stage of completion of work­in­process. 5. ­ Reconciling physical inventory amounts to falsified

amounts in the general ledger. 6. ­ Manipulating the "roll­forward" of an inventory taken

before the financial statement date.

i3S Inventory & shrinkage

1. ­ Not retiring WIP and not classifying completed jobs as finished goods after dispatching them to customers.

2. ­ Falsifying computer runs by overriding the WIP applications.

3. ­ Including extraneous elements, like period costs, in WIP tabulations.

4. ­ Excluding job­related direct costs, such as special­ purpose tools and jigs, from WIP tabulations.

5. ­ Tinkering with process cost allocation and overhead calculation functions.

6. ­ Including abnormal process losses in WIP. 7. ­ Overstating the stage of completion of work­in­process. 8. ­ Programming the computer to produce fraudulent

physical quantity tabulations or priced inventory listings

i3S Inventory Not the final word on Shrinkage

1. ­ Physically counted percentage factor. 2. ­ Items requiring further audit scrutiny. 3. ­ Surreptitious check(s) percentage factor. 4. ­ Physical opening and case­label match factor. 5. ­ Increase in count factor from original plan due to findings. 6. ­ Time­gap between disparate location physical counts. 7. ­ Factor of likely owned property/materials/stock. 8. ­ Specialist factor. Does observer understand the inventory?

i3S Loss of Original Documents

1. Litigation. 2. Direct cash loss. 3. Lack of control over your ‘Staff’. 4. Reduced Customer confidence. 5. The ‘good faith’ in which these were given to you

in the first place. 6. Perception of ‘corruption’ and ‘deliberate’ act. 7. Negligence. 8. Inability to ‘store’, ‘monitor’ and ‘manage’ over

long periods of time. (10+ years). 9. Inability to use technology such as Library

Science methods, barcode, RFID etc. 10. Inability to cost per­document storage and ROI,

TCO for Document Management.

i3S Other fraud

1. Identify Theft. 2. Credit Card. 3. Password Theft. 4. TCP­IP Theft. 5. Patent Infringement. 6. Copyright, Trademark Theft. 7. Industrial espionage. 8. Counterfeits and Knock­offs.

i3S

GPS etc.

Integrating GPS, GIS, GPRS, 3G, RFID, AutoID & related technologies

onto a Single Unified Integrated Real­time Remote Triple Play

Solution.

i3S Geography : 7 level Detail

i3S Map Tracks : Actual Path(s)

i3S Route Maps : Commute etc.

i3S Beats, Timings, Circuits

i3S i3S Incident(s) Database

1. MANUAL and/or AUTO­ENTRY Recording of all incidents.

2. MANUAL cataloging and bibliography of incidents.

3. THEREFORE search of incidents. 4. Checklists for follow­up & Tracking. 5. Opening of a ‘Case’ for legal procedure.

Information and evidence handling, court follow­up.

i3S i3S Case(s) Tracking

1. If FIR is registered. 2. Case Development and Management. 3. Evidence and Support information. 4. Court dates and Follow­up. 5. Long­term tracking of all Cases. 6. Costs and Decision making related to each

Case.

i3S i3S Storage Solution

i3S i3S Bibliography, Search etc.

i3S

Individual Risk

The ‘Human Being’

i3S Typical Certification Areas

1. Access Control 2. Application Development Security 3. Business Continuity and Disaster Recovery Planning 4. Cryptography 5. Information Security Governance and Risk

Management 6. Legal, Regulations, Investigations and Compliance 7. Operations Security 8. Physical (Environmental) Security 9. Security Architecture and Design 10. Telecommunications and Network Security

i3S

Video Analytics

i3S Features 1. Assuming 100’s of 1000’s of camera / eyes are deployed … 2. Primary thinking and application is deterrence. 3. Can’t CAPTURE, TRANSMIT and STORE ALL in high­definition; 25 fps; Colour …

the costs are astronomical. 4. Any ‘real­time’ alerts from streaming­live from multiple camera automation based on

Pattern Recognition is WAY TOO EXPENSIVE and NOT REALISTIC. 5. Being pro­active cannot imply predicting ‘what will happen’ or ‘the future’. 6. So what do you capture …

1. Assume last­hour or last 3­days or whatever. 2. Pre­alert and post­alert EXTRACT from the above stream. 3. CLEAR bibliography; date, time, physical location, camera, view, quality, quantity, length,

guard­on­duty etc. etc. 4. Alerts can happen …

1. in­camera – Motion Detection. Field of View. Range of programmable features. License Plat recognition.

2. non­camera – Sensors. Vibration. Trip­wire. Light. Noise. RF. Optical etc. etc. etc. 3. Currency. Cheques. Documents or other Verification.

