Discussion Information Governance

Discussion 1) This week covered how privacy and security align with IG. I want you to research an article from any company from 2015 until now on how they implemented their privacy and security policy for their organization. Identify the areas you feel were beneficial to the organization and identify areas they could have improved on. Make sure you identify how IG was incorporated into the article.


Discussion 2)  

Read the Chapter 23 scenario and address the following question:

“Was Société Générale so focused on achieving growth on many fronts that it neglected to invest in sufficiently robust systems and internal controls?”

Task 3)


Small fill-ins in the Week 5 homework assignment. Just fill in the data in the attached homework doc.

School of Computer & Information Sciences

ITS 835

Chapter 23, “Control Complacency Rogue Trading at Société Générale”

This is a narrated presentation.

Overview

Kerviel’s Trial – A Media Circus

Société Générale – The Rise of Trading

Jerome Kerviel

Discovery, Damage Control, and Retribution

Postmortem

– Managerial Supervision

– Control Environment

– System Reliability

– Risk-Sensitive Culture

What Actually Happened

Kerviel’s Trial – A Media Circus

• The criminal trial of 33-year-old Jerome Kerviel started in Paris’s Palais de Justice. The charges were forgery, abuse of trust, and illegal use of computers. Between the announcement of Société Générale’s losses and the commencement of the trial, media attention was high because Kerviel claimed he was a scapegoat for high-risk trading practices that were condoned by Société Générale when profitable.

• Société Générale maintained that Kerviel was a rogue trader who single-handedly developed methods to conduct unauthorized trading without being detected and used them to take massive trading positions that ultimately backfired when markets turned against him.

• Global financial markets were slow to recover from the 2008 crisis, but memories of Société Générale’s trading losses remained vivid because, at the time of its announcement in 2008, the incident seemed to confirm investors’ worst fears that banks in general were taking massive amounts of risk far beyond their traditional lines of business.

Société Générale – The Rise of Trading

• From 1999 through 2006, Société Générale’s net income increased 164 percent, from €2 billion annually to €5.2 billion. Its retail and investment management businesses both prospered during this period, but the main driver of this higher profitability was its Corporate and Investment Banking (CIB) division, whose net income increased 230 percent, from €708 million annually to €2.3 billion.

• Société Générale was not alone in pursuing growth in the early 2000s through expansion of its trading and capital markets business. Its larger rival, BNP Paribas, adopted the same strategy, as did other major banks in other countries such as the United Kingdom, Germany, and the United States.

• For other major banks, this strategy backfired when their fixed income desks became deeply involved in structuring, selling, and trading credit derivatives and debt securities backed by U.S. residential mortgages and were unable to avoid massive write-downs and funding crises when global credit markets seized up in the second half of 2008.

Jerome Kerviel

• Kerviel’s position in Société Générale’s CIB was unlikely to be noticed because he was one of seven traders in the Delta One Listed Products (DLP) team, part of the Equity Finance section in the Equity Arbitrage group of the CIB’s Global Equities & Derivative Solutions (GEDS) business unit.

• GEDS volatility traders were charged with profiting from directional trading positions, while the arbitrage traders looked to profit from long/short combinations of offsetting positions by capturing mispricing between assets with similar market sensitivity. A common feature of arbitrage trading is that price differentials are typically very small, which requires large notional amounts of offsetting trades in order to capture meaningful profits.

• Kerviel began experimenting with directional positions during his first year as a Delta One trader, creating small index futures and cash equity positions that he closed out before the end of each day. He ventured into overnight trading, and a €10 million overnight cash equity position drew little concern in 2005. To go unnoticed he began creating fictitious trades to offset DLP’s books.

Discovery, Damage Control, and Retribution

• In 2008 Kerviel resumed his unauthorized directional trading, confident in his ability to keep calling market movements correctly and hiding his profits. Convinced that European stock markets would extend their November rally into 2008, he began a series of unauthorized equity index futures purchases that reached a new peak of €49 million.

• His strategy unravelled because of an administrative, not operational, slip. Kerviel changed the counterparty of the fictitious trades concealing his 1.5 billion profits from a Société Générale affiliate to an unsuspecting third-party counterparty. However, the counterparty selected did not have a collateral agreement in place with Société Générale, which triggered a massive overage in the counterparty’s credit value at risk (CVaR) limit.

• Queried by risk management, Kerviel canceled the fictitious trades and created a provision in order to keep his 2007 profits. He calculated an amount for the provision that would leave 15 million of his undisclosed profits to be accounted for in DLP’s 2007 year-end trading results.

Postmortem

• Internal and external investigations into how Société Générale’s management and control environment allowed Kerviel to conduct his unauthorized trading revealed a range of failings.

▪ Managerial Supervision

  ▪ No explicit requirement to monitor cash movements.

▪ Control Environment

  ▪ No limit on notional transaction volumes or cash movements.

  ▪ GEDS’s office support for DLP was separated into four different operations groups.

▪ System Reliability

  ▪ Faulty security protocols allowed employees to continue to access and change system records after they changed departments.

▪ Risk-Sensitive Culture

  ▪ Identified cultural deficiencies: specifically, DLP’s trading oversight and control personnel were not trained or instructed to be alert for fraud and were slow and lax in responding.

What Actually Happened

CHAPTER 11

INFORMATION GOVERNANCE

Information Governance and Information Privacy & Security Functions

ITS 833

Dr. Mia Simmons

Chapter Overview

■ This chapter will cover pages 207-236 in your book.

■ This chapter discusses how privacy & security align directly with the success of Information Governance.


Privacy

■ Privacy cannot be protected without implementing proper security controls and technologies.


Insider Threat: Malicious or Not

■ Countering the Insider Threat

– Insider threat breaches can be more costly than outsider breaches.

■ Malicious Insider

– Malicious insiders have many methods at their disposal to harm the organization by destroying equipment, gaining unsanctioned access to IP, or removing sensitive information by USB drive, e-mail, or other methods.

■ Nonmalicious Insider

– The majority of users indicated having sent out documents accidentally by email.

■ Solution

– Companies need to take a hard look and see whether they have any effective IG enforcement and document life cycle security (DLS) technology, such as information rights management (IRM), in place.


Privacy Laws
■ The Federal Wiretap Act “prohibits the unauthorized interception and disclosure of wire, oral, or electronic communications.”

■ In the United Kingdom, privacy laws and regulations include these:

– Data Protection Act 1998

– Freedom of Information Act 2000

– Public Records Act 1958

– Common law duty of confidentiality

– Confidentiality: National Health Service (NHS) Code of Practice

– NHS Care Record Guarantee for England

– Social Care Record Guarantee for England

– Information Security: NHS Code of Practice

– Records Management: NHS Code of Practice

■ Redaction is the process of blocking out sensitive fields of information.


Limitations of Perimeter Security

■ The perimeter security approach has four fundamental limitations:

1. Limited effectiveness. Perimeter protection stops dead at the firewall, even though sensitive information is sent past it and circulates around the Web, unsecured. Today’s extended computing model and the trend toward global business mean that business enterprises and government agencies frequently share sensitive information externally with other stakeholders, including business partners, customers, suppliers, and constituents.

2. Haphazard protections. In the normal course of business, knowledge workers send, work on, and store copies of the same information outside the organization’s established perimeter. Even if the information’s new digital environment is secured by other perimeters, each one uses different access controls or sometimes no access control at all (e.g., copying a price list from a sales folder to a marketing folder; an attorney copying a case brief or litigation strategy document from a paralegal’s case folder).

3. Too complex. With this multi-perimeter scenario, there are simply too many perimeters to manage, and often they are out of the organization’s direct control.

4. No direct protections. Attempts to create boundaries or portals protected by perimeter security, within which stakeholders (partners, suppliers, shareholders, or customers) can share information, cause more complexity and administrative overhead while failing to protect the e-documents and data directly.


Controlling Access Using Identity Access
Management

■ IAM—along with sharp IG policies—“manages and governs user access to information through an automated, continuous process.”

■ A robust and effective IAM solution provides for:

– Auditing. Detailed audit trails of who attempted to access which information, and when. Stolen identities can be uncovered if, for instance, an authorized user attempts to log in from more than one computer at a time.

– Constant updating. Regular reviews of access rights assigned to individuals, including review and certification of user access, an automated recertification process (attestation), and enforcement of IG access policies that govern the way users access information with respect to segregation of duties.

– Evolving roles. Role life cycle management should be maintained on a continuous basis, to mine and manage roles and their associated access rights and policies.

– Risk reduction. Remediation regarding access to critical documents and information.
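As an added example (not code from the chapter or from any IAM product), the auditing check described above: the script parses a constructed login/logout audit trail and flags a user whose session is still open on one workstation when a login arrives from a different one. The line format, user names and workstation names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample IAM audit trail (not from the chapter), one event per line:
# ISO timestamp, user, workstation, event (login/logout).
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:58:10 alice WS-0142 login
2024-03-04T09:02:41 bob WS-0077 login
2024-03-04T09:15:03 alice WS-0391 login
2024-03-04T09:20:00 alice WS-0142 logout
2024-03-04T12:01:55 bob WS-0077 logout
2024-03-04T12:05:12 bob WS-0077 login
2024-03-04T17:30:00 alice WS-0391 logout
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(login|logout)$")


def parse_events(text):
    """Turn raw audit lines into (timestamp, user, host, event) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, user, host, event = m.groups()
        events.append((datetime.fromisoformat(ts), user, host, event))
    events.sort(key=lambda e: e[0])  # process in time order
    return events


def find_concurrent_logins(text):
    """Return alerts for users who log in from a second workstation while an
    earlier session on a different workstation is still open.

    Each alert is (user, existing_host, new_host, timestamp_of_new_login).
    A re-login on the same workstation after a logout is not an alert."""
    active = {}  # user -> set of workstations with an open session
    alerts = []
    for ts, user, host, event in parse_events(text):
        hosts = active.setdefault(user, set())
        if event == "login":
            for existing in sorted(hosts - {host}):
                alerts.append((user, existing, host, ts))
            hosts.add(host)
        else:
            hosts.discard(host)
    return alerts


if __name__ == "__main__":
    for user, old, new, ts in find_concurrent_logins(SAMPLE_AUDIT_LOG):
        print(f"{ts.isoformat()} {user}: session open on {old}, new login from {new}")
```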


Enforcing IG: Protect Files with Rules
and Permissions

■ Rules and permissions specify who (by role) is allowed access to which documents and information, and even contextually from where (office, home, travel) and at what times (work hours, or extended hours).

■ To effectively wall off and secure information by management level, many companies and governments have put in place an information security framework—a model that delineates which levels of the organization have access to specific documents and databases as a part of implemented IG policy.


Apply Better Technology for Better
Enforcement in the Extended Enterprise

■ Protecting E-Documents in the Extended Enterprise

– Sharing e-documents and collaborating are essential in today’s increasingly mobile and global world.

■ Basic Security for the Microsoft Windows Office Desktop

– A key flaw or caveat is that passwords used in protecting documents cannot be retrieved if they are forgotten or lost.

■ Where Do Deleted Files Go?

– Most users are unaware that deleted files and fragments of documents and drafts are stored temporarily in their computer’s unallocated space.

■ Lock Down: Stop All External Access to Confidential E-Documents

– These methods are effective in highly classified or restricted areas where confidential e-documents are held.


Apply Better Technology for Better
Enforcement in the Extended Enterprise

■ Secure Printing

– You simply invoke some standard Microsoft Office protections, which allow you to print the documents once you arrive in the copy room or at the networked printer.

■ Serious Security Issues with Large Print Files of Confidential Data

– To help secure print files, specialized hardware devices are designed to sit between the print server and the network and cloak server print files, so that they are visible only to those who have a cloaking device on the other end.


Secure Communications Using
Record-Free E-Mail

■ Stream messaging is a simple, safe, secure electronic communications system ideal for ensuring that sensitive internal information is kept confidential and not publicly released.

■ Stream messaging separates the sender’s and receiver’s names and the date from the body of the message, never allowing them to be seen together. Even if the sender or receiver were to attempt to make a copy using the print-screen function, these elements are never captured together.

■ Stream messaging is unique because its technology effectively eliminates the ability to print, cut, paste, forward, or save a message.


Digital Signatures

■ A digital signature provides evidence demonstrating to a third party that the signature was genuine, true, and authentic, which is known as nonrepudiation.

■ Digital signatures can be implemented in a variety of ways—not just through software but also through firmware (programmed microchips), computer hardware, or a combination of the three.

■ A formal, trusted certificate authority (CA) issues the certificate associated with the public-private key.


Document Encryption

■ There are e-records management implications of employing document encryption:

– Unless it is absolutely essential, full document encryption is often advised against for use within electronic records management systems, as it prevents full-text indexing and requires that the decryption keys (and application) are available for any future access. Furthermore, if the decryption key is lost or


Data Loss Prevention (DLP)
Technology

■ The aforementioned document security challenges have given rise to an emerging but critical set of capabilities offered by a new breed of IT companies that provide data loss prevention (DLP) (also called data leak prevention).

■ Basic DLP Methods. DLP solutions typically apply one of three methods:

1. Scanning traffic for keywords or regular expressions, such as customer credit card or Social Security numbers.

2. Classifying documents and content based on a predefined set to determine what is likely to be confidential and what is not.

3. Tainting (in the case of agent-based solutions), whereby documents are tagged and then monitored to determine how to classify derivative documents. For example, if someone copies a portion of a sensitive document into a different document, this document receives the same security clearance as the original document.
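As an added illustration of method 1 (regular-expression scanning), not code from the chapter or any DLP vendor: a scanner that looks for payment card numbers and Social Security numbers in a constructed outbound message, then applies the Luhn checksum and the SSA structural rules so that look-alike digit runs (an invoice number, a ticket id) are not flagged. The patterns and the sample text are assumptions.

```python
import re

# Constructed sample outbound message (not from the chapter). Line 2 holds a
# Luhn-valid test card number, line 3 a digit run that fails Luhn, line 4 a
# plausible SSN plus a ticket id in SSN shape that the SSA rules exclude.
SAMPLE_MESSAGE = """\
Hi team, attaching the Q3 customer export.
Card on file: 4111 1111 1111 1111 (exp 09/27)
Invoice number 1234-5678-9012-3456 is unrelated.
Applicant SSN 219-09-9999; reference code 900-45-6789 is a ticket id.
"""

# Candidate patterns: 13-19 digits with optional space/dash separators,
# and the AAA-GG-SSSS shape of a Social Security number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Structural rules published by the SSA: area is not 000, 666 or
    900-999; group is not 00; serial is not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_for_sensitive_data(text):
    """Return (kind, line_no, masked_value) findings; the full value is never
    copied into the finding, only its last four digits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(("credit_card", line_no, "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(("ssn", line_no, "***-**-" + m.group(3)))
    return findings


if __name__ == "__main__":
    for kind, line_no, masked in scan_for_sensitive_data(SAMPLE_MESSAGE):
        print(f"line {line_no}: {kind} {masked}")
```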


Missing Piece: Information Rights Management (IRM)

■ The term “IRM” is used when referring to this technology set, so as not to be confused with electronic records management. Major software companies also use the term “IRM.”

■ The ability to apply security to an e-document in any state (in use, in motion, and at rest), across media types, inside or outside of the organization, is called persistent security.

■ Three requirements are recommended to ensure effective IRM:

1. Security is foremost; documents, communications, and licenses should be encrypted, and documents should require authorization before being altered.

2. The system can’t be any harder to use than working with unprotected documents.

3. It must be easy to deploy and manage, scale to enterprise proportions, and work with a variety of common desktop applications.


Policy Creation and Management
■ The IG policy defined for a document type includes the following controls:

1. Viewing

2. Editing

3. Copy/Paste (including screen capture)

4. Printing

5. Forwarding e-mail containing secured e-documents

■ Decentralized Administration

– One of the key challenges of e-document security has traditionally been that a system administrator had access to documents and reports.

■ Integration

– The best approach is to target one critical department or area with a strong business need and to keep the scope of the project narrow to gain an early success before expanding the implementation into other departments.

– IRM embeds protection into the data (using encryption technology), allowing files to protect themselves.


Embedded Protection

■ Locking down data involves encryption in one form or another:

1. E-mail encryption

2. File encryption

3. Full Disk Encryption (FDE)

4. Enterprise-wide encryption

■ These encryption solutions can be divided into two categories:

1. Encryption in transit (e.g., e-mail encryption)

2. Encryption at rest (e.g., FDE)


Approaches for Securing Data Once It
Leaves the Organization

■ Forrester has developed a new network architecture that builds security into the DNA of a network, using a mixture of five data security design patterns:

1. Thin client. Access information online only, with no local operations, using a diskless terminal that cannot store data, documents, or programs, so confidential information stays stored and secured centrally.

2. Thin device. Devices such as smartphones, which have limited computing resources and are used for Web surfing, e-mail, and basic Web apps that locally conduct no real information processing, are categorized as thin devices.

3. Protected process. This approach allows local processing on a PC where confidential e-documents and data are stored and processed in a partition that is highly secure and controlled.

4. Protected data. Deploying IRM and embedding security into the documents (or data) provides complete DLS.

5. Eye in the sky.


Document Labeling
■ Document Labeling

– Document labeling is “an easy way to increase user awareness about the sensitivity of information in a document.”

– The challenge is to standardize and formalize the process of getting the label onto the document—enterprisewide.

■ Document Analytics

– Document analytics allows a compliance officer or system administrator to view exactly how many documents a user accesses in a day and how many documents the user accesses on average.


Confidential Stream Messaging
■ The ePolicy Institute offers seven steps to controlling stream messaging:

1. Work with your legal counsel to define “business record” for your organization on a companywide basis.

2. Work with your legal counsel to determine when, how, why, and with whom confidential stream messaging is the most appropriate, effective—and legally compliant—way to hold recordless, confidential business discussions when permanent records are not required.

3. In order to preserve attorney-client privilege, a phone call or confidential electronic messaging may be preferable to email.

4. Define key terms for employees.

5. Implement written rules and policies governing the use of email and confidential stream messaging.

6. Distribute a hard copy of the new confidential messaging policy, the email policy, and the policies for other electronic communications (e.g., social media, blogs).

7. Educate, educate, educate. Ensure that all employees who need to know understand the difference between email, which leaves a potential business record, and stream messaging, which does not and is confidential.


Chapter Summary
■ Data governance software is another tool that looks at who is accessing which documents and creates a matrix of roles and access along behavioral lines.

■ Encrypting sensitive e-mail messages is an effective step to securing confidential information assets while in transit. Encryption can be applied to desktop folders and files.

■ For e-mail communication with no trace or record, stream messaging is a solution.

■ Digital signatures authenticate the identity of the signatory and prove that the signature
was, in fact, generated by the claimed signatory. This is known as nonrepudiation.

■ Data loss prevention technology performs a “deep content inspection” of all e-documents
and e-mails before they leave the organization’s perimeter to stop sensitive data from exiting
the firewall.

■ DLP can be used to discover the flow of information within an organization. Additional
security tools can then be applied. This may be the best use for DLP.

■ Information rights management software enforces and manages use rights of electronic
documents. IRM provides a sort of security wrapper around documents and protects
sensitive information assets from unauthorized use or copying. IRM is also known as
enterprise rights management.

■ Persistent security tools like IRM should be enforced on price lists, proprietary blueprints,
and CAD designs. Printing these documents should be highly restricted.

■ Most legacy or first-to-market providers of IRM focused on internal sharing and are heavily
dependent on Microsoft Active Directory and lightweight directory access protocol (LDAP) for
authentication. These early solutions were not built for cloud use or the distributed
enterprises of today, where mobile devices are proliferating.


Information Governance

Chapter 11

Complete Week 10 Objectives

Name:

In this assignment, you must answer the “Answer Implying Guilty,” and the “Answer Implying Not Guilty” questions. Both responses must start by stating either “Yes” or “No” for each charge and a brief summary that explains why. One example of the first question was provided.

IMPORTANT: ALL IMPLYING GUILTY ANSWERS ARE NOT ALWAYS “NO” RESPONSES AND ALL IMPLYING NOT GUILTY ANSWERS ARE NOT ALWAYS ‘YES’ RESPONSES.

Question 1 (EXAMPLE): Could other DLP traders have manipulated GEDS’s transaction systems like Kerviel did?

Answer Implying Guilty: No, the methods employed by Kerviel were so intricate that no one else could have replicated them.

Answer Implying Not Guilty: Yes, Kerviel did not have to customize the systems in any way in order to conceal his unauthorized and fictitious trades.

Question 2: Was it typical for middle office employees to be promoted to the front office?

Answer Implying Guilty:

Answer Implying Not Guilty:

Question 3: When Kerviel worked in the middle office, did he show any unusual aptitude for manipulating the transaction systems?

Answer Implying Guilty:

Answer Implying Not Guilty:

Question 4: Did DLP have any rules or disincentives designed to deter traders like Kerviel from undertaking unauthorized trading?

Answer Implying Guilty:

Answer Implying Not Guilty:

Question 5: Why did Kerviel make such huge bets when he did not derive any personal benefit from the profits?

Answer Implying Guilty:

Answer Implying Not Guilty:
