So information security in financial reporting is unnecessary? So you think… I guess you’re not following the HQ-Bank saga in Sweden? Well the stars of this saga are going to prison to pay for falsification of financial information. It seems that even the KPMG auditor (Johan Dyrefors) approved 2009 and 2010 accounts. Credit to KPMG that it didn’t get approved internally. Evidence of malpractice started in 2009. It seems that this was just the tip of the iceberg of accounting malpractices for HQ-Bank.

You know information security is not purely about protecting the confidentiality of financial information, it is about protecting its integrity; ensuring absolute traceability back to the originating source, which is the identity in whichever role they are acting within when financial records are submitted. The financial reports that are submitted should be digitally time-stamped and digitally signed to protect integrity.

It is XBRL that gives transparency. XBRL gives a single language for all financial information from creation through to consumption. However in order to enforce Accountability, Responsibility and Traceability (ART), i.e. quality and integrity in financial reporting, you need information security. You know those deep cryptographic magical stuff that tells you if the financial information has been tampered with.

Lars Berlöf is going to be talking about this at the Nordic IT Security Conference on 5th November, I may even keep him company on stage, for a short time 😉 Lars knows about the challenges of transparency in financial reporting and is driven to enforce traceability hence, legality in all financial reporting, in Sweden, and across the whole world!

Here is a taster of what we will be talking about……

When the identity and associated roles -that trigger and consume- the digital interaction are not an integral part of the process. This means that participating parties cannot be legally held accountable for their actions. Principle consequence is a lack of absolute traceability in your organisation, and if there is some legal requirements, a need for manual paper processes to run in parallel with the digitised processes.

There are additional consequences:

  • a lack of traceability gives limited transparency which means you don’t have control over the information in your organisation.
  • When legality comes into play, there is the extra cost of running the digitised process parallel with a manual process.
  • From a compliance perspective, although you can assign responsibility to roles, you cannot tie accountability with the responsibility because the -so called- identities and appointed roles are not really a part of the digital interaction.
  • From a security angle, the risks to the integrity and confidentiality of your information is increased as the identity, or lack of a strong digital identity weakens the complete digital interaction/cycle.

Although many identity products tout to solve this problem, they do not. The reason why is that they are based on the use of a digital identity, and as I mentioned in the first post in this series, digital identities as used in main today are not identities at all! They weaken with exposure, not reflecting the real world whereby our physical identity strengthens with exposure. They are not people-centric but database/directory centric. This presents significant risks to the integrity and confidentiality of all digital interactions.

So in returning to the original question. The answer is when the digital interaction is pulling identities from a database or directory, not from the identity holder. What is needed is to weave a digital identity that is centric to the individual, one that is strengthened by reference authorities into the digital interaction. This is a true digital interaction anything less is not a digital interaction at all.

Check out this rather interesting project going on A4Cloud. Hewlett-Packard is one of its main sponsors.

How about this for transparency, it is called Uchaguzi? In Kenya the government have implemented an infrastructure that surfaces everything that is going on in the country. It is the Kenyan citizens that report into this using their social media, e.g. SMS, twitter, email, etc.

The interface is simple to understand. It has in red colour the negative disturbances and in green the peaceful events for example.

I love it!
I wonder what Uchaguzi means? It is Swahili apparently.

Cyber Intelligence Sharing and Protection Act (CISA) is not aligned with civil and privacy rights of the individual according to privacy advocates such as Electronic Frontier Foundation and Avaaz.org.

Neither Microsoft or Facebook support this bill. Imagine that everything you post on FB to be available for government authorities? Fine if you trust them I suppose, but I don’t.

Why is not crowdsourcing used more in the fight against terrorism? Transparency and the power of the people, of whom most want a safe society could provide an all encompassing safetynet. Crowdsourcing for example is starting to be used to locate missing persons and children, it is very powerful. There are so many people out there that can make a positive difference to this broken world we live in.

This video gives a nice and clear description of your right for privacy and transparency as an EU data subject. It’s not particularly entertaining but worth hanging in there. The message is important. http://www.youtube.com/watch?v=LqYlZosqpPE&sns=em

A recently passed amendment to the EU Privacy Directive will require Internet users’ consent before cookies can be placed on their computers. This is part of a revised ePrivacy Directive that is close to enactment, that includes improvements on security breach, cookies and enforcement. The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The revised ePrivacy Directive must be implemented by the Member States within 18 months.

The changes introduced include:

    For the first time in the EU, a framework for mandatory notification of personal data breaches . Any communications provider or Internetservice provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
    Reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
    The possibility for any person negatively affected by spam , including ISPs, to bring effective legal proceedings against spammers;
    Substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

What this means is that the current laws that the data subject has increased protection online. If their personal data has been exposed, they must be notified. As such they must be informed if personal information on them is being collected, and they should have the option to opt-out (or more preferably opt-in). This is not possible with the way cookies are used today where they are just downloaded onto the users’ PCs without warning. All security to warn the user of tracking cookies are provided by the web-browser. This will now have to be included in the cookie itself.. I think. Any experts out there that know how this could work in practice, please jump in here and comment 🙂

I also read some references to how the use of RFID for the collection of personal information falls in the scope of this amendment.

And finally enforceability is key. Hence each member state must have the appropriate legilsation implemented to make this amendment effective and enforceable.