7. Intelligence on the Edge 1. Camera stores full­streams locally. Discarding after pre­set life­cycles. 2. UPLOAD to central STORE any and all incidents. 3. Create an clextra bibliography record for every UPLOAD.

8. Guard­Services Alert 9. Forensics. Evidence. Search. Analytics.

i3S Guard Services 1. Guards have to watch 100’s at a time. NOT POSSIBLE. 2. Guards are human. Don’t expect them to watch even ONE

all the time. 3. When an ALERT happens; must be able to localise;

locate; have decision­options and mobilise to tackle the ALERT as appropriate.

4. Systems of ALERT prioritisation. 1. Fire. Earthquake. Flood. 2. Dacoity. Terrorist Threat. Bomb. 3. Single Incident. Armed vs Un­armed. 4. Small start threat. Smoke. Water. Gas­Lead etc. 5. Tampering alert. Door. Window. Cables. Camera etc. 6. Client or Customer THEFT vs Employee THEFT. 7. System Authority. CEO. Police. Guards themselves. 8. Infringement. Person in non­authorised zones. 9. Infringement. Animals. Dogs. Cats. Rodents. Pests.

5. Risk and False­alarm RULES Management.

i3S Not just your cameras there are more 1. Storefronts 2. In­Store Cameras. 3. Gas Stations 4. Police stations 5. Businesses 6. Government & Office Buildings 7. Houses. Estates. Gate Security. Guard Security. 8. Traffic cams. Red light cams. 9. Taxi companies – Most taxis nowadays have dash

cams, and a driver can manually trigger them 10. Any witnesses with cellphones 11. Any witnesses with digital cameras, camcorders 12. Any witnesses. Record their statements with your

on­hand camera.

i3S Someone should want to

1. Pay for it. 2. Look at it. 3. Use it. 4. Make it count. 5. Just evidence. Seeing is believing. 6. Use it as evidence in a court of law. 7. Save a life. 8. Save property. 9. Save time. 10. Do something … for someone.

i3S The face of Information Security

1. There is someone looking over your shoulder.

2. Uniform & Authority Matter.

3. He is trained and tough. 4. This person is authorised

‘internal’ and ‘by law’ to act on our behalf.

5. This person is Technically Qualified and aware.

6. If you ‘cross the line’ … you are in trouble.

7. You can ask me as to ‘what the line is’.

8. Honestly; I am here to help you do your job ‘honestly’.

i3S

Cash Security

i3S Counterfeit Management

1. Identifying counterfeit NOTES and COINS requires a combination of AUTOMATION & PEOPLE skills. 1. Automation Concerns

1. Automated kiosks DO NOT have this luxury and have to be able to stand­alone and independently decide to ACCEPT or REJECT.

2. Reject in many instances can mean loss of Business and Consumer confidence.

3. Automated kiosks can be mis­used for money­laundering; coin hoarding; higher­note disposal etc.

2. Manual Concerns 1. Remove the drudgery of counting. 2. ONUS on protecting and end­of­shift settlement. 3. Know how to be able to identify counterfeit.

i3S The Solution

1. Coin operated Vending Machines. 2. Coin or Cash based Media Dispensing. 3. Ticketing kiosks. 4. Utilities Bill Payment by Cash and/or Smartcards and/or

Debit and/or Credit Cards. 5. GPS, GIS, GRPS, GSM, RFID based Tracking. 6. Touch screen based interaction. 7. Network integration with central computing facilities. 8. Local alarms & alerts; including automated and manual

video surveillance. 9. Supply of HARDWARE, SOFTWARE, SYSTMES­

PROCESS­METHODOLOGY starting with Awareness Training.

10. Pre­Sale; In­Sale and Post­Sale Staff & User training.

i3S Who needs this

1. Any business handling cash. 2. Banks. Cash deposit. Cash withdrawal. 3. Coin­to­cash and cash­to­coin exchangers. 4. Retail operations. 5. Notes and/or Coins counting. 6. Government Utilities. Receipt Printing. 7. Parking. Ticketing. Events. Journey slips. 8. Vehicle Parking. 9. Toll Gates and pay­per­use applications. 10. Currency Exchange.

Base of Experts, Advisory, Staffing & Consulting.

The Firm

Software, Backend, Tool & Platform

Business Model, Methodology, and System(s)

Full­range services in Governance, Risk & Compliance

Systems Integrators

http://www.edgevalue.com http://www.clextra.in

casper@edgevalue.com © JAN 1999 Edgevalue

62 B Modi Residency Miller Road

Bangalore 560 042 INDIA Phone : 91 (india) 80 (bangalore) 2595 0059

Cellphone : 98450 61870