Sunday, July 13, 2008

IT Policy Compliance Group Issues 2008 Report on Best Practices

(Courtesy of

The IT Policy Compliance Group just released their annual report on the state of affairs of what they refer to as IT governance, risk and compliance (IT GRC).

The goal of the group is to promote the development of research and information to assist IT and Finance professionals meet their organization's policy and regulatory compliance goals. They do this by providing information for organizations to improve compliance results by providing reports based on primary research.

If you take the time to check out their site, they have other items of interest to anyone charged with the ever growing responsibility of protecting systems from those who have the intent to compromise them.

The recently released report suggests that measuring the value delivered by IT has been traditionally associated with applications that have an impact on customer service, sales, expenses and profit. Unfortunately -- as more organizations have their data compromised -- the result of not protecting information can be a loss of revenue, added expenses (legal costs), and a loss of consumer trust.

This is especially true, if the compromise becomes a matter of public record.

Included in the report are an analysis of recent losses incurred by a large retailer ($530 million) and a large financial services firm ($100 million). The analysis takes into account the loss of revenue due to business disrruption, loss of consumer trust in addition to the harder costs, such as legal expenses. Other analysis includes losses suffered by a automotive manufacturer and a rental and leasing company.

IT departments are constantly being challenged to be up and running 100 percent of the time to maximize efficiency. While doing this, they need to protect their data and adhere to legal and regulatory requirements at the same time.

The challenge is to manage business opportunity and risk at the same time. The 2008 report shows that the firms with the most mature practices in compliance and risk management are doing better and spending less to achieve their goals. This translates into more revenue, profit and customer retention.

The report shows that continuous improvement in risk management and compliance with a focus on operational excellence is paying dividends. Organizations with a mature compliance process have evaluated their processes and made them part of the culture within an organization. While this encompasses the involvement of all facets of an organization, two key items are the support of senior management and training employees to embrace a culture of compliance.

The most mature firms have developed formalized training for their employees, supported by senior management, on subjects like ethics and codes of conduct, IT security and data protection policies, legal compliance, as well as, subjects like sexual harassment and discrimination. They have also developed processes and trained their employees how to deal with emergency situations.

The human factor is always the key to success in any organization. It makes sense that successful organizations focus their efforts through their most valuable resources, which are human beings. Very few exploits are successful without a healthy dose of social engineering.

Also of interest in this informative report is an analysis of results by industry and size. One shoe doesn't necessarily fit all and taking the time to examine all the different types of organizations that use technology to accomplish their goals makes the report a valuable read.

The report, which is located on, is only available to members of the site. Saying that, the site is soliciting new members and the sign-up process is simple.

Besides this report, the site has a lot of other valuable information on it, also. I would recommend the site and it's resources to anyone interested in the mysterious world of compliance because it takes it to the level of making sense and developing best practices that will benefit the overall objectives of any organization.

UC Irvine Staff Nails ID Thief in Texas

A former UnitedHealthCare worker, who stole the personal and financial information of at least 1100 University of California, Irvine students has been arrested in Dallas, Texas.

Michael Tyrone Thomas, of Fort Worth, was arrested at his home and is being held on $300,000 bail. The authorities are alleging Thomas stole the information while working at UnitedHealthCare in December 2007. They are also charging that Thomas used the information to fill out fraudulent tax returns using 163 identities stolen in the caper.

According to the Houston Chronicle, a spokesman for UnitedHealthCare didn't return their call concerning the arrest on Friday. I went to the UnitedHealthCare site and found nothing mentioned about this case as of this writing.

It appears that the investigation was initiated by the UC Irvine Police after students started complaining about identity theft in March. Specifically, they complained about someone using their information to fill out bogus tax returns. University computer experts took a look at their systems and found no signs of a breach. Subsequently, University Police investigating the case discovered all the students were enrolled in a insurance program administered by UnitedHealthCare.

A press release on the UC Irvine site gave credit to UCI Police Sergeants Tony Frisbee, Shaun Devlin and Corporal Caroline Altamirano for working closely on the case with the Dallas District Attorney's Office. The release indicates that they expect additional arrests and that the IRS will be investigating the tax fraud implications in the case.

Recently, the National Taxpayer Advocate, issued a report to Congress indicating that tax fraud involving the use of stolen identities has grown 644 percent in the past four years. In a lot of these cases, forged W-2's are used to claim an earned income credit, which can net the fraudster thousands of dollars per return.

