Wednesday, 26 March 2014

What is privileged access? - A definition of privileged access from review of US financial institution regulation and ISO 27002

Why is it important to understand what privileged access is? Some examples of what can happen when privileged access is not managed appropriately show why it needs to be understood:

  • March 2002 – It was reported that Roger Duronio brought down 2,000 business critical servers, including trading servers, with a logic bomb at UBS, costing $3.1m in restoration costs and unknown business losses during the downtime [i].
  • January 2008 – It was reported that Jérôme Kerviel lost Société Générale €4.9bn in trades, purportedly utilising privileged access accumulated from his previous and last roles in the bank [ii].
  • January 2009 – It was reported that Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb that could have cost Fannie Mae “many millions of dollars”, using his privileged access [iii].

From these cases, the impact of not understanding and appropriately controlling privileged access is clearly significant. The primary challenge in implementing privileged access policies and controls is the lack of a clear definition of what privileged access is.

Fortunately, US financial institution regulation and the International Standards Organisation provide a starting point.

US Financial Institutions Regulation

The Board of Governors of the Federal Reserve System (the Board) implements the Federal Reserve Act and other laws pertaining to banking and financial activities. The Board implements those laws, in part, through its regulations A through to YY, which are codified in Title 12, Chapter II, of the Code of Federal Regulations within the US Code (USC) [iv].

Sections 6801 and 6805 in Title 15 of the USC apply the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions, including bank holding companies. Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement, which requires financial institutions to implement administrative, technical, and physical safeguards to ensure the confidentiality, security and integrity of customer information [v].

Further guidance as to how to establish these safeguards is provided by CFR Regulation Y - Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC publishes examination handbooks that apply to the examination of a financial institution's operations and all related data, and that serve as a supplement to the agencies' GLBA 501(b) expectations.

Page 19 of the Federal Financial Institution Examination Council (FFIEC) Information Security Examination Handbook defines privileged access as [vi]:

“the ability to override system or application controls”

A key point to note in this definition is the distinction between systems and applications. This distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

International Standards Organisation

The FFIEC Information Security Examination Handbook definition is aligned to the international standard ISO 27002 Information technology - Security techniques - Code of practice for information security management (ISO 27002).

Specifically, page 61 of ISO 27002 defines privileged access rights as those [vii]:

“access rights which allow users to override system controls”

This definition differs from the FFIEC definition in that it refers to access rights, and these apply only to system controls rather than to both system and application controls. The ISO guidance suggests that the FFIEC definition’s “ability” is the ability conferred on a “user” by virtue of their “access rights”.

Additionally, page 62 of ISO 27002 defines system administration privileges as [viii]:

“any feature or facility of an information system that enables the user to override system or application controls”

The last part of this definition is identical to the FFIEC wording “override system or application controls”. This additional ISO guidance suggests that the FFIEC definition’s “ability” is also the ability conferred on a “user” by virtue of “any feature or facility of an information system”. As with the FFIEC definition, a key point to note is the distinction between systems and applications, which means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

Finally, further guidance is available at page 56 of ISO 27002, which defines privileged operations as [ix]:

“use of privileged accounts, e.g. supervisor, root, administrator; system start-up and stop; [and] I/O device attachment/detachment”

While not a definition of privileged access, it does provide useful interpretation guidance on what are commonly considered to be the operations of those with privileged access and, from this, what constitutes privileged access. In this case, these are operating system or database system administrator accounts such as “root”, “administrator” and “supervisor”; by extension, access equivalent to the access level of these accounts would be considered privileged access. The definition also covers the ability to execute system start-up and stop and I/O device attachment/detachment, system-level operations generally performed via service or system accounts.

Conclusion - A Working Definition of Privileged Access

From these sources we can develop a working definition of privileged access that is aligned to US regulatory requirements and international standards.

From the FFIEC definition, the working definition needs to cover both applications and systems. Expanding the FFIEC definition’s use of the term “ability” using the ISO guidance results in the following definition:

“Privileged access is the ability to override system or application controls, conferred to a user by virtue of their access rights or any feature or facility of an information system. This includes the ability to use system administration and service accounts.”

From this working definition, we can better understand what ability is considered privileged, and that a user with this ability would be considered to have privileged access. Policy making and controls based on this definition will ensure alignment with the US regulators and international standards, which should result in better risk and control assessments and in the implementation of the administrative, technical, and physical safeguards needed to ensure the confidentiality, security and integrity of customer information.
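The following is an added example (not part of the original post or of the FFIEC or ISO documents) that applies the working definition to an account inventory: it reports, for each account, the feature or access right that confers the ability to override system controls (uid 0, administrative group membership, sudo rules, and service accounts with a usable shell, matching the ISO “privileged operations” of root/administrator use and system start-up/stop). The passwd, group and sudoers lines and the group and command policy values are constructed assumptions.

```python
"""Classify accounts against the working definition of privileged access.
Sample inventory and policy values below are constructed for illustration."""
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
backupsvc:x:900:900:Backup service:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:bob
backupsvc:x:900:
"""
SUDOERS = """\
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(root) NOPASSWD: /usr/sbin/shutdown, /usr/sbin/reboot
bob     ALL=(root) /usr/bin/apt-get
"""

# Assumed policy: groups that confer override of system controls, commands that
# are ISO 27002 "privileged operations" (start-up/stop), service-account uid range.
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin", "docker"}
PRIVILEGED_OPERATION_CMDS = {"/usr/sbin/shutdown", "/usr/sbin/reboot",
                             "/sbin/shutdown", "/sbin/reboot"}
SYSTEM_UID_MAX = 999
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$")


def parse_passwd(text):
    """{name: (uid, gid, shell)} from passwd-format lines."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":")
            out[name] = (int(uid), int(gid), shell)
    return out


def parse_groups(text):
    """{group: (gid, set(members))} from group-format lines."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            out[name] = (int(gid), {m for m in members.split(",") if m})
    return out


def parse_sudoers(text):
    """[(who, [cmd, ...])]; 'who' is a user name or '%group'."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m:
            rules.append((m.group("who"),
                          [c.strip() for c in m.group("cmds").split(",")]))
    return rules


def classify(accounts, groups, rules):
    """{name: [reason, ...]}; an empty list means the account is not privileged."""
    report = {}
    for name, (uid, gid, shell) in accounts.items():
        why = []
        member_of = {g for g, (ggid, m) in groups.items()
                     if ggid == gid or name in m}
        if uid == 0:
            why.append("uid 0: can override every system control")
        for g in sorted(member_of & ADMIN_GROUPS):
            why.append(f"member of administrative group {g}")
        for who, cmds in rules:
            if who != name and not (who.startswith("%") and who[1:] in member_of):
                continue
            if "ALL" in cmds:
                why.append(f"sudo rule {who}: any command as root")
            elif any(c in PRIVILEGED_OPERATION_CMDS for c in cmds):
                why.append(f"sudo rule {who}: privileged operation {', '.join(cmds)}")
            else:
                why.append(f"sudo rule {who}: {', '.join(cmds)} as root")
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            why.append("service account with a usable login shell")
        report[name] = why
    return report


def privileged_accounts(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Sorted names of accounts meeting the working definition."""
    report = classify(parse_passwd(passwd), parse_groups(group),
                      parse_sudoers(sudoers))
    return sorted(n for n, why in report.items() if why)
```

On the constructed inventory only `nobody` falls outside the definition; `backupsvc` is caught as a service account, which the working definition explicitly includes.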


[i] Gaudin, S., Ex-UBS Systems Admin Sentenced To 97 Months In Jail, United States of America, 2006. Available at: (Accessed 6 March 2014).

[ii] Tarzy, B., Revoke legacy privileged accounts – or pay the consequences, United Kingdom, 2012. Available at: (Accessed 6 March 2014).

[iii] Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, 2009. Available at: (Accessed 6 March 2014).

[iv] Government Printing Office, Electronic Code of Federal Regulations, United States of America, 2012. Available at: (Accessed 6 March 2014).

[v] Government Printing Office, Gramm–Leach–Bliley Act, United States of America, 1999. Available at: (Accessed 6 March 2014).

[vi] Federal Financial Institution Examination Council, The FFIEC Information Security IT Examination Handbook, United States of America, 2006. Available at: (Accessed 6 March 2014).

[vii] International Organisation for Standardization (ISO), ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, Switzerland, 2005.

[viii] Ibid.

[ix] Ibid.

PS: This is also published in the IT Risk Practitioner

Monday, 24 March 2014

Would Recommend Code::Blocks IDE for C++ Development

I normally use a Linux host for my development work (Eclipse and Netbeans) but have today decided to look at Windows again. I was looking around for a no-nonsense IDE with version control, syntax highlighting, compiling and running of programs in the one intuitive interface. I finally found a good IDE that fits the bill: Code::Blocks (see home page at ). This IDE installs easily and without any issues from a single downloaded binary (albeit 100 MB in size; download the one at: ) and can build and run C++ application code straight out of the box. I was very impressed. I didn't have to set up Cygwin or MinGW; it set this up for me (i.e. MinGW was installed alongside the IDE and GCC).

It's looking good so far but we'll see how it goes when I start to exercise it a bit more.

Tuesday, 11 March 2014

Financial services systems change failures and how to control them

When it comes to systems change there are a number of notable failures in the financial services industry:

January 2009: It was reported that IT systems engineer Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb, embedded in scripts he had developed, which could have cost Fannie Mae “many millions of dollars” and was only discovered by chance by another engineer [i].

January 2010: It was reported that an HSBC mainframe upgrade, part of the move to the One HSBC platform, shut down cash machines and online banking for HSBC customers [ii]. This was in addition to a similar outage in June 2009 and a further telephone banking outage in February 2008 due to “coding” changes [iii].

September 2010: It was reported that J.P. Morgan’s online banking service was offline for 3 days due to third-party database software “corrupting the login process”, impacting 16 million customers [iv]. It was reported that J.P. Morgan appeared not to have a roll-back plan that would have allowed recovery while continuing business as normal [v].

June 2012: It was reported that the Royal Bank of Scotland was to pay £125 million in costs related to a glitch in the CA7 batch process scheduler during systems maintenance activity that resulted in 12 million customer accounts being frozen for almost a week [vi].

August 2012: It was reported that Knight Capital Group lost $440 million in 30 minutes and wiped 62% off its stock price due to a trading software algorithm glitch that generated erratic trades, buying high and selling low for nearly 150 stocks [vii]. The glitch resulted in 4 million additional trades in 550 million shares that would not otherwise have occurred [viii].

August 2013: It was reported that Goldman Sachs lost $100 million due to an automated trading systems glitch that caused a number of incorrect options trades, disrupting US exchange trading in shares with listing symbols starting with the letters H through L [ix]. The glitch caused automated trading systems to accidentally send indications of interest as real orders to be filled at the US exchanges. The cause was reported to be inadequate software testing [x].

September 2013: It was reported that Clydesdale Bank was fined £8.9 million by the Financial Conduct Authority for failing to inform customers of their rights after a software glitch caused the miscalculation of repayments on over 42,500 mortgages [xi].

Risk and associated controls

A good, actionable risk statement that captures these events is:

“Customer data leakage, corruption or system unavailability caused by defective or malicious system changes, resulting in financial losses of UK £100 million, customer churn of 6.4 percent [xii] and regulatory sanction by the Financial Conduct Authority and Information Commissioner’s Office.”

This risk statement is a lower level risk that contributes to an organisational level risk such as:

“Loss of market share caused by eroded customer confidence in the organisation’s information security, resulting in net revenue reduction of the order of hundreds of millions and bank share value reduced by loss of market confidence in operational management.”

From the lower level risk statement we can then identify the risk causes that need to be controlled. In this case we need to control defective or malicious systems changes that might result in customer data leakage, corruption or systems unavailability.

To take these in turn, we’d need to implement a change quality testing process to ensure that system changes are adequately tested which may include activities such as code quality reviews, unit, functional, systems, integration and regression testing. An additional step for business supporting systems would be user acceptance testing by the business that also includes tests for boundary conditions and invalid data inputs to the system data input interfaces.

We’d then need to implement a change control strategy that uses technical and administrative controls to restrict the ability to make changes to production or critical systems unless these changes are approved. The approval should not be a simple tick in the box but should require appropriately senior stakeholder approval of changes with high risk changes signed off at senior executive levels within the IT and business areas. Part of this sign-off should be that they have assured themselves that the change has been adequately tested and is fit for purpose.

There is a further control required to make these two controls work. This control is to ensure there is a technically enforced separation of duties so that those making changes cannot implement these changes in the target environment.

In order to ensure these controls are adequately and effectively implemented there needs to be clearly articulated and enforceable policies, standards, procedures and guidelines in place. The policies and standards need to be clear and unambiguous, have an owner and describe the enforcement actions that will be taken if the policy or standard is not complied with. These enforcement actions must then be applied for all cases of non-compliance. Where a non-compliance is expected this needs to be pre-approved with the policy owner and clearly highlighted to the system senior stakeholders and approved at the appropriate senior executive level within the technology and business areas involved in the change.
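A policy-as-code version of the three controls described above (test evidence, approval at a seniority matched to the change's risk in both the IT and business areas, and technically enforced separation of duties), added here as an illustration and not taken from the post; the risk tiers, seniority ladder, test-stage names and the two change records are assumed.

```python
"""Change release gate: a change is released only when no control is violated.
Risk tiers, seniority levels and test stages are illustrative assumptions."""
from dataclasses import dataclass, field

# Assumed seniority ladder; higher number = more senior.
SENIORITY = {"manager": 1, "head": 2, "executive": 3}
# Minimum approval seniority per risk level and area (None = not required).
APPROVAL_POLICY = {
    "low": {"it": "manager", "business": None},
    "medium": {"it": "head", "business": "head"},
    "high": {"it": "executive", "business": "executive"},
}
REQUIRED_TESTS = ("code_review", "unit", "functional", "system",
                  "integration", "regression")


@dataclass
class Approval:
    approver: str
    area: str    # "it" or "business"
    level: str   # key of SENIORITY


@dataclass
class Change:
    change_id: str
    risk: str                  # "low", "medium" or "high"
    author: str
    deployer: str              # who implements it in the target environment
    business_system: bool      # user acceptance testing required if True
    tests_passed: set = field(default_factory=set)
    uat_passed: bool = False
    approvals: list = field(default_factory=list)


def evaluate(change):
    """Return the list of control violations; empty means the change may be
    implemented in the target environment."""
    violations = []
    # Change quality testing: every required stage has evidence of passing.
    missing = [t for t in REQUIRED_TESTS if t not in change.tests_passed]
    if missing:
        violations.append(f"untested stages: {', '.join(missing)}")
    if change.business_system and not change.uat_passed:
        violations.append("business system without user acceptance testing")
    # Separation of duties: the author may neither deploy nor approve the change.
    if change.deployer == change.author:
        violations.append("author is also the deployer")
    for a in change.approvals:
        if a.approver == change.author:
            violations.append(f"author self-approved as {a.area}")
    # Approval at (or above) the seniority the risk level demands, per area.
    for area, required in APPROVAL_POLICY[change.risk].items():
        if required is None:
            continue
        covered = any(a.area == area and a.approver != change.author
                      and SENIORITY[a.level] >= SENIORITY[required]
                      for a in change.approvals)
        if not covered:
            violations.append(f"no {area} approval at {required} level or above")
    return violations


def build_sample_changes():
    """Two constructed change records: one compliant, one deficient."""
    compliant = Change("CHG-1001", "high", "dev_ann", "ops_raj", True,
                       set(REQUIRED_TESTS), True,
                       [Approval("cio", "it", "executive"),
                        Approval("coo", "business", "executive")])
    deficient = Change("CHG-1002", "high", "dev_ann", "dev_ann", True,
                       {"code_review", "unit"}, False,
                       [Approval("dev_ann", "it", "manager"),
                        Approval("biz_lead", "business", "head")])
    return compliant, deficient


if __name__ == "__main__":
    for change in build_sample_changes():
        problems = evaluate(change)
        print(change.change_id, "BLOCKED" if problems else "RELEASE", problems)
```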


[i] Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, January 2009. Available at: (Accessed 6 March 2014).
[ii] HSBC mainframe outage causes major HSBC network crash, United States, January 2010. Available at: (Accessed 11 March 2014).
[iii] Ibid.
[v] Ibid.
[vi] Flinders, K., RBS computer problem costs £125m, United States, August 2012. Available at:
[vii] Philips, M., Knight Shows How to Lose $440 Million in 30 Minutes, United States, August 2012. Available at:
[viii] Ibid.
[ix] Holley, E., Goldman Sachs trading error is “a warning to all”, United States, August 2013. Available at:
[x] Ibid.
[xi] Nguyen, A., Clydesdale Bank fined £8.9m over mortgage system problem, United Kingdom, September 2013. Available at: (Accessed 11 March 2014).
[xii] The figure of 6.4% customer churn comes from: Ponemon Institute, 2011 Cost of Data Breach Study: United Kingdom, United Kingdom, March 2012.

Saturday, 8 March 2014

Economics Reading List - Part 1

Have read these in the past to varying extents but am reading through again to refresh my memory. Some very interesting reads.

Title: Wealth of Nations (Wordsworth Classics of World Literature)
Author: Adam Smith
Pages: 1008 pages
Publisher: Wordsworth Editions Ltd.; Classic World Literature edition (5 July 2012)
Language: English
ISBN-10: 1840226889
ISBN-13: 978-1840226881
Notes: This is the full five books (most versions of this are either abridged or only contain the first 3 books)

Title: The General Theory of Employment, Interest and Money by John Maynard Keynes AND Essays In Persuasion
Author: John Maynard Keynes
Pages: 542 pages
Publisher: CreateSpace Independent Publishing Platform (11 Aug 2009)
Language: English
ISBN-10: 144867302X
ISBN-13: 978-1448673025
Notes: This has the primary text and John Maynard Keynes' Essays in Persuasion in the one book

Title: The Affluent Society: Updated with a New Introduction by the Author
Author: John Kenneth Galbraith
Pages: 288 pages
Publisher: Penguin; 5th Revised edition edition (5 Aug 1999)
Language: English
ISBN-10: 0140285199
ISBN-13: 978-0140285192
Notes: Galbraith has an amusing way of putting things in this book.

Title: Money : whence it came, where it went
Author: John Kenneth Galbraith
Pages: 335 pages
Publisher: Bantam (1976)
Language: English
ISBN-10: 0553026887
ISBN-13: 978-0553026887
Notes: Very interesting to understand the history of money.

Friday, 7 March 2014

What is IT Resilience?

There are three key pieces of industry guidance that go some way to assisting the understanding of resilience: Cobit 5, ITIL v3 and the US FFIEC IT Examination Handbook.

Cobit 5

Cobit 5, as part of managing critical IT assets (Cobit 5 - BAI09.02) and maintaining a continuity strategy (Cobit 5 - DSS04.02), states [i]:
  • Maintain the resilience of critical assets by applying regular preventive maintenance, monitoring performance, and, if required, providing alternative and/or additional assets to minimise the likelihood of failure; and
  • Assess the likelihood of threats that could cause loss of business continuity and identify measures that will reduce the likelihood and impact through improved prevention and increased resilience.


The IT Infrastructure Library v3 (ITIL v3) defines resilience as “the ability of a Configuration Item or IT Service to resist Failure or to Recover quickly following a Failure. For example an armoured cable will resist failure when put under stress.” [ii]

ITIL provides further guidance in Service Operation, highlighting that “resilience is designed and built into the system, for example multiple redundant disks or multiple processors. This protects the system against hardware failure since it is able to continue operating using the duplicated hardware component.” [iii]

ITIL v3 also provides guidance with respect to software resilience, recommending that “software, data and operating system resilience is also designed into the system, for example mirrored databases (where a database is duplicated on a backup device) and disk-striping technology (where individual bits of data are distributed across a disk array – so that a disk failure results in the loss of only a part of data, which can be easily recovered using algorithms)… setting up and using virtualization systems to allow movement of processing around the infrastructure to give better performance/resilience in a dynamic fashion.” [iv]

ITIL v3 defines fault tolerance as “the ability of an IT service or other configuration item to continue to operate correctly after failure of a component part.” [v]

ITIL v3 defines a countermeasure as referring to “any type of control. The term is most often used when referring to measures that increase resilience, fault tolerance or reliability of an IT service.” [vi]

ITIL v3 defines redundancy as “the use of one or more additional configuration items to provide fault tolerance. The term also has a generic meaning of obsolescence, or no longer needed.” [vii]

ITIL v3 defines high availability as “an approach or design that minimizes or hides the effects of configuration item failure from the users of an IT service. High availability solutions are designed to achieve an agreed level of availability and make use of techniques such as fault tolerance, resilience and fast recovery to reduce the number and impact of incidents.” [viii]


The FFIEC IT Examination Handbook defines resiliency as “the ability of an organization to recover from a significant disruption and resume critical operations” and resiliency testing as “testing of an institution’s business continuity and disaster recovery resumption plans.” [ix]

So what is IT Resilience?

From the preceding literature review of industry guidance, resilience comprises the following:
  • Failure risk assessment and preventative countermeasures
  • Rapid incident detection and response
  • Recovery and countermeasure improvement

In practice, IT failure risk assessments would be performed at an end-to-end service level covering both applications and infrastructure (i.e. a business service is delivered through applications hosted on infrastructure). These risk assessments would then be used to design and implement preventative countermeasures.

Countermeasures you’d expect to see would be redundancy, clustering, load balancing, fault tolerance or automatic failover switching features in the architecture with no single points of failure.

When an incident occurs that affects either the assessed risks or the actual resilience features in the architecture, you’d expect it to be detected early, and you’d expect a well-rehearsed, tested and informed incident management process to respond to the incident and restore the resilience features.

Finally, you’d expect to see appropriate recovery options available to be able to support rapid recovery such as up to date backups, fully tested disaster recovery sites and associated IT business continuity plans that have been well tested.


[i] ISACA, Cobit 5 - Enabling Processes, United States, 2012. Available at: (Accessed 6 March 2014).
[ii] AXELOS Limited, ITIL glossary and abbreviations, United Kingdom, 2011. Available at: (Accessed 6 March 2014).
[iii] Ibid.
[iv] Ibid.
[v] Ibid.
[vi] Ibid.
[vii] Ibid.
[viii] Ibid.
[ix] Federal Financial Institution Examination Council, The FFIEC IT Examination Handbook - Glossary, United States of America, 2006. Available at: (Accessed 6 March 2014).

PS: This is also published in the IT Risk Practitioner

Thursday, 6 March 2014

Survival, Family and Society


Those biological organisms in existence today are those whose parent/s survived long enough to reproduce. Generally, the mix of physical and mental characteristics that made the parent/s apt to survive will be transferred to the offspring through gene transfer and/or knowledge transfer. This in turn will make the offspring apt for survival and thereby reproduction, and so on.

All biological organisms expend energy in living and thus require that energy to be replaced in order to continue to live. Energy is matter and vice versa: the greater the mass of matter, the greater the inherent energy. The Sun (a large mass of matter) and the Earth (a small mass of matter) both release energy in many forms, including radiation (e.g. heat and light) and the wrapping up of energy in the internal subatomic and atomic attractive bonds of new atoms or molecules (e.g. carbon, a primary element in all living things, created from hydrogen through atomic fusion by stars). Through varied chemical reactions these atoms and molecules form more complex molecules, resulting in a myriad of different organisms (e.g. plants and animals) and compounds (e.g. sugar, minerals and proteins) from which we derive our energy for life. Hence we can say that matter is critical to a physical organism's survival and indeed to the very existence of the organism itself.

In our universe matter exists within space and time. That is, matter (a human body or a plant) exists if it is at a location, at a point in time. How certain bits of matter are characterised will depend on the frame of reference from which the characterisation is applied. To illustrate, a human might say “That cow (a bit of matter) over there (its location and at the moment), is food (the characterisation)”. The cow might conversely characterise the human as something other than food from its frame of reference. So, matter (e.g. plants, animals, salt, water etc.) exists within space (an environment or location) at a particular time (now or in the future). This establishes the importance of things such as food and land upon which to live and/or grow food.

So, to relate these principles to the practicalities relevant to us as humans, we will consider the human organism and that matter generally characterised as resources for living (e.g. food and land).

From this we can say that a human deprived of resources for living will die. By the fact that humans exist today and through other observable behaviours, we can say that humans alive today will generally act in a way that enhances their survival and will generally act in a way that avoids death; if not through purpose, through genetically predisposed behaviours. We can say that the behaviours exhibited by humans today tend to enhance those humans' survival (otherwise they'd all be dead or dying out).

A human survived in the immediate term by hunting or gathering food to eat now or in the near term.  Some environments only supported human life for a certain period of time and at other times did not produce enough food to support human life. A human survived in such environments by over-hunting and over-gathering food and storing it for such periods of infertility.

Now, while this might work for one human in an environment, it is complicated by the fact that other humans may exist within that environment who will seek to enhance their survival by taking from other humans. This may take the form of stealing others' food or taking such a quantity of food from the natural environment that none is left for other humans in that environment. So those humans who are, by virtue of their genes, stronger can simply take food collected by weaker humans by force. A similar story can be told for land (upon which food is grown and shelter raised) and objects obtained or created that enhance survival potential (e.g. axes, water storage vessels). However, these physically strong humans that take what they want for survival will be looking over their shoulder for either aggrieved “weaker” humans they stole from, or even stronger humans that would seek to enhance their own survival by taking these recently acquired resources.

Family and Society

This state of nature, that of being completely self-interested, is not conducive to immediate genetic survival, in that offspring whose food is taken by their mothers or fathers will die and hence not mature and reproduce. So, over time, those humans that live today have at least developed (or at least their parents possessed) a base level of behaviour that was not completely self-interested; rather, they tended to exhibit disinterested behaviour. This disinterest, as opposed to self-interest, allowed family groups to exist at least until the offspring were mature enough to survive themselves. It's not that this behaviour evolved, but rather that the offspring of those humans that did not exhibit this behaviour died before being able to reproduce. Therefore what we're left with are humans who exhibit a degree of disinterest (not in the sense of not caring, but rather in the sense of supporting the interests of others).

A side effect of this is that the capacity for humans to care for others was extended not only to offspring but to immediate family. This led to supporting those who fell ill and supporting elderly parents, which had the benefit of greater collective intellect to apply to problem solving and greater capacity to nurture children to maturity. In terms of fending off those that would take survival resources from the group, the group could leverage its numbers against an individual's strength in order to retain its resources and assure its survival. The family group provided strength, knowledge and care in times of injury to its members. These benefits logically extended to tribes, then to more advanced social groupings, where you'd be more likely to survive and thus reproduce in such a society than as a lone ranger competing for resources with these groupings.

For a social grouping to exist, the members of that social group must have the capacity to act not from self-interest but through disinterest (in the interests of others). That is, members of social groups must consider others' interests in the context of their acts. To not do so could be considered antisocial. This is not a value judgement, but in most societies this would be considered a negative feature of an individual, in that that individual would not support the society but would take from it (as in the first natural state of human development).

The position that social groupings are a natural phenomenon and that disinterest is the reason social groupings exist would indicate that when one acts as a member of a social group one must consider what effect one's actions have upon whichever social groupings one may be part of. This includes family, friends, community and society.
For example, while a person is “free” to take heroin to feel good, that person could also be a father and breadwinner, a cared-for brother, a person who once addicted could commit crimes in order to maintain their habit and would thus affect other members of society. The same is equally true for seemingly minor self-interested behaviours such as promiscuous sex, where disease may be contracted resulting in increased energy investments from friends, family and society (e.g. health institutions) to care for those falling sick (either directly or indirectly with others copying behaviours and falling sick). One argument levelled against this is: why should other social group members care? Why not let the person engaging in these behaviours reap what they sow? A simple counter is that it is only natural (as detailed above) that other members of a social group will at the outset discourage risky behaviour and, in the case of the consequences having already been reached, deal with it to support the other member of the society in need.

There are different levels of freedom. One level is that one can be free to club someone on the head to take their food. Another level is that one can enjoy the freedom from the threat of someone clubbing them on the head to take their food in the first place. We base our legal systems on this second level of freedom. Societies find it fit to make laws against theft, thus removing one freedom but in its place providing a greater freedom. So basically, in a social grouping people will be free to do what they like, when they like, and be as carefree as they may wish insofar as they consider what effect their actions will have on the social groupings they are a member of. This can be summarised in a well-known statement, the categorical imperative from the philosopher Immanuel Kant, that can be used as a good guide for doing the right thing:

“Act only on that maxim through which you can at the same time will that it should become a universal law”

Hello World!


Governance, Risk, Economics and Philosophy

A blog dedicated to exploring the subjects of organisation and IT governance, risks and controls, economics and philosophy.

About the author: Benjamin Power, CISA, CPA has worked in the IS audit, control and security field internationally for more than 10 years in the financial services, energy, retail and service industries and government. Benjamin is an experienced risk and audit professional who has a practical background in IT development and management along with corporate governance and accounting. Benjamin interests also lie in his family and the fields of philosophy and economics.