From: Dr. M. Fayek Abulela [mailto:dr.abulela@sympatico.ca]
Sent: August 17, 2004 10:32 AM
To: Tom Saar
Subject: Re: Hans Wobbe's views [040817-cda-1]
Hi Tom,

- Thanks very much for the email.
- I have read Hans's referenced paragraphs. Then, I went back and re-read the entire page. [His references to the 1980's "Trans-border Data Flow" issue were very interesting. You may elect to pass on my views on this issue: "The issue was put on the back-burner after the collapse of the USSR, and NOT because it was 'a-storm-in-a-tea-cup'. For example, China is still grappling with the issue."]
- After reading his comments, MY understanding is that, presently, Hans is pitching some solutions to Bell for launching "Certification Services". This is a laudable endeavour for Canadian-based companies. It is urgently needed, AND I do wish him success. However, Hans has NOT addressed the "central issue". You may elect to forward the following for his "thought-process". I shall try to outline the "central issue".
- "Identity-Theft" is the symptom. It is NOT the "central issue".
- Those of us who have worked in, or dealt with, the financial-services industry's IT systems know the REAL issues involved in "security".
- There are TWO basic, but SEPARATE, sides to "security".
- These are the "IT-systems"; and the "physical": premises, media and individuals.
- So long as all the processing functions were under the ONE control of a Canadian financial-services organization, rigorous security procedures and controls were conceived, and RIGOROUSLY effected.
- In their rush to cope with the 2000 recession, so many companies rushed towards the practice of outsourcing to both domestic and overseas third parties.
- There are DEFINITE financial advantages to moving back-office functions and "mundane" payment processing outside the company, and more cost-savings if these functions are moved overseas.
- Some issues were not fully coped with, if NOT TOTALLY swept under the carpet.
- Personnel selection and personnel integrity in third-party companies are among them.
- Irrespective of whether they are domestic or foreign, Internet-web payment third-party companies are just examples of the growing problem.
- At the present time, the reported "POTENTIAL" exposures are in the "Individuals" working in the third-party IT systems, MAINLY in overseas countries.
- These "Individuals" are not vetted with the same close scrutiny that one sees in, e.g., the Canadian banks' IT environment.
- "Identity-Theft" is blamed on some of those "Individuals" who managed to sneak through the vetting process.
- The contention presented had been as follows.
  - The financial data, as well as a significant part of the personal profile in several cases, of an average xyz individual in the USA or Canada [say with a credit limit of U$5,000] are readily available with a third party in a poor country:-
    - Where the highest-paid CEO in IT is making around U$1,000 per annum,
    - With less than average personnel vetting standards in the Human Resources Departments [measured against our Canadian financial-services industries],
    - One would expect that the likelihood is higher for a few unscrupulous individuals being allowed inside the third-party processing cycle.
  - The low pay, the lack of rigorous security measures [as we have, e.g., in the Canadian banks],
  - As well as the irrational "down-sizing" and "right-sizing" in support functions in the overseas IT third-party outfits [which in 80% of the cases include security], all add up to the potential security breaches:-
    - NOT through some system deficiencies,
    - BUT by HUMAN failings.
- From the above review, one can see that the "central issue" is:-
  - Conceiving and implementing "multi-company", "multi-country" "security" measures and procedures,
  - Which go BEYOND the IT systems,
  - And which will cover the entire process dealing with individuals, from hiring staff to releasing staff in the domestic labour market or in foreign countries.
- I tend to believe that one solution by "multinationals", like IBM, is to institute, as part of their third-party protocol / agreement with, say, their Indian or Moroccan third party, a "multinational" supervisory function, ON-SITE, to ensure that these "security" domains [such as personnel, premises, handling of media, etc.] are handled as per the rigour and standards applied at the H.O. of the N. American "multinational".

Best Regards.
Fayek.