In my post on this story, I mentioned that the IRS has a dedicated page to assist identity theft victims when their information has been used to commit tax fraud. The Houston Chronicle article mentioned that UnitedHealthCare will be offering free credit monitoring and that UCI will be offering loans to the affected students. It also mentioned that UCI Police Chief, Paul Henisey doesn't think the rest of the names were used because the reports of identity theft dropped off in late June.

Free credit monitoring seems to be the standard offer to victims when a data breach is disclosed, but it doesn't necessarily reveal all forms of identity theft. Credit bureaus do not track what information is being used to file a tax return and would be worthless in the already known cases. Other examples when credit monitoring might not be the end-all solution to identity theft protection are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

If I were one of the affected UC Irvine students, I wouldn't turn down the free credit monitoring (it does help in a lot of instances), but I would also visit the Identity Theft Resource Center's Financial Identity Theft - More Complex Cases page to educate myself a little further.

So far as Chief Henisey's prediction that this case is over -- I certainly hope it is -- but it wouldn't be prudent for everyone to let their guard down just yet. Information is bought and sold in a lot of places (including over the Internet) for the purpose of identity theft. There is no way of telling, whether or not, any of this information was passed to someone else for a profit.

Saying that, it's refreshing to see the culprit caught in this case and the UC Irvine Police Department (along with other University staff) did an excellent job in their investigation. It isn't very often when one of these cases is traced to the person behind it.

DOD Analyst Convicted for Selling Information to China

Despite a lot of official denials, it seems pretty clear the Chinese have no qualms about stealing as much intellectual property as they can get their hands on.

On Friday, the Department of Justice announced that one Gregg William Bergersen of Alexandria, Virginia was sentenced to 57 months in prison (plus three years of supervised release) for disclosing secret information to a naturalized American citizen of Chinese descent (Tai Shen Kuo), who was then providing it to the People's Republic of China.

In his day job, Gregg Bergersen was a Department of Defense Analyst.

Kuo provided Bergersen with gifts, cash payments, dinners and gambling money in exchange for the information. The information involving military sales to Taiwan was then passed to Kuo's handler, an official of the People's Republic of China.

The official DOJ press release states that Bergersen didn't know the information was going to China. It would be interesting to discover, who he thought it was going to?

Kuo, who was found guilty on May 13th, is currently awaiting sentencing on August 8th and faces life in prison.

On May 28th, Yu Xin Kang, also of New Orleans pleaded guilty to aiding and abetting an unregistered agent of the People's Republic of China. According to court documents, Kang sometimes assisted Kuo in providing the stolen information to the unnamed foreign official. Kang faces ten years in prison.

Last year, another naturalized American citizen of Chinese descent, Chi Mak, was convicted of selling sensitive defense technology to China. This case was a family affair and Mak's sister in law and brother were caught by the FBI trying to board a plane to China with three encrypted CD's containing the stolen information.

The FBI site covered the Bergersen/Kuo case and another one involving a Boeing engineer, Dongfan “Greg” Chung, in a recent press release. Allegedly Chung was tied into the Mak case and sold information on the Space Shuttle and military aircraft to the People's Republic of China.

Although, the government isn't commenting much there is speculation that they are investigating information being stolen from Commerce Secretary Carlos M. Gutierrez's laptop during a recent visit to China. It is alleged that this information was used to hack into government computers.

Hacking incidents traced to the Chinese, although always denied by the PRC, have been reported all over North America, Europe and even Asia. A good place to learn about Chinese hacking activity is a site (maintained by a former DOD official) called The Dark Visitor (Information on Chinese Hacking) .

The Chinese are also suspected (in a lot of instances) of stealing corporate information. According to sources within the technology industry, it isn't recommended to carry laptops or other personal data storage devices when travelling in China.

On a personal note, I believe a lot of this is enabled by our free trade agreement with the People's Republic of China. While this agreement is lucrative for a few corporate entities -- the wholesale theft of intellectual property, counterfeiting, unsafe and defective products, as well as, all the human rights violations in China call for taking a hard and educated look at what is going on.

The problem is will special interests -- who represent the corporate entities making a lot of money from this -- prevent our leadership in Washington from taking effective action against what is becoming an alarming issue?

If you suspect anyone of selling government secrets, you can report them to the FBI by submitting an anonymous tip online.