Hacking tool targets SSL vulnerability

By Steven Musil, CNET News, 25 October, 2011


Hackers have released a program they say will allow a single computer to take down a web server using a secure connection.

The THC-SSL-DOS tool, released on Monday, purportedly exploits a weakness in the Secure Sockets Layer (SSL) renegotiation feature: a single client can repeatedly ask the server to renegotiate over one already open connection, and each renegotiation costs the server far more CPU time than it costs the client. SSL renegotiation allows websites to create a new security key over an already established SSL connection.

A German group known as The Hacker's Choice (THC) said it released the tool to bring attention to flaws in SSL, the protocol that lets sensitive data flow between websites and individual users' computers without being intercepted. "We are hoping that the fishy security in SSL does not go unnoticed," an unidentified member of the group said in a blog post.

The Criticality Of Risk Assessments: FISMA, HIPAA, And Other Regs

Risk assessments are a critical part of regulatory compliance, but many organizations don't implement them well

Sep 04, 2011, By Richard E. Mackey, Jr., Dark Reading

One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments.

What is a formal risk assessment?

Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to acknowledge and accept the risk, eliminate the risk by terminating a business practice (e.g., stop offering access to the asset via the Web), transfer the risk by outsourcing or insurance, or, more often than not, select additional, more effective business or technical controls to reduce the risk.

Benefits Of Formal Risk Assessments

Conducting formal assessments within a risk management program offers a number of benefits:

1. requires business and technical representatives to reason about risk in an objective, repeatable way
2. requires consistent terminology and metrics to discuss and measure risk
3. justifies funding for needed controls
4. identifies controls that can be eliminated
5. provides documentation of threats that were considered and risks that were identified
6. requires business and IT to acknowledge the responsibility for ownership of risk
7. requires organizations to track risks and reassess them over time and as conditions change

There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant Web presence could be overkill for a small organization with a few customers. If the threats are different and the environment is different, then it stands to reason that the controls might be different. It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk-based. This approach makes sense when one standard needs to apply to everyone.

Choosing A Risk Management Framework

If your organization needs to comply with FISMA, then your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management life cycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which is being revised). SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization. Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that helps organizations meet their security and regulatory requirements.

Richard Mackey is vice president of consulting at SystemExperts Corp.

The SSL certificate industry can and should be replaced

October 12, 2011

A new alternative, called Convergence, is picking up steam

By Ellen Messmer | Network World

The SSL certificate authorities like Comodo that have had their security undermined by hackers shouldn't be trusted, and in fact, the way the entire SSL certificate industry of today works can and should be replaced with something better, says Moxie Marlinspike, a security expert who's come up with a plan he says will do that.

Marlinspike's plan, unveiled last August at the Black Hat Conference, is called "Convergence," and it's gaining some momentum, particularly after the shocking hacker attacks on DigiNotar, GlobalSign, Comodo, and other SSL certificate authorities of late that resulted in fake certificates coming into use on the web, including a fake Google certificate, since revoked.

Marlinspike's Convergence is radically different from the situation today, where the web of trust is based on an SSL server certificate signed by a certificate authority and recognized by the user's browser, based on recognition of the certificate authority that's programmed in by the browser vendors. Marlinspike thinks this whole system -- which props up the multi-million-dollar certificate authority business today -- should be dumped in favor of the user more directly controlling how the browser trusts certificates, based on so-called Convergence "notaries" providing online feedback about what to trust. To work, the user needs to have the Firefox browser plug-in for Convergence that Marlinspike makes available.

"Originally, I was the only notary," says Marlinspike, noting that today there are more than 50 Convergence notaries, including the Electronic Frontier Foundation and security vendor Qualys. The idea is that the Convergence notaries, based on the user's own selection of which ones they prefer, electronically inform the user whether the SSL certificate is considered valid. Marlinspike says there are 30,000 active Convergence users today.

Marlinspike's ideas are starting to get some support from the security industry. Qualys Director of Engineering Ivan Ristic says the research Qualys has done shows Convergence is a "viable alternative" to the general way the SSL ecosystem works today, "but in order for it to be successful, it will also need a critical mass."

"We have been researching the SSL ecosystem for some time now — publishing our tools and documentation on the SSL Labs web site — so it was only natural that we took interest in Convergence, which aims to solve some of the inherent security issues in the way we currently determine trust," Ristic says. Instead of trying to fix today's weaknesses by "keeping existing arrangements," Ristic says, Convergence "is different; it's a proposal to try something completely different." Qualys wants to "play our part and assist in its growth, and give it a chance," he adds.

Marlinspike, CTO at Whisper Systems, says Convergence is his personal project and he doesn't have expectations about how it can be a revenue-generating business. But he's scornful of the current arrangement in which browser vendors have somewhat "hardwired" in their support for the certificate authorities, particularly the big ones like VeriSign, Entrust, Thawte and Comodo. After the DigiNotar hack, for example, Microsoft made much of changing its browser to no longer support DigiNotar. DigiNotar itself was forced to declare bankruptcy as a direct repercussion of being hacked. Comodo issues one-quarter to one-fifth of the certificates on the Internet, and removing support for Comodo in the browser would be hugely disruptive operationally in the current system. But the underlying security for it all is just "an illusion," according to Marlinspike. He pointed out, "We've made a decision to trust Comodo forever, regardless of whether they continue to earn that trust."

Marlinspike continued, "What happened to DigiNotar is the kind of thing that happens every day. It was an accident anyone ever noticed. If the hackers hadn't been stupid, no one would have ever noticed."

Marlinspike points out that Convergence is "totally backward compatible" with the current SSL certificate system and the "user experience is exactly the same as now." It's simply that in the Convergence model, the notaries you contact tell you whether they believe the certificate is valid or not. Through multiple answers to that question, validation improves through consensus. Businesses can keep getting signed certificates if they want, but the validation for them changes according to what the user trusts.

NHS loses CD of 1.6 MILLION patients' records

'We reassure you it was old data'. Sure, my DOB's changed

By Guardian Healthcare Network, posted in Government, 20th September 2011

An NHS trust has told patients that it is acting to improve its data handling practices after a rebuke from the Information Commissioner's Office (ICO) for losing a CD containing details on 1.6 million people.

Chief executive of NHS Kent and Medway Ann Sutton said that information is now more secure following the implementation of encryption systems to replace the use of floppy discs and CDs.

Last week the trust was handed an undertaking by the information watchdog after sending the personal information to a landfill during an office move in March. The ICO said the data contained the names, addresses, dates of birth, NHS numbers and GP details of those affected.

In a statement on the trust's website, Sutton said that the data had not been recovered and that the trust had accepted the ICO's report on the incident. She said: "While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current - the most recent information was from 2002."

Sutton added: "We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident. The information commissioner's recommendations to improve them further will be implemented fully."

Hackers break SSL encryption used by millions of sites

By Dan Goodin in San Francisco, posted in ID, 19th September 2011

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL. The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

FISMA compliance to require monthly reports

Dan Kaplan, September 19, 2011

Federal agencies soon will be required to report on their information security health on a monthly basis, instead of annually, according to a memo from the federal Office of Management and Budget.

As part of their compliance with the Federal Information Security Management Act (FISMA), agencies must, beginning next month, submit data from their automated security management tools into CyberScope, an application that went online in 2009 and is used to securely and efficiently report security-related information and provide analysis.

"This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information – delivered more quickly than ever before," OMB Director Jacob Lew wrote in the memo, issued last week.

The monthly requirements also include answering questions in CyberScope that address risk. They are meant to determine whether an agency is effectively implementing its security functionality. In addition, under the reporting mandates, agencies must work with government specialists through sessions and interviews to improve their security stance.

Marcus Sachs, a former U.S. government cyber official, said increased reporting requirements, in both the private and public sector, tend to occupy man-hours that would be better spent working the problem. But he said that forcing senior management to sign off on regular reports could shine a light on the need for more security resources.

"I think in one sense, increasing the [reporting] burden does take away from the few people who are really good at cybersecurity," he told SCMagazineUS.com on Monday. "On the other hand, it does increase the awareness of the senior leaders. Nobody is going to sign off on it unless it's accurate."

History of DoS - Denial of Service Attacks


DigiNotar SSL Hack Diagram | Cyber Chatter

This is an ongoing diagram of the DigiNotar SSL Hack. I will update this as I work on it. I just think that this will help some people to understand the scope of this attack. This is from the spreadsheet I got from the TORProject… http://uscyberlabs.com/blog/?p=840

Apache server and security

Some hints and tips on security issues in setting up a web server. Some of the suggestions will be general, others specific to Apache.

Keep up to Date
The Apache HTTP Server has a good record for security and a developer community highly concerned about security issues. But it is inevitable that some problems -- small or large -- will be discovered in software after it is released. For this reason, it is crucial to keep aware of updates to the software. If you have obtained your version of the HTTP Server directly from Apache, we highly recommend you subscribe to the Apache HTTP Server Announcements List where you can keep informed of new releases and security updates. Similar services are available from most third-party distributors of Apache software.

Of course, most times that a web server is compromised, it is not because of problems in the HTTP Server code. Rather, it comes from problems in add-on code, CGI scripts, or the underlying Operating System. You must therefore stay aware of problems and updates with all the software on your system.

Permissions on ServerRoot Directories
In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users -- since root never executes any files out of there, and shouldn't be creating files in there.

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.
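As an added example (not part of the Apache documentation this section is adapted from), the following POSIX shell script turns the ownership and permission requirements above into a check you can run against an installed server. It walks every ancestor of ServerRoot, then ServerRoot itself, bin, conf, logs and the httpd binary, and reports any path that is not owned by root or that is writable by group or others. The ServerRoot path /usr/local/apache is the one used in the text; APACHE_ROOT_UID is an assumed knob (default 0, i.e. root) that exists only so the checks can be exercised on a scratch tree owned by an unprivileged user.

```shell
#!/bin/sh
# Audit an Apache ServerRoot tree: every directory from / down to ServerRoot,
# plus bin, conf, logs and bin/httpd, must be owned by root and writable by
# root only. Added example, not from the Apache documentation.

# Owner that every audited path must have. Defaults to root (uid 0); the
# variable is an assumption of this example so the checks can be tried on
# a scratch tree that an ordinary user owns.
: "${APACHE_ROOT_UID:=0}"

# check_path PATH
# Prints one line describing PATH and returns 0 if it is owned by
# $APACHE_ROOT_UID and is not group- or world-writable, 1 otherwise.
check_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "MISSING   $p"
        return 1
    fi
    # ls -ldn prints numeric ids: "drwxr-xr-x 2 0 0 4096 Oct 25 12:00 /path"
    set -- $(ls -ldn "$p")
    perm=$1
    uid=$3
    rc=0
    if [ "$uid" != "$APACHE_ROOT_UID" ]; then
        echo "NOT-OWNER $p (uid $uid, expected $APACHE_ROOT_UID)"
        rc=1
    fi
    # In the 10-character mode string, position 6 is group write and
    # position 9 is other write. Either one lets a non-root user replace
    # the directory entry (or the file) that root will later execute or write.
    case $perm in
        ?????w*|????????w*)
            echo "WRITABLE  $p ($perm)"
            rc=1
            ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "ok        $p"
    fi
    return "$rc"
}

# audit_serverroot SERVERROOT
# Checks every ancestor directory, ServerRoot itself, the three
# subdirectories the text creates, and the httpd binary. Returns the
# number of problems found (0 means the tree is safe).
audit_serverroot() {
    root=$1
    chain=""
    p=$root
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        chain="$p $chain"
        p=$(dirname "$p")
    done
    problems=0
    for path in / $chain "$root/bin" "$root/conf" "$root/logs" "$root/bin/httpd"; do
        check_path "$path" || problems=$((problems + 1))
    done
    echo "$problems problem(s) found under $root"
    return "$problems"
}

# Usage: sh audit_serverroot.sh /usr/local/apache
if [ $# -gt 0 ]; then
    audit_serverroot "$1"
else
    echo "usage: $0 /path/to/ServerRoot" >&2
fi
```

Run it as root after installation and again after every upgrade; a NOT-OWNER or WRITABLE line on any ancestor directory is as serious as one on the httpd binary itself, since whoever controls a parent directory can rename the child out of the way.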

Server Side Includes
Server Side Includes (SSI) present a server administrator with several potential security risks.

The first risk is the increased load on the server. All SSI-enabled files have to be parsed by Apache, whether or not there are any SSI directives included within the files. While this load increase is minor, in a shared server environment it can become significant.

SSI files also pose the same risks that are associated with CGI scripts in general. Using the exec cmd element, SSI-enabled files can execute any CGI script or program under the permissions of the user and group Apache runs as, as configured in httpd.conf.

There are ways to enhance the security of SSI files while still taking advantage of the benefits they provide.

To isolate the damage a wayward SSI file can cause, a server administrator can enable suexec as described in the CGI in General section.

Enabling SSI for files with .html or .htm extensions can be dangerous. This is especially true in a shared, or high traffic, server environment. SSI-enabled files should have a separate extension, such as the conventional .shtml. This helps keep server load at a minimum and allows for easier management of risk.

Another solution is to disable the ability to run scripts and programs from SSI pages. To do this replace Includes with IncludesNOEXEC in the Options directive. Note that users may still use <!--#include virtual="..." --> to execute CGI scripts if these scripts are in directories designated by a ScriptAlias directive.

CGI in General
First of all, you always have to remember that you must trust the writers of the CGI scripts/programs or your ability to spot potential security holes in CGI, whether they were deliberate or accidental. CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user and can therefore be extremely dangerous if they are not carefully checked.

All the CGI scripts will run as the same user, so they have potential to conflict (accidentally or deliberately) with other scripts e.g. User A hates User B, so he writes a script to trash User B's CGI database. One program which can be used to allow scripts to run as different users is suEXEC which is included with Apache as of 1.2 and is called from special hooks in the Apache server code. Another popular way of doing this is with CGIWrap.

Non Script Aliased CGI
Allowing users to execute CGI scripts in any directory should only be considered if:

•You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
•You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.
•You have no users, and nobody ever visits your server.

Script Aliased CGI
Limiting CGI to special directories gives the admin control over what goes into those directories. This is inevitably more secure than non script aliased CGI, but only if users with write access to the directories are trusted or the admin is willing to test each new CGI script/program for potential security holes.

Most sites choose this option over the non script aliased CGI approach.

Other sources of dynamic content
Embedded scripting options which run as part of the server itself, such as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of the server itself (see the User directive), and therefore scripts executed by these engines potentially can access anything the server user can. Some scripting engines may provide restrictions, but it is better to be safe and assume not.

Protecting System Settings
To run a really tight ship, you'll want to stop users from setting up .htaccess files which can override security features you've configured. Here's one way to do it.

In the server configuration file, put

<Directory />
    AllowOverride None
</Directory>

This prevents the use of .htaccess files in all directories apart from those specifically enabled.

Protect Server Files by Default
One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.

For instance, consider the following example:

# cd /; ln -s / public_html
Accessing http://localhost/~root/

This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example,

<Directory /usr/users/*/public_html>
    Order Deny,Allow
    Allow from all
</Directory>

<Directory /usr/local/httpd>
    Order Deny,Allow
    Allow from all
</Directory>

Pay particular attention to the interactions of Location and Directory directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it.

Also be wary of playing games with the UserDir directive; setting it to something like ./ would have the same effect, for root, as the first example above. If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:

UserDir disabled root
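To make the settings from this section and the two before it (IncludesNOEXEC, AllowOverride None, the default-deny Directory block and UserDir disabled root) checkable, here is an added example in POSIX shell; it is not part of the Apache documentation. It is a small lint that strips comments from an httpd.conf and reports four things: a <Directory /> block lacking AllowOverride None, a <Directory /> block lacking Deny from all, a missing UserDir disabled root, and any Options line that turns on Includes without NOEXEC. It is line-oriented, not a configuration parser, so it cannot tell whether a later block re-opens what an earlier one closed; treat a clean result as a necessary check, not a sufficient one. The weak and hardened configuration files are constructed inline for this example; their paths and the nobody user are assumptions.

```shell
#!/bin/sh
# Lint an httpd.conf for the protections described in the text:
# .htaccess overrides off, default deny for the filesystem, root's home
# not reachable via UserDir, and no exec-capable Server Side Includes.
# Added example, not part of the Apache documentation. Line-oriented;
# it is not a full configuration parser.

# root_block_has FILE REGEX
# Returns 0 if a <Directory /> block in FILE contains a line matching the
# lower-case regex. Comments are stripped first so a commented-out block
# does not count as present.
root_block_has() {
    sed 's/#.*//' "$1" | awk -v want="$2" '
        tolower($0) ~ /<directory \/>/     { inside = 1 }
        inside && tolower($0) ~ want       { found = 1 }
        tolower($0) ~ /<\/directory>/      { inside = 0 }
        END { exit !found }'
}

# has_directive FILE REGEX -> 0 if an uncommented line matches (case-insensitive)
has_directive() {
    sed 's/#.*//' "$1" | grep -qi "$2"
}

# check_httpd_conf FILE
# Prints one finding per line; returns 0 when nothing is found.
check_httpd_conf() {
    f=$1
    bad=0
    if ! root_block_has "$f" 'allowoverride[ \t]+none'; then
        echo "MISSING <Directory /> AllowOverride None  (.htaccess can override your settings)"
        bad=1
    fi
    if ! root_block_has "$f" 'deny from all'; then
        echo "MISSING <Directory /> Deny from all       (default access to the whole filesystem)"
        bad=1
    fi
    if ! has_directive "$f" '^[[:space:]]*userdir[[:space:]][[:space:]]*disabled.*root'; then
        echo "MISSING UserDir disabled root            (~root can expose /)"
        bad=1
    fi
    # An Options line that enables Includes (not -Includes) without NOEXEC
    # lets <!--#exec cmd="..."--> run programs as the server user.
    if sed 's/#.*//' "$f" | grep -i '^[[:space:]]*options' \
            | grep -i '[[:space:]+]includes' | grep -qvi 'includesnoexec'; then
        echo "WEAK    Options Includes                 (use IncludesNOEXEC)"
        bad=1
    fi
    return "$bad"
}

# write_sample_configs DIR -> DIR/weak.conf and DIR/hardened.conf (constructed)
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
ServerRoot "/usr/local/apache"
User nobody
Group nobody
UserDir public_html
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks Includes
    AllowOverride All
</Directory>
# Default deny was "temporarily" disabled during a migration:
#<Directory />
#    Order Deny,Allow
#    Deny from all
#</Directory>
EOF
    cat > "$1/hardened.conf" <<'EOF'
ServerRoot "/usr/local/apache"
User nobody
Group nobody
UserDir public_html
UserDir disabled root
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks IncludesNOEXEC
    Order Deny,Allow
    Allow from all
</Directory>
EOF
}

# Usage: sh conf_lint.sh /usr/local/apache/conf/httpd.conf
# With no argument, lint the two constructed sample files.
if [ $# -gt 0 ]; then
    check_httpd_conf "$1"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for c in weak hardened; do
        echo "== $c.conf"
        check_httpd_conf "$tmp/$c.conf" && echo "no findings"
    done
    rm -r "$tmp"
fi
```

The Order/Deny/Allow directives this page uses are the mod_access syntax of Apache 2.2 and earlier; on 2.4 the default-deny block is written as Require all denied, and a lint like this would have to look for that instead.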

Watching Your Logs
To keep up to date with what is actually going on against your server you have to check the log files. Even though the log files only report what has already happened, they will give you some understanding of what attacks are being thrown against the server and allow you to check whether the necessary level of security is present.

A couple of examples:

grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
grep "client denied" error_log | tail -n 10

The first example will count the attempts to exploit the Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability; the second example will list the last ten denied clients, for example:

[Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd

As you can see, the log files only report what already has happened, so if the client had been able to access the .htpasswd file you would have seen something similar to:

foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"

in your access log. This means you probably commented out the following in your server configuration file:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
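The two grep one-liners above are easy to build on. As an added example that is not part of the original text, the following POSIX shell script runs the same kind of checks over sample access_log and error_log files. The sample lines are constructed for this example, modelled on the two shown above and written in the common log format with a status code and byte count. The script counts requests refused by the server configuration, lists the most recent denied clients, counts the Tomcat source.jsp probe, and, the check that matters most, finds requests for .ht* files that were answered with a 2xx status, which means the file was actually served. The file paths are assumptions; point the functions at your own logs.

```shell
#!/bin/sh
# Log checks for an Apache server, as described in the text above.
# Added example, not part of the Apache documentation. The sample log
# lines below are constructed for this example.

# write_sample_logs DIR
# Creates DIR/error_log and DIR/access_log with constructed entries.
write_sample_logs() {
    cat > "$1/error_log" <<'EOF'
[Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd
[Thu Jul 11 17:19:02 2002] [error] [client bar.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htaccess
[Thu Jul 11 17:20:11 2002] [error] [client baz.example.com] File does not exist: /usr/local/apache/htdocs/favicon.ico
EOF
    cat > "$1/access_log" <<'EOF'
foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" 403 291
foo.example.com - - [12/Jul/2002:01:59:20 +0200] "GET /jsp/source.jsp?/jsp/ /jsp/source.jsp?? HTTP/1.0" 404 209
bar.example.com - - [12/Jul/2002:02:01:45 +0200] "GET /index.html HTTP/1.1" 200 1043
qux.example.com - - [12/Jul/2002:02:03:07 +0200] "GET /private/.htpasswd HTTP/1.1" 200 57
EOF
}

# count_denied ERROR_LOG -> number of requests refused by the configuration
# (grep -c exits 1 when the count is zero, hence the || true)
count_denied() {
    grep -c 'client denied by server configuration' "$1" || true
}

# last_denied ERROR_LOG N -> the N most recent denied clients, one per line
last_denied() {
    grep 'client denied' "$1" | tail -n "$2" | sed 's/.*\[client \([^]]*\)\].*/\1/'
}

# count_tomcat_probe ACCESS_LOG -> attempts at the Tomcat source.jsp disclosure bug
count_tomcat_probe() {
    grep -c -F '/jsp/source.jsp?/jsp/ /jsp/source.jsp??' "$1" || true
}

# exposed_dotfiles ACCESS_LOG
# Prints "client request status" for every request to a .ht* file that was
# answered 2xx. Fields are split on the double quote rather than on spaces,
# so a request line containing a space (like the source.jsp probe) does not
# shift the status column.
exposed_dotfiles() {
    awk -F'"' '
        $2 ~ /\/\.ht[A-Za-z]*/ {
            split($1, head, " "); split($3, tail, " ")
            if (tail[1] ~ /^2[0-9][0-9]$/) print head[1], $2, tail[1]
        }' "$1"
}

# count_exposed_dotfiles ACCESS_LOG -> number of such served requests
count_exposed_dotfiles() {
    exposed_dotfiles "$1" | grep -c . || true
}

# report ACCESS_LOG ERROR_LOG -> human-readable summary
report() {
    echo "denied by configuration : $(count_denied "$2")"
    echo "last denied clients     :"
    last_denied "$2" 3 | sed 's/^/    /'
    echo "Tomcat source.jsp probes: $(count_tomcat_probe "$1")"
    echo "served .ht* files (BAD) : $(count_exposed_dotfiles "$1")"
    exposed_dotfiles "$1" | sed 's/^/    /'
}

# Usage: sh apache_logcheck.sh access_log error_log
# With no arguments, run against the constructed sample logs.
if [ $# -ge 2 ]; then
    report "$1" "$2"
else
    tmp=$(mktemp -d)
    write_sample_logs "$tmp"
    report "$tmp/access_log" "$tmp/error_log"
    rm -r "$tmp"
fi
```

A 403 for /.htpasswd in the access log paired with a "client denied" line in the error log is the server doing its job; a 200 for the same path is the finding, and on the sample data only qux.example.com's request falls in that category.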

Data Breaches: 3 Lessons for Leaders

Healthcare Information Security Articles, May 4, 2011 - Upasana Gupta, Contributing Editor

In March, RSA, a trusted name in the security industry, suffered a major security breach of its SecurID product, proving that no organization is immune to such incidents.
Then, in April, the Epsilon e-mail breach exposed the risks of data security managed by a third-party service provider.

Two weeks later, Sony Corp announced that hackers had stolen names, addresses and possibly credit card details from 77 million user accounts of its PlayStation Network and Qriocity online service.

RSA, Epsilon and Sony: Three major security incidents that dominated the headlines and sent ripples throughout security organizations worldwide.

No one feels the pressure of such breaches more than the chief information security officer, who ultimately is responsible for protecting and securing the organization. How an organization plans for and responds to such incidents can make or break a CISO's career.

In the wake of these three high-profile breaches, we spoke to two global information security leaders -- Alessandro Moretti, executive director of IT security risk management at UBS Investment Bank, and Abbas Kudrati, head of information risk and security for the Kingdom of Bahrain -- and asked for their biggest lessons learned. Here's what they shared. [For more on leadership and incident response, see Why CISOs Must Care About Sony Breach.]

#1: Build Trust with Senior Management
An incident as significant as the RSA breach requires leaders to be agile and have the ability to redirect investment, projects and security controls within the shortest possible time if needed, says Moretti. This transition can only happen when IT security leaders have built trust with the business owners by establishing an open line of communication in which they discuss pervasive and forward-thinking issues on a continuous basis. Example: how to respond to unique events such as the recent Japanese earthquake or the RSA breach. Moretti picks up the phone and speaks with his executives at the bank as often as needed, bringing to their attention the risks, investment and options to be pursued within the threat landscape. "Leaders have to focus on how they get information across to senior management to do something more proactive," he says.
#2: Enhance Security Awareness
These high-profile breaches have reinforced the need for comprehensive employee training programs designed to help organizations build a more security conscious workforce. "It is still a big challenge for most organizations to implement a thorough security awareness program in their companies, as they lack insight into employee behavior and where, what and how to protect their information assets," says Kudrati. "This means awareness remains low, understanding of the risks stays incomplete, risk is not properly assessed, and the need for regulation is not created."
His response to these incidents has been to initiate a detailed awareness program, including providing the necessary education and tools to employees for a heightened awareness of corporate policies, procedures and guidelines; customizing email policy for different departments based on usage; conducting frequent social engineering and anti-phishing exercises to enable employees to carefully consider the security implications of their online activities. He also has automated regular checks on technical controls, infrastructure and internal vulnerabilities, allowing the organization to reduce the risk of exposing sensitive information and ultimately strengthening the risk management and data loss prevention policies.

"We are working progressively in reducing risks by pushing the basics, expanding our knowledge of threats and vulnerabilities and educating our employees," Kudrati says.

#3: Manage Risk with Vendors
IT security leaders can no longer just focus on controls and contracts in dealing with vendors that provide software, applications, network and core infrastructure solutions. Leaders have to ensure that "vendor management is built into the risk framework, so these providers know what risks they are managing for you," Moretti says. One must categorize vendors before assessing vendor risk, as not all service providers are the same. Also, IT leaders need to ensure they have a contingency plan in place to support their business should the worst happen to the vendor supporting their mission-critical systems and infrastructure.
Moretti says he has changed his attitude from a control mindset and instead works with vendors as partners of the organization in making them understand the impact of managing risks. The dialogue is now on risk management and mitigation.

Ultimately, Moretti says, "A leader's passive attitude to a security incident outside of their organization is no longer acceptable."

IT departments mainly occupied with compliance (Infosecurity.net)

20-04-2011 - IT departments are increasingly occupied with resolving matters that take place outside the computer room. Compliance in particular takes up a great deal of time. This is the finding of the professional association ISACA in a survey.

According to the Information Systems Audit and Control Association (ISACA), a professional association for, among others, IT managers, IT security specialists, audit specialists and IT assurance specialists, IT departments are increasingly occupied primarily with matters outside their general administration tasks. Regulatory work in particular, such as compliance, governance and security management, puts enormous pressure on current IT staff. According to ISACA this is because the number of statutory rules is growing as a result of more cases of data theft and the rise of new technology such as cloud computing and the use of personal mobile devices in the workplace. In future it is precisely cloud computing, mobile device management, virtualization and business intelligence that will demand a great deal from IT administrators.

In the same survey ISACA also argues that IT departments should raise their profile with general management. According to the survey, general managers think that IT departments still work in an environment cut off from the business side of the company. ISACA members in turn indicate that general management often gives little direction to a strategy for protecting ICT. A majority of the surveyed ISACA members, eighty percent, see such a strategy as of the greatest importance for a company or organization. General managers should also show more involvement in disaster recovery. More than 87 percent of ISACA members indicate that their general management shows little initiative for keeping the most important IT functionality running during a crisis.

Testy 9th Circuit Hears Whistleblower Case Boeing

Monday, April 18, 2011

SEATTLE (CN) - Two Boeing employees who were fired after providing a newspaper reporter information about alleged ethics violations asked the 9th Circuit to reconsider a federal judge's ruling that the Sarbanes-Oxley Act does not prohibit termination for disclosures to the media. No court has yet addressed whether employees can be fired under federal whistleblower laws for providing non-confidential information about potential fraud to the press.
Nicholas Tides and Matthew Neumann worked in Boeing's corporate audit department and made several complaints to supervisors about the company's violations of auditing requirements under Sarbanes-Oxley, according to their original federal complaint.
Congress enacted Sarbanes-Oxley after the Enron accounting scandal.
Tides and Neumann provided a reporter at the Seattle Post-Intelligencer with information and documents about the alleged fraud. They were fired after Boeing learned of the disclosures.
U.S. District Judge John Coughenour ruled that Sarbanes-Oxley "does not prohibit termination for disclosures to the media" and upheld the firings.
During oral arguments on Friday, attorney Stephen Kohn, whose National Whistleblowers Center filed a friend of the court brief, argued the case with the plaintiffs' attorney, John Tollefsen.
As soon as Kohn began his arguments, he was interrupted by a skeptical Judge Andrew Kleinfeld.
"This case concerns a per se rule prohibiting whistleblowers from contacting the press," Kohn said.
Judge Kleinfeld disagreed. "I have difficulty seeing it that way," Kleinfeld said. "It looks to me as though what it concerns is a statute that prohibits retaliation against whistleblowers provided that their disclosures are one of three classes of recipients of the information. I don't see where the statute says anything about the press."
Kohn replied that that was a "misreading" of Sarbanes-Oxley.
"Does the statute mention the press?" Judge Kleinfeld asked.
"It does not, your Honor," Kohn replied.
Kleinfeld then said that the law allowed whistleblowers to provide information to federal regulatory or law enforcement agencies, Congress, and the employee's supervisors.
"That's all she wrote," the judge said.
But Kohn said that the wording "cause to be provided" in Sarbanes-Oxley could be read as going through the media, and that the language is "substantially similar" to other whistleblower protection laws, "all of which were interpreted as protecting contacts with the press."
Tollefsen said Sarbanes-Oxley does not place limits on how one contacts Congress, and that contacting the press is one of the most effective ways to get the attention of Congress.
"You would be the first court ever to interpret any of these statutes - and we cited four of the whistleblower statutes where you're allowed to use the media as a mode of communication," Tollefsen said.
Judge Kleinfeld countered, "You can use this for blackmail."
Tollefsen, raising his voice, said, "We're not talking about blackmail. We're talking about - that's the kind of thing that Enron's lawyers would have said."
Kleinfeld replied: "I must be a bad fellow because I asked you a question that you think Enron's lawyers might have raised."
Both Judge Kleinfeld and Judge Barry Silverman noted that whistleblower protection for federal employees placed no restrictions on whom the employees could contact, unlike Sarbanes-Oxley.
Tollefsen said that Congress intended for Sarbanes-Oxley to have the same protections as federal employees.
"Now, why they didn't use the exact language as the federal employee statute, I don't know," Tollefsen said.
"That's a major problem, isn't it, for you?" Judge Silverman asked.
In a short argument, Boeing's attorney Eric Wolff claimed that the case was "a very straightforward case of statutory interpretation."

The Role of FCPA Compliance in Contractual Responsibilities

We often discuss the impact of the Foreign Corrupt Practices Act (FCPA) on companies in relation to their third parties. Topics can include due diligence of third parties, contracting terms and conditions, and management of these relationships. However, just as all US companies are subject to the FCPA and are therefore required to implement compliance programs which meet the strictures of the FCPA, many non-US companies are required to have compliance programs in place to meet contractual requirements.

We considered the position of these non-US companies when we recently read the article “Compliance Programs Redefined: Elevating Contractual Responsibilities to Their Proper Place” by Steven Lauer, published in CCH, Corporate Governance Guide, Issue 551, March 21, 2011. Indeed, when reviewing or discussing FCPA compliance programs, one part of the discussion which is often overlooked by US companies is their own contractual obligation to have such a program in place. Lauer posits that a “compliance program offers a company…a truly positive benefit” in relation to its counterparties. While his article is not specifically FCPA focused, we found it to be an excellent perspective from which companies can consider their overall compliance program.

Lauer believes that there are two general forms of contract compliance. The first is process and the second is substantive. Process compliance encompasses all events leading up to contract execution. Substantive compliance comes into play after execution, when the parties are obligated to honor their respective contractual commitments.

An example of a process compliance issue is where one contract may require a company to violate the terms and conditions of a previously executed agreement. Lauer gives the example of a company which enters into a foreign joint venture and pledges certain physical assets, but which has previously agreed with a lender not to limit the lender’s right to encumber any company assets. A more recent example has been BP and its attempts to enter into a business relationship with Rosneft. BP’s joint venture partners in TNK-BP claimed that such an agreement violated the terms of their joint venture agreement and successfully sued to enjoin the transaction in the British courts.

Under the compliance terms and conditions of a Master Service Agreement or Master Construction Agreement, it is not unusual for a Company to require a Contractor to flow down the same FCPA terms and conditions to all of the Contractor’s subcontractors who may perform work under the Master Agreement for the Company. Failure by the Contractor to do so would violate the FCPA compliance terms and conditions of the Master Agreement. This can be problematic for a contractor that is entering the international arena for the first time and may not have an FCPA compliance program in place.

Lauer acknowledges that compliance with the compliance terms and conditions in an agreement is a subset of the obligations which a company has to outsiders. Such outsiders can include governmental authorities and lenders. However, contract requirements “may be the most specific and relevant on a day-to-day basis.” Therefore, under the substantive contract compliance prong, a company must ensure proper performance of its agreements and that the individuals administering an agreement understand its obligations. Once again in the context of FCPA compliance, this may require a Contractor to require its subcontractors to have a compliance program in place; to train its subcontractors’ employees on basic FCPA compliance; and to audit a subcontractor’s FCPA compliance component.

William Athanas has recently written an article advocating the proactive use of the results of a company’s FCPA compliance program: “Demonstrating ‘Systemic Success’ in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations . . . Before They Begin.” He makes clear that if your compliance program does not document its successes, there is simply no evidence that it has succeeded. Just as this would be true in any Department of Justice investigation, it would be equally true if a Contractor is audited by its contracting counterparties. So, as always, the key is to document, document and document.

Lauer notes that an effective compliance department should not replicate other corporate functions; rather, it creates mechanisms that implement and then track the performance of those other units in respect of the activities that bear on the company’s compliance with the various behavioral expectations that apply to its operations. Some of those expectations arise externally and others are created internally. FCPA compliance terms and conditions can arise from these external expectations.

Lauer ends by stating his belief that by creating an ongoing FCPA compliance-assurance mechanism a company can, among other things, strengthen its competitive posture and improve the overall ethical culture of the organization. Further, these benefits will serve as more than simply a preventative; they will allow a compliance department to better realize its company’s business objectives and sustain the company’s revenue stream.

We believe that Lauer’s article points out some issues which are not often considered in regard to FCPA compliance. We hope his article will give you pause for thought on yet another role for your compliance department.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2011

Multiple vulnerabilities in IBM Tivoli Directory Server

Basel III could erode the competitive position of the large Dutch banks

Based on: Banking Review (February/March 2011)

It is slowly becoming clear what the effects of Basel III will be on the banking landscape. For the Netherlands it means, for example, that the banks fall under the highest capital requirements of Basel III. And that means that the competitive position of the Dutch banks may be eroded.

The tightened capital requirements of the Basel III accord have major implications for banks worldwide and will therefore also have an impact on strategic decision-making. Possible courses of action for banks are: raising new equity capital; reducing the assets on the balance sheet (for example by selling business units); changing business units or the relationship with subsidiaries and minority interests; and reallocations on the asset side of the balance sheet, in which riskier investments are converted into safer, lower-yielding investments.

Another consequence is that the largest banks may not be the big winners of all these developments. Supervisors are still working on the 'too big to fail' problem and may discourage the largest banks from growing further through acquisitions. And that in turn has consequences for the large Dutch banks.

New accounting rules (IFRS) will cost the sector billions

4 April 2011

Life, non-life and health insurers expect that the introduction of new global accounting rules will cost the sector billions. But it is above all the consumer who will foot the bill for the introduction of IFRS.


DFT infers this from the KPMG report The New World for Insurance. The new standard for financial reporting under International Financial Reporting Standards (IFRS) is intended to make it easier to compare the results of insurers from more than 120 countries. The guideline, which is expected to be presented in June, obliges insurers to report figures and to present the company at market value.

Insurance liabilities must be updated at every reporting date to the latest insights on mortality trends, costs, return guarantees and the yield curve. The current method is based on the original pricing basis and a fixed discount rate.

What Basel III Means for Corporates

Jaco Boere, Zanders, Treasury & Finance Solutions - 31 Mar 2011
This article examines the Basel III agreement and looks at what this might mean for corporates who primarily use bank finance for their funding.

Following the financial crisis, it became clear that the concept of Basel II, which became effective in February 2008, had severe shortcomings and that there was a need for greater change in banking regulation and supervision. On 12 September 2010, the Basel Committee on Banking Supervision (BCBS) endorsed a new regulatory capital and liquidity regime - Basel III.

Addressing Liquidity Risk
The focus of the new regime is mostly on the liability side of the bank’s balance sheet. It will address the issues revealed under Basel II, including over-leverage and liquidity risk caused by mismatches of the asset tenor relative to the funding tenor. Basel III will also change the requirements for the bank’s core capitalisation, which will have to be maintained at a level relative to their risk weighted assets (RWAs).

Table 1 provides an overview of the differences between Basel II and Basel III for the minimum required levels of capital.

Table 1: Basel II Versus Basel III

Using a phased approach, the additional requirements don't just affect capital quality and capital requirements, but leverage, liquidity and net stable funding ratio requirements will also be introduced for banks. The objective is to increase the loss-absorbing capital capacity of the banks relative to their RWAs and to strengthen the banks' balance sheets so that they are better able to withstand periods of economic downturn.

Although the definition for capitalisation will be strengthened and the ratios will also be raised under Basel III, the definition of RWA is largely based on the current Basel II requirement, except for some elements of counterparty credit risk and equity. In essence, the RWA definition means that the banks will have to maintain higher degrees of capital buffers against riskier assets according to risk weights. Low-risk assets could be held with minimum capital levels and therefore allow a higher gearing. However, ratings and risk weightings have not always proved to be reliable in assessing true underlying credit risk - as shown by the structured finance and securitisation bubble.

The new standards will be implemented and become effective through a staged approach between 2013 and 2019.

What Effect Will Basel III Have on Corporates?
The effect of Basel III for an individual bank, and how it will translate into products and pricing offered, will be dependent on its current capitalisation ratios, as well as its business profile and the composition of its asset portfolios. In general, banks will likely have to allocate more capital (deleverage) and liquid assets across their business, as well as use more stable sources of funding, to meet the new Basel III requirements. This is expected to lead to a general increase in capital and funding costs for banks. Although banks may try to improve their operational efficiency, fine tune their models and optimise their asset segmentation, it's likely that they will pass some of the additional cost to their customers to preserve the same level of returns. This will imply that, for corporates, on and off balance sheet banking products that require a higher capital allocation or have a relative higher weighting in the ratios for a bank will likely become more expensive. However, it can also be argued that Basel III requirements will alter and reduce the risk profile of a bank and therefore they may settle for lower returns.

Corporate treasurers may be affected by the consequences of Basel III on banks in a number of ways, obviously mostly on the borrowing side, but other product categories will also be affected.

An interesting point may be that bond financing or, more generally speaking, non-bank financing for corporates may gain further attractiveness under Basel III relative to bank financing. This is a trend that has already been observed during the recent crisis.

First, there is a difference in the liquidity treatment for the determination of the liquidity coverage ratio (LCR). Banks will have to hold 30 days liquidity net cash outflow in liquid assets. High-quality corporate bonds are considered to be liquid assets in the context of the LCR, since they can be easily converted into cash, whereas bank or non-public debt is less liquid and therefore is treated less favourably.

Second, the LCR may also have an unfavourable effect on the revolving style of corporate credit and liquidity facilities. Commitments for stand-by revolving committed credit facilities are expected to become more expensive, particularly liquidity back-stop facilities for commercial paper programmes, given their unfavourable treatment under the LCR, which can require banks to hold a liquid-asset buffer of up to 100% of any undrawn part, depending on the nature of the facility.

Third, it is also expected that corporate bank lending will face a relatively higher increase in interest margins compared to non-bank lending because of Basel III. Because the non-bank debt market may also attract other types of investors that are not subject to the new Basel III requirements, these investors may have a competitive advantage compared to banks. This may particularly impact the smaller corporates that either do not have access to this market or do not have a good credit standing, and are therefore predominantly dependent on bank debt as their source of debt financing. For those corporates that do not have a credit rating, it will become important to understand how a bank perceives their credit risk and to make sure the bank perceives it correctly. They should also have a notion of how a bank will price the associated credit risk in relation to the term and the characteristics of the credit facility, and the effect of the collateral and security provided. The attractiveness of the deal will play an important role for the bank. In any case, bank finance will likely become more expensive, particularly for corporates that have a lower credit standing.

Corporate short-term investments will also be impacted by Basel III. In relation to the LCR and the net stable funding ratio (NSFR), a corporate bank deposit, depending on the conditions, is typically considered as a less stable type of funding for a bank and will have a lower weighting compared to other sources of funding for a bank. Therefore corporate deposits, especially the ones with a very short term, will likely be less attractive to banks under Basel III than previously.

The NSFR and the related matched funding requirement are also expected to lead to relatively higher prices for facilities and loans with longer terms.

Another product category that will be notably hit by the new requirements is off-balance sheet products, particularly trade finance products such as letters of credit (LCs). Any of these off-balance sheet commitments will have a high credit conversion factor against the threshold for the leverage ratio.

Overall there is uncertainty about the consequences of Basel III and how banks will respond to it. Banks will alter their strategy and may redefine their 'sweet spots'. Much will also depend on the extent to which a bank can already meet the additional Basel III requirements and whether or not it will have to raise additional capital. Also, non-bank financial institutions may start to play a more active role as they are beyond the scope of the Basel III requirements, which may give them a competitive advantage.

In response to Basel III, banks will increasingly assess the total return on a customer in relation to its credit risk position and the capital the bank will have to allocate. Using a bank’s asset side of the balance sheet under Basel III will likely come at a higher price for corporates, who will have to compensate the bank either through a higher interest margin or by awarding ancillary business to the credit-providing banks. Bank relationships are likely to be more and more driven by credit, particularly for corporates that (have to) rely heavily on bank finance as a source of overall funding. It will therefore become even more important for corporates to understand their total banking wallet and how these products affect the capital that banks have to allocate under Basel III.

SEPA: A Core Issue Checklist for Corporates

Karsten Becker, Deutsche Bank - 29 Mar 2011
This article is a back-to-basics approach on the core issues surrounding the single euro payments area (SEPA), explaining what corporates need to do when implementing a SEPA project.

On 16 December 2010, the European Commission (EC) published a proposal for regulating the end dates for single euro payments area (SEPA) migration. Although still under review, the regulation is expected to come into force late this year or early next year, which would mean that existing domestic credit transfers could be decommissioned as early as 2012/13 and direct debits as early as 2013/14, effectively replaced by SEPA instruments.

With the end dates in sight, many corporates are asking fundamental questions:

•What does this mean for my company?
•When does my company need to be ready?
•What steps does my company need to take?
What has become clear is that no company will escape SEPA. However, the impact will vary from one company to the next - the project could be quick and easy, or complex and time consuming.

For example, a company that uses mainly domestic credit transfers may only need to obtain International Bank Account Numbers (IBANs) and Bank Identifier Codes (BICs), and its bank will provide format conversion services; whereas implementing SEPA Direct Debits (SDDs) requires more work. Companies active in a number of European countries will also face greater complexity because the process for obtaining IBANs/BICs will vary from country to country.

By going through a checklist of features that may be applicable, a company can get a sense of the project’s complexity.

Setting Up a SEPA Project Team
As a result of the proposed regulation, the industry is likely to be looking at rather tight implementation timeframes for SEPA Credit Transfers (SCTs) and for SDDs. Corporates should start planning and budgeting now, in order to get the project in this year’s budget cycle. A positive effect of a regulated end date is that it will be easier to get funding because the project is now a regulatory one, rather than one that requires a business case.

At the outset, a company should perform a high-level analysis and then put together a project team that is responsible for implementing SEPA migration.

Project Manager: Ensuring all potentially affected departments are involved

Finance department:

•Invoicing - add IBAN/BICs.
•Accounting, accounts receivable (A/R), accounts payable (A/P) - account reconciliation/capture IBANs and BICs/update database.
•Investigations (client inquiries).
•Treasury: enterprise resource planning (ERP) impact/liquidity management/bank relationships.
Other affected departments:

•Sales/procurement - inform business partners/potentially new contacts/new forms.
•Customer service - SEPA-specific client questions.
•Human resources (HR) - salary and benefit payments.
•Legal - mandate migration/change contracts if collection via SDD.
•External partners - e.g. call centres.
The SEPA Project Checklist
The following checklist is an illustration of potential considerations only and cannot outline all possible ‘to dos’. What a corporate needs to do will, of course, vary greatly from one company to the other.

Strategic analysis
When a corporate examines SEPA from a strategic perspective, this poses the question of whether to centralise payments and collections. SEPA is another driver that encourages the trend towards a centralised structure because it harmonises cross-border payment processes.

If a corporate does decide to create a payment or collection factory, then the project takes on a much larger dimension.

To dos:
•Analyse set-up of accounts and cash management structures and systems landscape in Europe.
•Check account centralisation and system consolidation potential.
•Assess and quantify benefits.
A second question has to do with timing - does the corporate want to be one of the first movers or the last? With the end date taking shape, that question is not posed as sharply. But most can’t migrate immediately because of the preparation needed in advance of migration. For this reason, the bulk of SCT migration is expected to occur in the second half of 2012.

To dos:
•Analyse migration complexity.
•Clarify SEPA-interest of business partners.
•Determine own migration strategy.
•Proactive, or wait-and-see?
•Credit transfers and direct debits together or separately?
•All countries at once, or one by one?
A third question revolves around a format strategy - does the company want to switch its payment formats to XML now, or continue to rely on bank conversion services? Today, all banks recommend XML as the format of the future, but this change has an impact on the corporate’s ERP systems and connectivity because XML files tend to be much larger than domestic equivalents.

To dos:
•Analyse which formats are currently in use.
•Set timing of XML migration or keep other global formats and adjust for SEPA.
•Assess availability of temporary solutions (banks’ conversion capabilities differ) - if required.
•Check if a new release is needed from external system provider to obtain the XML module.
The corporate should also map its infrastructural changes, particularly for pan-European companies that have grown through mergers and acquisitions (M&As). Often such a company will have many ERP systems or treasury workstations. A varied landscape makes it more difficult for a company to analyse whether all systems allow for IBANs, for example, or if the company needs to upgrade. A corporate could use this opportunity to streamline its systems landscape.

To dos:
•Identify affected systems.
•Check the preconditions for and the availability of SEPA-upgrades/modules with vendor(s).
•Is a new release required?
•Define specifications and timelines for own system adjustments.
•Interface analysis and plans for adjustments.
•Planning and conducting tests.
Another by-product of a SEPA migration project is the chance to reduce the number of banking relationships. The question of how many banking relationships are optimal grows in importance, because if a company can make local payments from a central account in another country, does it still need a local bank?

To dos:
•Check if and by when relationship banks will offer SCT and SDD.
•Compare SEPA requirements with banks’ SEPA capabilities - submit request for proposal (RFP) for SEPA transactions.
•Analyse what value-added services are on offer.
•Determine which banks to use in SEPA.
Migrating to IBAN and BIC
The first hurdle for most companies is the basic question of how to obtain IBANs and BICs. Should a company go directly to its counterparty if it only has a few, or should it use the format conversion services that banks or third parties offer?

There are local solutions in each country, which tend to be relatively inexpensive, but if a company has to convert in 30 countries, then it can become quite cumbersome to oversee 30 different processes. Therefore, it might be better to use a third party; however, vendors tend to be more expensive. Often Deutsche Bank recommends that clients use domestic conversion services for high volume countries because they are inexpensive, but if they have a few countries with relatively few IBANs, to use a vendor.

To dos:
•Determine how to obtain the corresponding IBANs and BICs: directly from counterparties (contact them) or indirectly via local conversion service?
•Decide how to communicate own IBAN and BIC.
•When and where should this information appear?
•Make the required changes to invoices and other forms.
•Prepare customer service to answer questions, such as: “What is an IBAN? Where do I find it? What is it used for?”
The next step is to determine the technical impact of converting, so a corporate needs to understand which of its current systems are able to handle IBANs and BICs.

To dos:
•Identify all systems that contain account numbers and bank codes.
•Adjust field lengths to IBAN and BIC.
•Decide how to enter IBAN and BIC into the systems.
•File uploads, document scans and/or manual input.
•Potentially develop IBAN checks to be applied during capture.
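The IBAN check in the last item above, as an added example that is not part of the article or of any bank's own tooling: it normalises pasted or scanned input (spaces, lower case), checks the country-specific length, and verifies the ISO 7064 mod-97 check digits that reject a mistyped or transposed digit at capture time rather than on rejection by the bank. It also generates the check digits for a new IBAN, which is the other half of "communicate own IBAN". The country length table is an assumption limited to a few SEPA countries (a production validator loads the full IBAN registry), the function names are mine, and the sample IBANs are the standard published documentation examples, not real accounts.

```python
"""IBAN capture check: character set, country length and ISO 7064 mod-97
check digits. Added example, not code from the original article."""
import re
from typing import Tuple

# Assumed subset of the IBAN registry: country code -> total IBAN length.
# A real deployment loads the full SWIFT IBAN registry instead.
IBAN_LENGTHS = {
    "BE": 16, "DE": 22, "ES": 24, "FR": 27, "GB": 22, "IT": 27, "NL": 18,
}

_ALNUM = re.compile(r"^[A-Z0-9]+$")


def normalise_iban(raw: str) -> str:
    """Strip all whitespace (paper forms, scans, manual entry) and upper-case."""
    return "".join(raw.split()).upper()


def _to_numeric(iban: str) -> int:
    """ISO 13616 preparation: move the first four characters (country code and
    check digits) to the end, then map A..Z to 10..35 and digits to themselves.
    int(ch, 36) does exactly that mapping for a single alphanumeric character."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged))


def iban_check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a new IBAN from country code + BBAN:
    place "00" as provisional check digits, then 98 - (numeric form mod 97)."""
    provisional = country.upper() + "00" + normalise_iban(bban)
    remainder = _to_numeric(provisional) % 97
    return f"{98 - remainder:02d}"


def validate_iban(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects bad characters, a missing country code,
    a wrong length for the country and check-digit failures, in that order,
    so the reason can be shown to the person keying the data."""
    iban = normalise_iban(raw)
    if not _ALNUM.match(iban):
        return False, "invalid characters"
    country = iban[:2]
    if not country.isalpha():
        return False, "missing country code"
    expected = IBAN_LENGTHS.get(country)
    if expected is None:
        return False, f"unknown country {country}"
    if len(iban) != expected:
        return False, f"length {len(iban)} != {expected} for {country}"
    if not iban[2:4].isdigit():
        return False, "check digits must be numeric"
    # A valid IBAN's numeric form is congruent to 1 modulo 97.
    if _to_numeric(iban) % 97 != 1:
        return False, "check digits do not match"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the published GB/DE example IBANs, one with a
    # single mistyped digit, one with two digits transposed, one truncated.
    for sample in (
        "GB82 WEST 1234 5698 7654 32",
        "de89 3704 0044 0532 0130 00",
        "GB82 WEST 1234 5698 7654 31",
        "GB82 WEST 1234 5698 7654 23",
        "GB82 WEST 1234 5698 7654 3",
    ):
        print(f"{sample!r}: {validate_iban(sample)}")
    print("check digits for GB/WEST12345698765432:",
          iban_check_digits("GB", "WEST 1234 5698 7654 32"))
```

The mod-97 step is the one that matters for data quality: a length check alone passes a single wrong digit or a transposition, both of which the check digits catch, so the validator should run before the value is written to the master data rather than only when a payment file is built.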
Payment detail field
Under SEPA, the payment detail field is only 140 characters long, which may be shorter than corporates are accustomed to today. Particularly in the B2B space, most companies include a lot of payment detail because they pay more than one invoice at a time. Corporates need to either adjust their payment patterns by breaking them down into more than one payment, or maybe think about how to shorten the information they provide.

To dos:
•Check the length of the payment details fields used by country.
•Adjust length and content.
•Allowed characters are numbers, letters and special signs.
•Think about using the orderer/creditor (end-to-end) reference field for certain information (e.g. contract number).
Optional originator/creditor reference field
SEPA payments also include an optional creditor reference field for the sender. If a creditor wants to receive specific information, for example an invoice number, this additional 35-character field can be used.

To dos:
•Determine if this field is needed.
•Define content.
•Allowed characters are numbers, letters and special signs.
•Establish reconciliation processes based on reference number.
Optional purpose codes
In addition, optional purpose codes can help the beneficiary identify the payment type, e.g. salary, phone bill, etc. This is relevant if the beneficiary asks for this information, in order to categorise incoming payments.

To dos:
•Check with your counterparties if they require purpose codes (and which ones).
•Find out if their bank supports purpose codes.
•Define own processes when receiving purpose codes.
Category purpose code
The category purpose code is another optional field, which allows the sender to designate the way that their payment is processed. For example, a company’s payments are normally all executed overnight with the standard SCT and maybe all booked individually. However, the company may want its salary payments to be executed the same day and booked in bulk.

Therefore, it could use the category purpose code for salary payments to indicate to its bank that these are salary payments. The company could set up a standing instruction so that when it sends a file with this category purpose code, then the bank knows to book them in bulk and execute on the same day.

The category purpose code is also optional for the bank, so a corporate needs to ensure that its bank offers this service.

To dos:
•Determine the need for special processing options, e.g. for salary payments.
•Indicate these options in the file.
Reference party field
Lastly, there is a reference party field - also called an ‘on behalf of’ field - which is relevant for payment/collection factories. For example, if Company ABC Germany is making a payment on behalf of its subsidiary in France, it has a separate field so it doesn’t need to fill up the limited space in the payment detail field.

To dos:
•Check if making on-behalf-of payments or collections today/want to use them in the future.
•If the information is supplied today, potentially migrate it to the new fields (maximum 70 characters).
•Define the processes and inform counterparties.
Additional Preparation for SCT Only
Execution and cut-off times
As a result of the Payment Services Directive (PSD), the execution time will change, so corporates need to be aware of this for time-sensitive payments, such as salaries. Currently, it is a maximum of two days for a SCT, but from 2012 it will be only one day. This should help in liquidity planning because the payer will be certain that the payment will reach the beneficiary by the next day.

Cut-off times may change in comparison to what corporates are accustomed to for domestic equivalents. They will vary from bank to bank, but it’s important for corporates to be aware that this is changing in case they have to submit payments earlier.

To dos:
•Analyse what time-critical transactions are made today (e.g. salary, benefit/social security, etc).
•Define whether processes for executing these payments need to be adjusted.
•Determine processing preferences.
•Adjust file-submission processes to account for different cut-off times.
Additional Preparation for SDD Only
Mandate management
With SDD, corporates will need to manage received direct debit mandates. Today, some countries operate a debtor mandate flow, which means that the mandate goes to the debtor bank rather than the creditor. With SDD, it is a creditor mandate flow, which means that the creditor must physically keep the paper mandate. From an operational perspective, large direct debit users in countries such as France and Belgium must design internal processes to cope with these paper mandates. In addition, corporates will need to make the mandate data electronic, because certain mandate elements will have to be submitted with every SDD to the bank.

Mandate number
Corporates now need to give every mandate a number. They are free to generate the mandate number, with a maximum of 35 characters, however they want. It could be a contract number, a client number, or just an ascending or descending number. Deutsche Bank recommends using something that is similar to a client number, so it is easy to recognise which client’s mandate it is.

To dos:
•Generate the mandates.
•Determine mandate form.
•Create the text in required language(s).
•Potentially print and mail the mandates.
•Choose mandate reference (e.g. contract numbers, ascending numbers, etc).
•Generate mandate reference (maximum 35 characters).
•Add them to mandates or communicate them to clients afterwards.
•Check mandate-management options.
•Physical storage/scanning.
•Save mandate data in mandate database.
•Define processes for mandate administration (e.g. capture of new mandates, changes to existing mandates, ordering of copies, etc).
•Alternative: outsourcing.
Creditor identifier
Corporates also need to obtain a creditor identifier, which uniquely identifies each creditor through an alpha-numeric code, rather than relying on a name, which can vary. Where a corporate can get this ID varies from country to country - in Germany, for example, it is done through a central service by the central bank.

The combination of creditor identifier and mandate number allows each debtor bank to uniquely identify an incoming direct debit.

To dos:
•Obtain creditor identifier.
•One identifier or separate ones for different legal entities?
•Potentially use creditor business code within the ID to distinguish separate entities or departments so that only one ID is needed.
Submission deadlines
SDD submission deadlines are five days prior to the due date for the initial direct debit, and then two days for recurring core SDDs. For business-to-business (B2B) SDDs, it is only one day before the due date. This difference will have a significant impact on internal processes, in terms of when corporates will need to submit those files to their banks to ensure they make the due date.

It becomes even more complicated if corporates send mixed files with initial and recurring SDDs. Their banks may split them and the corporate could see two separate bookings.

The five-day submission deadline will be a pain point for online and point-of-sale (POS) retailers because in some countries, such as Germany, they can create a direct debit and submit it to their bank on one day, and it is settled the next day. The longer submission deadlines will impact liquidity and risk management around direct debits.

To dos:
•Setting of due date.
•Ensure the debtor is informed in advance.
•Define/adjust submission processes, taking into account the deadlines.
•Five days for first/one-off transactions; two days for recurring ones.
•Define/adjust booking processes/options.
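The mandate number, creditor identifier and submission-deadline rules above can be turned into a pre-submission check that a corporate runs over its own SDD file before it goes to the bank. This is an added example, not code from the article or from Deutsche Bank; the record layout, the placeholder creditor identifier, the pain.008 sequence codes (FRST/OOFF/RCUR) and the use of calendar days (the text does not say business days) are assumptions.

```python
"""Pre-submission checks for a SEPA Direct Debit (SDD) file.

Added example, not code from the article. It encodes the rules the
checklist states: a mandate reference of at most 35 characters, a
creditor identifier on every collection, and submission deadlines of
five days before due date for first/one-off collections, two days for
recurring core collections and one day for B2B collections.
Assumptions: the record layout below, calendar days, and the
pain.008 sequence codes FRST/OOFF/RCUR.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MANDATE_REF_MAX = 35

# Days before the due date by which the file must reach the bank, per the text.
DEADLINE_DAYS = {
    ("CORE", "FRST"): 5, ("CORE", "OOFF"): 5, ("CORE", "RCUR"): 2,
    ("B2B", "FRST"): 1, ("B2B", "OOFF"): 1, ("B2B", "RCUR"): 1,
}


@dataclass
class Collection:
    end_to_end_id: str
    creditor_id: str
    mandate_ref: str
    scheme: str        # "CORE" or "B2B"
    sequence: str      # "FRST", "OOFF" or "RCUR"
    due_date: date


def latest_submission(c: Collection) -> date:
    """Last date on which the collection can still be sent to the bank."""
    return c.due_date - timedelta(days=DEADLINE_DAYS[(c.scheme, c.sequence)])


def check_collection(c: Collection, submission_date: date) -> list[str]:
    """Return the problems a corporate's own pre-check should flag."""
    problems = []
    if not c.creditor_id.strip():
        problems.append("missing creditor identifier")
    if not c.mandate_ref:
        problems.append("missing mandate reference")
    elif len(c.mandate_ref) > MANDATE_REF_MAX:
        problems.append(f"mandate reference exceeds {MANDATE_REF_MAX} characters")
    if (c.scheme, c.sequence) not in DEADLINE_DAYS:
        problems.append(f"unknown scheme/sequence {c.scheme}/{c.sequence}")
    else:
        late_by = (submission_date - latest_submission(c)).days
        if late_by > 0:
            problems.append(f"{late_by} day(s) too late for {c.scheme} {c.sequence}")
    return problems


def split_bookings(collections):
    """Group a mixed file the way the text says banks may split it: initial
    (FRST/OOFF) and recurring (RCUR) collections, per scheme, are booked
    separately, so the corporate should expect one booking per group."""
    groups: dict[tuple[str, str], list[Collection]] = {}
    for c in collections:
        key = (c.scheme, "RCUR" if c.sequence == "RCUR" else "FRST/OOFF")
        groups.setdefault(key, []).append(c)
    return groups


def sample_file() -> list[Collection]:
    """Constructed sample data; the creditor identifier is a placeholder."""
    return [
        Collection("INV-1001", "CREDITOR-ID-PLACEHOLDER", "CLIENT-00042-M1",
                   "CORE", "FRST", date(2012, 3, 12)),
        Collection("INV-1002", "CREDITOR-ID-PLACEHOLDER", "CLIENT-00017-M3",
                   "CORE", "RCUR", date(2012, 3, 12)),
        Collection("INV-1003", "CREDITOR-ID-PLACEHOLDER", "X" * 40,
                   "B2B", "RCUR", date(2012, 3, 12)),
    ]


if __name__ == "__main__":
    today = date(2012, 3, 8)  # constructed submission date
    for c in sample_file():
        print(c.end_to_end_id, latest_submission(c), check_collection(c, today))
    for key, group in split_bookings(sample_file()).items():
        print(key, [c.end_to_end_id for c in group])
```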
Return transactions
For return transactions (R-transactions), SDDs have different codes on the account statement. Normally, a corporate sees the reason and then decides whether to generate a new direct debit, call the client, or a number of other actions. If an automated process is in place, they may have to re-program their system based on these new return reason codes.

To dos:
•Analyse the return reasons and compare with today’s situation.
•Adjust reconciliation process to account for the new text keys.
•Define strategy for each reason code:
•Contact debtor?
•Sell to collection agency?
Conclusion: There is No Escape from SEPA
SEPA will affect every company - but to what extent is dependent on a number of factors. Even for a company that only needs to obtain IBANs and BICs, which seems rather easy, that work still needs to be done. The company will need to enter IBANs and BICs into its treasury system in order to properly generate SEPA payment files.

For the majority of corporates, particularly the mid-tier and larger companies, a SEPA migration project may require a considerable amount of preparation.

Based on the above checklist, each corporate should go through its own project and analyse the relevant aspects to consider in its migration to SEPA. Once it has a laundry list of all the potential ‘to dos’, then it can start to plan how long it will take and how much it may cost. Corporates need to start on or accelerate their SEPA journey now that the end dates are in sight.

To read more from Deutsche Bank, please visit their gtnews microsite.

By Whitson Gordon
Top 10 Uses for Twitter (That Aren't Self-Indulgent)
Since Twitter's inception, it's been looked down upon as a place for self-centered technophiles to share the mundane details of their lives. We at Lifehacker know better than that, though—here are our favorite ways to turn Twitter into a useful tool, without becoming one yourself.
We've shared some of our non-breakfast related Twitter uses before, but over the past few years Twitter has evolved, grown more popular, and we've just discovered more clever and productive uses for it. Some of these you may recognize, but even the ones we've discussed before may have been updated, so be sure to check them all out if you're looking to upgrade your Twitter usage.
10. Quickly Access Productivity Tools
We've mentioned before how easy it is to add tasks to Remember the Milk or send memos to Evernote using Twitter, which makes using our favorite productivity tools super quick and easy—almost like a productivity command line. Since then, we've discovered even faster ways to use this to our advantage, like performing those tasks straight from the address bar, or using Google Voice actions to just speak it to our phone. Twitter allows you far more than just one more access channel to your favorite productivity webapps. Since Twitter is everywhere these days, it opens up a ton of different options for super-quick access, so you can add a task to your to-do list and get on with your day.
9. Get Search Results for Timely News
As hard as news sites and blogs try to be up-to-the-second sources for news, the fact of the matter is that Twitter is just the best place to find out what just happened. Whether you want to keep up with this year's Oscar winners without sitting through the show, find out who got voted off American Idol, or finding out that Comcast's DNS went down (and how to get around it), all you need to do is hit up search.twitter.com. Within seconds you'll have all the information you need, even if it isn't up yet anywhere else on the internet.
8. Find a Job
We already know the internet is a great tool for the unemployed (or just unhappy at their current job), but you can actually find a good number of listings on Twitter. We've talked about how to do this with free service TweetMyJobs, which lets you pick the field you're interested in and get real-time Twitter updates of job listings you might be interested in. Furthermore, reader AlphaGeek notes that you can just search Twitter for the hashtag #jobs, and perhaps a hashtag for your industry or city. You'd be surprised at what you can find. Again, it certainly won't be your only resource, but it's another good one to add to your arsenal.
Photo remixed from an original by Janet McKnight
7. Get Up to the Minute Updates on Your Favorite Software
One of my favorite Twitter uses is following my favorite software developers and finding out immediately when they update. Whether it's big programs like Firefox and XBMC or smaller ventures like Adium for the Mac, I've never gotten a faster notification than on Twitter. Not only will you find out as soon as a new update is ready, but you'll find out about the cool stuff coming up in future versions, nightly builds, and sometimes even handy tips you didn't know about.
6. Use it as a Quick-Access Cloud Notebook
If you aren't using something like Evernote, that doesn't mean you can't still use Twitter's quick-post nature as a notebook—reader Epell says it's a great place to jot down ideas as soon as you think of them. Just protect your tweets, disallow discovery of your account by email address, and use it as your own personal notebook. If you're the more introspective type, you can use it as a short-post journal, too—whether public or private.
5. Discover News and Articles You Otherwise Wouldn't Have
Using Twitter for news is hardly a new idea—following accounts like @cnnbrk is Twitter 101 (plus, if any news starts breaking, the other folks you follow will probably be quick to talk about it). What I find especially cool about Twitter is that I find news and articles I otherwise wouldn't have discovered. Since you can follow anyone with just a click, you probably end up following more people (and a more diverse group of people) than you would on, say, Google Reader. As they tweet out interesting links (or retweet others you don't follow), you might find articles or blog posts that weren't hugely popular, but still useful or interesting. Sure, at a certain point this can get more "noisy" than helpful, but this is why you should routinely unfollow people to keep your feeds clutter-free.
4. Get Alerts and Inspiration on Pretty Much Anything
Aren't sure what you want to make for dinner tonight? @cookbook can give you a bit of inspiration with her 140-character recipes. Not sure what's good on TV tonight? @TVGuide can give you some ideas. There are a ton of Twitter accounts out there that send out useful alerts or inspiration for things in your daily life. Other examples include previously mentioned @queuenoodle, which alerts you to expiring movies on Netflix Instant, or @amazonmp3, which keeps you alerted to the best deals (and all the free tracks of the day) on Amazon MP3. Your local businesses might have some cool accounts, too—a few of the local bars where I'm from will tweet out special drafts that aren't publicized anywhere else, so only their followers know to come in and ask for them specifically.
3. Control DIY Home Automation Projects
Whether you need to send a quick command or get alerts for something happening at home, Twitter has become a very popular tool for home automation projects. You can do something simple like control your PC from afar with TweetMyPC, or do a more complicated project like tell your coffee pot to start brewing, water your plants, or even dispense Halloween candy. With the Twitter API and an Arduino, there are pretty much no limits to what you can control.
2. Get Instant Customer Support
Lots of companies have taken to providing support on Twitter, and it's more than just a way to get in on the fad. @JetBlue and @ComcastCares are two accounts that have made the format popular, and with good reason—some people are getting faster responses via Twitter than they are the customer service phone line. Other companies using Twitter this way include Microsoft for the Xbox, Time Warner Cable, and Dell, though with a bit of searching you'll find a ton more.
1. Get Specific Answers and Advice from a Knowledgeable Pool
Those that follow us on Twitter know that one of our favorite uses is asking you guys questions and getting specific advice. Whether you're looking for the best app for a particular job, the best coffee in New York, or just advice on a good new band to listen to, the Twitterverse has opinions and they aren't afraid to share them. The more followers you have, the more answers you'll get, obviously—but if you can get a few more popular followers, you can often get your question retweeted and get a lot of good advice back.
These are some of our favorite clever uses we've discovered over the years, but there's bound to be more out there. So if you have a clever way of using Twitter (productive or not), be sure to share it with us in the comments below.

Audit executives stand by Sarbox, 22 March 2011

We're seeing some major efforts in Congress right now to roll back previously enacted reform efforts, like credit and debit card reform measures, the Dodd-Frank Act, the Patriot Act and the Obama Healthcare initiative. It remains to be seen if these efforts will ever prove successful.
But we can look to Sarbanes-Oxley for an example of how legislation that is reviled can sometimes emerge as something that regulated entities eventually support.
A new survey of more than 300 chief audit executives by Grant Thornton has found that the vast majority, nearly 90 percent, do not believe the Sarbanes-Oxley Act of 2002 should be repealed. There was a day when that number would have been a lot lower. Frankly, the act has never been this popular.
So, is this legislation showing the way for laws that are currently unpopular? Maybe.
Early on, people spared no insult for Sarbox, which ended up being very expensive for companies large and small. But after years of working through the issues, the big companies eventually cracked the nut and were able to impressively streamline their 404 processes. These days, they have the process down to a science.
As for small companies, Dodd-Frank gave them a permanent reprieve from 404(b). It may be that once companies take the initial hit on some reform measures, they might end up better off.
That said, this argument will likely not prove persuasive with those who oppose the current crop of new regulations.

Eight Breach Prevention Tips

Don't Overlook These Breach Prevention Measures
March 7, 2011 - Howard Anderson, Executive Editor, HealthcareInfoSecurity.com

To prevent healthcare information breaches, a growing number of organizations are encrypting information stored on laptops and other portable devices. As they prepare comprehensive risk management strategies, however, hospitals, clinics and others must make sure they don't overlook other important breach prevention steps, security experts advise.
Following are eight breach prevention tips gathered at the recent Healthcare Information and Management Systems Society Conference. These steps also can play an important role in complying with the privacy and security provisions of HIPAA and the HITECH Act.

1. Make Broader Use of Encryption
Adam Greene, senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, points out that although HIPAA and the HITECH Act don't explicitly mandate the use of encryption, the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."
Terrell Herzig, information security officer at UAB Medicine, urges hospitals, clinics and others to expand encryption beyond mobile devices and desktops to include USB drives, CDs and DVDs as well (See: Overlooked Breach Prevention Steps).

And far too many organizations are neglecting to use secure e-mail, says Willie Williams III, managing partner at The Kiran Consortium Group. Including patient information in e-mail that lacks encryption is extremely risky and can lead to a breach, he stresses.

2. Use Business Associate Agreements
Although pending HIPAA modifications make it clear that business associates must now comply with HIPAA, business associate agreements still are essential, Greene says. The agreements offer an "important opportunity" to spell out the role of the business associate in protecting patient information and preventing breaches, he stresses.
Williams points out that hospitals, for example, should "write into their business associate agreements how their partners, including consultants, will protect any patient information they remove from the hospital on a laptop."

3. Consider Role of Cloud Computing
Consultant Patricia Dodgen of Hielix advises smaller clinics to consider using the software-as-a-service model of cloud computing when adopting EHRs because it offers a level of security that clinics cannot provide on their own servers. She also says remotely hosted EHRs offer better backup services (See: EHRs and Cloud Computing).
But Feisal Nanji, executive director at the security consulting firm Techumen, urges healthcare organizations to require that cloud computing vendors "provide detailed documentation of how they are protecting their data centers" to prevent breaches. He also says those considering using cloud computing should get a clear understanding of "how computers will be authenticated to either provide information or receive it."

A recent New York health information breach involving the theft of unencrypted backup tapes, which may have affected as many as 1.7 million individuals, may lead more organizations to investigate using backup storage in the cloud.

"Many organizations are phasing out physical backup media in favor of backup over the Internet," says security specialist Kate Borten, president of The Marblehead Group. "Of course, that has its risks too, unless proper security measures are followed." (See: Privacy Protections for Backup Files)

4. Use Two-Factor Authentication
Using two-factor authentication can support efforts to more effectively control access to protected health information and prevent breaches, says Herzig of UAB Medicine. The integrated delivery system in Birmingham, Ala., recently shifted from hardware tokens to software tokens that run on mobile devices.
"We received complaints about the inconvenience of hardware tokens," Herzig says. As more clinicians were using a variety of mobile devices to remotely access patient information, UAB determined that an applet that generates a one-time password on any mobile device would be more practical, he explains.

5. Develop a Social Media Policy
Lee Aase, director of the Mayo Clinic Center for Social Media, advises healthcare organizations that are making broader use of social media to educate staff members about appropriate uses of the new media by using a combination of blogs, webcasts, conferences and other options (See: Mayo Clinic's Insights on Social Media).
Mayo's social media guidelines are based on its existing, broader policies regarding maintaining patient privacy, guarding trade secrets, using the Internet during work hours and other issues, Aase points out. He also stresses the need to develop a corporate culture that emphasizes serving the best interests of patients, including maintaining their privacy.

6. Monitor Document Shredding
Shredding documents is an effective strategy to protect the privacy of personal information and prevent breaches, says UAB's Herzig. But when his organization audited the work of its new shredding vendor, "we discovered that in actuality they were leaving a lot of the material in an unsecure location to pre-stage it," he says.
"It's a case in point. You have to audit every one of your security controls to make sure they are operational and effective."

7. Destroy Unused Drives, Tapes
Herzig also says hospitals need to develop more effective, affordable methods to properly dispose of unused media, such as hard drives or backup tapes. He says degaussing magnetic storage media can prove difficult, and overwrites of data can be time-consuming.
So instead, UAB uses an onsite industrial crusher to destroy old drives. "We pulverize our hard drives into half-inch squares," he says. By destroying drives onsite, UAB can easily track the chain of custody and issue a certificate of destruction, he adds.

8. Use DLP as Educational Tool
UAB generates weekly security reports using a data loss prevention application. For example, the reports pinpoint inappropriate uses of e-mail that were prevented.
"We sanitize the data in these reports and use it in our corporate compliance education courses," Herzig says. Such educational efforts can play a critical role in preventing breaches, he adds.

It's Time to Invest in Your IT Team

Skills to invest in for 2011 and beyond.

By Don Jones, 03/01
Troubleshooting Skills
In my practice as a strategic consultant, I see an incredible lack of troubleshooting skills within organizations. That means when problems occur, those organizations spend an unacceptably long amount of time resolving issues and stabilizing the production environment. Unfortunately, troubleshooting skills are hard to teach.

You can, however, encourage your team to deliberately develop and refine its experience, which leads directly to more efficient troubleshooting. Have a brief meeting every month (and no, I can't believe I'm recommending more meetings rather than fewer) where you review the problems of the previous month and ask one team member to describe what went wrong, what fixed the problem and why the fix worked.

Automation Skills
It pains me every time I see someone performing some rote task, such as creating new user accounts using a GUI console. C'mon, it's 2011 -- surely we can start letting the computers do the mundane, repetitive stuff, right?

In the Microsoft world, that means investing in Windows PowerShell. A solid understanding of command-line administration also engenders a better understanding of the technology you're administering ... which leads to better troubleshooting skills, too.

I've been careful to write command-line administration and not scripting. A lot of Microsoft-focused admins have a huge fear of, distaste for or disinterest in "programming," and they correctly see scripting as a kind of lightweight programming. No problem: A major benefit of Windows PowerShell is that you can be extremely effective without learning to program. That's a main focus of the classes I teach, and it's a message that's been going over gangbusters with hundreds of administrators every year. Sure, for those admins who do have some programming experience and who enjoy scripting, Windows PowerShell steps up and lets them be extremely powerful -- but it doesn't leave you out in the cold if you're not ready to fire up Visual Studio, either.

Based on what I'm seeing some of my largest clients (banks, pharmaceuticals, telecoms and manufacturing firms) do, Windows PowerShell could well be the most important IT investment you'll make in the next five or six years. Some of my customers have documented clear returns on training investment in just a few months, simply by automating tasks and freeing up administrator time for other projects and issues.

A New Version
Finally, make sure every one of your team members becomes well-versed in the latest version of at least one product or technology that he works with, along with details on how to deploy it. Even if you're not planning to actually deploy that version of that product, get someone up to speed on it.

You never know when you may suddenly have to change your mind about that version, and having an expert on staff will make things easier. Also, the "skip a version" mindset might work well from a financial perspective, but it results in a huge skills deficit. Skip version 4, and your team will be even less prepared for versions 5 and 6, which will doubtless build on version 4. So if version 4 is what's new right now, at least have someone gain a basic familiarity with it. Today's cheap virtual machine technologies make it easy to create a test lab where someone can spend some time with the new technology. Make this project a part of each team member's formal goals for the year.

