Have a Smooth Ride
Directory Control
In order to know that, you need the ability to "look down the wire and see what people have on their desktop," Heeley explains, which also enables a variety of risk management controls. One example is making sure all software is appropriately paid for and licensed. "For that we needed to have an asset management system that could track the number of copies of a given package we had on desktops, relative to the licenses we've purchased," Heeley says. Because the Peregrine system connects with R&SA's procurement system, "if, say, I need a copy of Visio, I go to the procurement system to buy it, that system tells the asset database it's OK for this particular user to have a copy of the software, and I use our software distribution tool to obtain it."
The tool can also minimize employee misuse of the network, according to Heeley. "If someone downloads something they shouldn't have from the Internet to their desktop, such as something pornographic or otherwise inappropriate for business use, the asset system will detect that," which he adds can minimize the potential of a lawsuit brought by another employee.
In order to improve its control over what resides on employee desktops, Blue Cross Blue Shield South Carolina's (BCBS-SC, Columbia, SC) IT department is rolling out release 2.0 of Microsoft's SMS software distribution and remote control product set, according to Jeff Macabee, director of security and disaster recovery coordination. SMS V2.0 "is integrated with Microsoft's new Active Directory structure, which supplies a lot of new functionality, such as the ability to more easily institute global desktop control policies," he says. "It makes it a lot easier to have a single policy for a particular group of users; wherever they log on to, I push the same policies down to their PCs."
BCBS-SC is less vulnerable than many IT shops in that around 98 percent of its critical data sits in an IBM (Armonk, NY) OS 390 environment. "If someone were able to hack into the system, they still would not be able to get at that 98 percent of our data," says Wayne Roberts, vice president, IS operations. "Our security system on the mainframe for controlling internal access to that is IBM RACF (Resource Access Control Facility)," he adds.
For the remaining vulnerabilities, BCBS uses McAfee's (Sunnyvale, CA) eOrchestrator for virus detection and Checkpoint (Redwood City, CA/Ramat-Gan, Israel) as its major firewall set. The Checkpoint solution "creates logs all the way down to the sites visited, charting when they were visited and what they did at their site. Did they download something or did they move on to a different site?" explains Fred Rowell, assistant vice president, network services. The insurer uses Cisco's (San Jose, CA) IDS solution for network intrusion detection "to ensure we're not opening ourselves up unknowingly," Rowell observes. "It monitors the server or the people trying to engage activity with it. It recognizes patterns or signatures to interpret whether it's a denial of service attempt, or someone trying to hack in, and if it is, it shuts the attempt down and logs it."
For Internet security, BCBS-SC uses Atlanta-based Internet Security Systems' ISS (Internet Security Scanner), which Rowell characterizes as "probably the premier product set in the marketplace." The carrier augments ISS with a variety of freeware and shareware products because "we try not to believe just one source of data," Rowell says. "We always try to augment any source with some other product, and in the past that has served us very well."
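The two controls Heeley describes, counting installed copies against purchased licenses and checking that each copy was obtained through the procurement channel, reduce to a reconciliation between an inventory scan and two reference tables. The following is an added illustration written for this article, not R&SA's Peregrine configuration or any vendor's code; the hosts, users, package names, license counts and approvals are constructed sample data.

```python
"""Reconcile a desktop software inventory against purchased licenses and
procurement approvals.

Added example, not R&SA's Peregrine setup. All records below are
constructed sample data (hypothetical hosts, users and packages).
"""
from collections import Counter

# Constructed inventory: one record per (host, user, package) found by a scan.
INVENTORY = [
    {"host": "ws-101", "user": "alice", "package": "Visio"},
    {"host": "ws-102", "user": "bob",   "package": "Visio"},
    {"host": "ws-103", "user": "carol", "package": "Visio"},
    {"host": "ws-104", "user": "dave",  "package": "Acrobat"},
    {"host": "ws-104", "user": "dave",  "package": "ShadyShare"},  # never purchased
]

# Constructed license entitlements: package -> number of copies purchased.
LICENSES = {"Visio": 2, "Acrobat": 5}

# Constructed procurement approvals: (user, package) pairs the procurement
# system has told the asset database are allowed (the "it's OK for this
# particular user" step in the article).
APPROVALS = {("alice", "Visio"), ("bob", "Visio"), ("dave", "Acrobat")}


def reconcile(inventory, licenses, approvals):
    """Return (over_deployed, unapproved).

    over_deployed: {package: (installed, licensed)} for every package with
                   more installed copies than purchased licenses; a package
                   with no license record counts as 0 licenses.
    unapproved:    inventory records whose (user, package) pair has no
                   procurement approval, i.e. copies that did not arrive
                   through the sanctioned purchase-then-distribute path.
    """
    installed = Counter(rec["package"] for rec in inventory)
    over_deployed = {}
    for package, count in installed.items():
        licensed = licenses.get(package, 0)
        if count > licensed:
            over_deployed[package] = (count, licensed)

    unapproved = [
        rec for rec in inventory
        if (rec["user"], rec["package"]) not in approvals
    ]
    return over_deployed, unapproved


def report(inventory, licenses, approvals):
    """Render the reconciliation as human-readable lines for a compliance review."""
    over_deployed, unapproved = reconcile(inventory, licenses, approvals)
    lines = []
    for package, (count, licensed) in sorted(over_deployed.items()):
        lines.append(f"OVER-DEPLOYED {package}: {count} installed, {licensed} licensed")
    for rec in unapproved:
        lines.append(f"UNAPPROVED {rec['package']} on {rec['host']} for {rec['user']}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY, LICENSES, APPROVALS):
        print(line)
```

On the sample data the report flags Visio (three copies against two licenses) and ShadyShare (installed with no license at all), and lists carol's Visio and dave's ShadyShare as copies that never went through procurement. In practice the inventory would come from the scan tool's export and the approvals from the procurement system's feed; the reconciliation logic itself does not change.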
Fortress BCBS-SC
If the interior of BCBS-SC's IT operation is assiduously secured, the same is true of its exterior. Like most carriers, BCBS-SC came away from 9/11 confident in its contingency plans. Nevertheless, a heightened sense of security did result, manifesting itself in part in physical security measures. "We're installing additional cameras, putting concrete pylons around the data center and putting an access fence around the back so you can't see in," Roberts reports.
Macabee adds that the carrier has also taken a closer look at site access and is installing a Sensormatic Electronic Corp. (Boca Raton, FL) C-Cure card-reader and PIN code access system. "We'll also be evaluating some biometric authentication methods," such as full handprint, fingerprint and retinal scan, he says.
A still more subtle form of operational risk management is practiced by GE Financial Assurance (GEFA, Richmond, VA, $119 billion in assets), which outsources 60 to 70 percent of its IT operations. "We look at it as a way to manage our volume and scale risk," says Scott McKay, CTO. Another benefit is the attenuation of obsolescence risk, attributable to the fact that "certain outsourcers have more scale and better infrastructure management than what we might have in a smaller-scale operation," according to McKay. The outsourcing option also mitigates what he calls "focus-dilution" risk. "Our leadership team has a certain amount of time that we can spend focusing on things" that can be prioritized over what might be left to outsourcing partners, he explains. Finally, GEFA outsources to control "execution capacity" risk, because "we don't necessarily always want to be bound by the number of employees we have versus the amount of business we do."
Of course, outsourcing can be as risk-intensifying as risk-mitigating, and in order for it to work, a high degree of rigor must be exercised both inwardly and outwardly by the insurance carrier, according to McKay. GEFA's internal discipline is fostered by its commitment to Six Sigma quality methodology. "Without strong processing control, it's difficult to effectively outsource," McKay asserts. "If I can't figure out how to do something myself, how is someone else going to do it? That's just passing your problems off."
McKay attributes GEFA's ability to outsource successfully to "our ability to globalize and use global development firms to work with us, our commitment to commodity outsourcing and our effectiveness doing it, and our ability to use both outsourcers as well as our own people to create consistent process delivery."
The inherent risks of outsourcing must be addressed through attention to the partner. "There's certainly one risk from the standpoint of the outsource company's financial state," McKay says. "If you look over the last five years at companies that have been involved in outsourcing, many of them have not been able to stay in business."
Outsourcing Risk
GEFA's procedure is to inquire first about the company's process capability and then to query whether it can execute with regard to compliance to "every form of rule, regulation, customer contract or even 'the-right-thing-to-do' kind of compliance," McKay says. "Then we have to drill into whether their people are licensed and/or the way they're supposed to be, and whether they have done all the background checks required, etc. Then we look at the company as a whole and ask whether it has a good strategy and a viable financial plan. Too often people go into outsourcing and look at it as a purely cost play."
Outsourcing carries risks beyond the control of either company to the partnership, and more so in some geographical contexts than others. As a company with several Asian outsourcing partners, such as Patni Computer Systems (Mumbai, India) and fellow group operation GE Capital International Services (Gurgaon, India), GEFA acknowledges this risk. "You have to have a business continuity plan that can be executed on a real-time fail over, and you have to have an excellent process control system to make sure that any work in process can be migrated," McKay says. Perhaps equally important, he adds, "The process owners, the management responsible for processes, all have to be intimate with and accountable to exactly how the processes are done, who's doing it and where they're doing it, because it's our company, and our face."
-----------------------------------------------
12 Questions Every Insurer Should Ask
In light of the lessons learned, planning considerations and competitive insights, what questions should a well-managed enterprise be asking about operational risk management?
1. Do plans exist for all areas of recovery? Do they work? How do you know? Are plans maintained/tested?
2. Do plans adequately consider the impact of man-made threats such as sabotage, cyber-terrorism, etc.?
3. Is continuous availability of the operation a requirement? How much money would be lost if processes stopped?
4. Can the data center be relocated in an emergency? How do you know?
5. Can all employees be contacted immediately? Key customers? Vendors? Are cell phone numbers available?
6. Can decisions be made if communications are unreliable or key decision-makers cannot be located?
7. Could your staff work from home? Do they have the needed equipment?
8. What would you do if you could never go back to your office again?
9. How concentrated are your people and assets in single facilities or cities?
10. Have all facilities within the enterprise been considered in backup and recovery strategies, or only those within a given business unit?
11. How dependent are you on third-party service providers and suppliers? Are these providers going to weather the current economic downturn?
12. Is there an effective program to prevent and detect threats? Is the security posture of the business routinely assessed?
(Source: "Business Continuity Management: Unique Perspectives from Ground Zero," 2001, Deloitte & Touche.)
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...