Saturday, May 10, 2014

KYC(Know-Your-Customer) and CDD(Customer Due Diligence)

Know your customer (KYC) is the process used by businesses to verify the identity of their clients. The term is also used to refer to the bank regulation which governs these activities. Know Your Customer processes are also employed by companies of all sizes for the purpose of ensuring their proposed agents', consultants' or distributors' anti-bribery compliance. Banks, insurers and export credit agencies are increasingly demanding that customers provide detailed anti-corruption due diligence information, to verify their probity and integrity. (Wikipedia)


Customer Risk Grading




Relevant Thai laws
- Anti-Money Laundering Act, B.E. 2542 (1999)
- Counter-Terrorism Financing Act, B.E. 2556 (2013)
- Ministerial Regulation prescribing the transactions for which financial institutions and professions under Section 16 must require customers to identify themselves, B.E. 2554 (2011)
- Ministerial Regulation on Customer Due Diligence, B.E. 2556 (2013)
- Ministerial Regulation prescribing the amount of cash transactions that professions under Section 16 must report to the Anti-Money Laundering Office, B.E. 2554 (2011)
- Ministerial Regulation designating persons who commit acts of terrorism under resolutions of, or notifications under, the United Nations Security Council as designated persons, B.E. 2556 (2013)
- Notification of the Office of the Prime Minister on the method of customer identification for financial institutions and professions under Section 16
- Notification of the Anti-Money Laundering Office on guidelines for the customer acceptance policy and the money-laundering risk management policy for customers of financial institutions and professions under the relevant Section, B.E. 2556 (2013) (9 notifications)
- CDD Guideline (Reference: Anti-Money Laundering Office (AMLO), http://www.amlo.go.th)

Friday, December 16, 2011

Understanding Security in Cloud Storage

The Cloud
Cloud is the new black. With so much buzz around cloud, it is hard to distinguish the parts that are meaningful and relevant to business customers. Cloud has become synonymous with anything that runs on the Web. Generally speaking, for an offering to be considered cloud it must be available over the Internet and capable of supporting large numbers of users simultaneously without significant changes to its architecture.
The cloud promises radical simplifications and cost savings in IT. Leveraging their technical expertise and economies of scale, several technology powerhouses, including Amazon, Rackspace, Google and Microsoft, have deployed a wide array of cloud offerings.
When it comes to security, it is useful to differentiate among the different cloud systems: Software as a Service, cloud compute and cloud storage. Each system poses its own set of benefits and security issues.
Software as a Service (SaaS), represented by applications like Salesforce.com, Google Docs, QuickBooks Online and others, involves full software applications that run as a service in the cloud. Tens of thousands of companies share the common infrastructure of Salesforce.com. These companies maintain control of sensitive customer information through a combination of secure credentials and secure connections to Salesforce.com. Companies that use Salesforce tolerate the risk of their data not being encrypted at Salesforce.com. Because SaaS runs in the cloud, the data from customers must be visible to the applications in the cloud (either not encrypted, or decrypted by the SaaS code). The main benefit of SaaS is to reduce the complexity of having to configure and maintain software in-house. The success of Salesforce.com and others demonstrates that many companies have traded security concerns for the sheer utility and cost savings of not having to run their software in-house.
Cloud compute allows customers to run their own applications in the cloud. Amazon's Elastic Compute Cloud, or EC2, represents this type of system. Customers upload their applications and data to the cloud, where the vast compute resources of EC2 can be applied to the data. Virtualization provides a practical vehicle to transfer compute environments and share physical compute resources in the cloud. This approach has been used successfully by financial institutions and the life sciences to solve heavy compute models. It is expensive to run data centers full of servers to run complex mathematical models, so the idea of sharing a compute infrastructure with other customers makes good economic sense. In a compute cloud the data can be anonymized; however, it cannot currently be encrypted. That is, it is possible to obfuscate the data in such a way that it is difficult for anyone to see what the data means; however, in order to have a computer in the cloud operate on a data set, with today's technology the data set must be visible to that computer (i.e., not encrypted).
Cloud storage allows customers to move the bulk of data to the cloud.
Microsoft's Windows Azure storage services and Amazon's Simple Storage Service (S3) are good examples.

Security Concerns in the Cloud
Armed with the knowledge about the different types of cloud offerings (SaaS, compute and storage), we can now examine the major concerns that are keeping businesses from putting sensitive information in the cloud.
Data Leakage
Many businesses that would benefit significantly from using the cloud are holding back because of data leakage fears. The cloud is a multi-tenant environment, where resources are shared. It is also an outside party, with the potential to access a customer's data. Sharing hardware and placing data in the hands of a vendor seem, intuitively, to be risky. Whether accidental, or due to a malicious hacker attack, data leakage would be a major security violation.
While data leakage remains an unsolved issue in SaaS and cloud compute, encryption offers a sensible strategy to ensure data opacity in cloud storage. Data should be encrypted from the start so that the possibility of the cloud storage provider being somehow compromised poses no additional risk to the encrypted data.
With cloud storage, all data and metadata should be encrypted at the edge before it leaves your data center. The user of the storage system must be in control of not only the data, but also the keys used to secure that data. From a security perspective, this approach is essentially equivalent to keeping your data secured at your premises. It is never acceptable to encrypt data at an intermediary site before transmission to the cloud, as this allows the intermediary site to read the data. Furthermore, any encryption scheme must not rely on secrecy (other than that of the actual key), obscurity, or trust.
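As an added example (not code from the original post), the edge-encryption approach described above in Go: the customer generates and holds the AES-GCM key, encrypts both the object body and its metadata before anything is uploaded, and binds the ciphertext to the object ID so the provider stores only an opaque blob it can neither read nor silently swap. The Object and EdgeVault types are assumptions of this example, not any provider's API; the "cloud" side is simply whatever stores the returned bytes under the ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"io"
)

// Object is what the customer keeps in cloud storage: the body plus the
// metadata (name, tags), which also reveals information and must be protected.
type Object struct {
	Name string            `json:"name"`
	Tags map[string]string `json:"tags"`
	Body []byte            `json:"body"`
}

// EdgeVault holds the data-encryption key. The key is generated and kept on
// the customer's side; the storage provider never receives it.
type EdgeVault struct{ aead cipher.AEAD }

func NewEdgeVault(key []byte) (*EdgeVault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EdgeVault{aead: aead}, nil
}

// Seal serialises name, tags and body together and encrypts the whole blob with
// AES-GCM, so the provider sees neither content nor metadata. The opaque object
// ID is bound as associated data, so a blob moved to another ID fails to open.
func (v *EdgeVault) Seal(objectID string, obj Object) ([]byte, error) {
	plain, err := json.Marshal(obj)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plain, []byte(objectID)), nil // nonce || ct || tag
}

// Open reverses Seal; it fails if the blob was altered or stored under another ID.
func (v *EdgeVault) Open(objectID string, blob []byte) (Object, error) {
	var obj Object
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return obj, errors.New("blob too short")
	}
	plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(objectID))
	if err != nil {
		return obj, err
	}
	return obj, json.Unmarshal(plain, &obj)
}
```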
Customer Identification
Cloud credentials identify customers to the cloud providers. This identification is a key line of defense for SaaS.

Saturday, November 5, 2011

Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives

The promise of cloud computing is arguably revolutionizing the IT services world by transforming computing into a ubiquitous utility, leveraging attributes such as increased agility, elasticity, storage capacity and redundancy to manage information assets.
- ENHANCE IT RESOURCES WHILE CONTROLLING COST
  - Cloud computing has the likely ability to offer enterprises long-term IT savings, including reducing infrastructure costs and offering pay-for-service models. By moving IT services to the cloud, enterprises can take advantage of using services in an on-demand model.
  - Less upfront capital expenditure is required, which allows businesses increased flexibility with new IT services.
- Risks and security concerns
  - Added risk with increased dependency on a third-party provider to supply flexible, available, resilient and efficient IT services
  - Changes are required to expand governance approaches and structures to appropriately handle the new IT solutions and enhance business processes.

The cloud model is composed of three service models. For each, the table gives the definition and the points to be considered.

Infrastructure as a Service (IaaS)
Definition: Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.
To be considered:
- Options to minimize the impact if the cloud provider has a service interruption

Platform as a Service (PaaS)
Definition: Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
To be considered:
- Availability
- Confidentiality
- Privacy and legal liability in the event of a security breach (as databases housing sensitive information will now be hosted offsite)

Software as a Service (SaaS)
Definition: Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).
To be considered:
- Who owns the applications?
- Where do the applications reside?

Deployment models, with a description of the cloud infrastructure and the points to be considered for each.

Private cloud
Description of cloud infrastructure:
- Operated solely for an organization
- May be managed by the organization or a third party
- May exist on-premise or off-premise
To be considered:
- Cloud services with minimum risk
- May not provide the scalability and agility of public cloud services

Community cloud
Description of cloud infrastructure:
- Shared by several organizations
- Supports a specific community that has a shared mission or interest
- May be managed by the organizations or a third party
- May reside on-premise or off-premise
To be considered:
- Same as private cloud, plus:
- Data may be stored with the data of competitors

Public cloud
Description of cloud infrastructure:
- Made available to the general public or a large industry group
- Owned by an organization selling cloud services
To be considered:
- Same as community cloud, plus:
- Data may be stored in unknown locations and may not be easily retrievable

Hybrid cloud
Description of cloud infrastructure:
- A composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)
To be considered:
- Aggregate risk of merging different models
- Classification and labelling of data will help the security manager ensure that data are assigned to the correct cloud type.

  
Cloud Computing Essential Characteristics

On-demand self-service: The cloud provider should have the ability to automatically provision computing capabilities, such as server time and network storage, as needed without requiring human interaction with each service's provider.

Broad network access: According to NIST, the cloud network should be accessible anywhere, by almost any device (e.g., smart phone, laptop, mobile devices, PDA).

Resource pooling: The provider's computing resources are pooled to serve multiple customers using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence. The customer generally has no control or knowledge over the exact location of the provided resources. However, he/she may be able to specify location at a higher level of abstraction (e.g., country, region, or data center). Examples of resources include storage, processing, memory, network bandwidth and virtual machines.

Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in many cases automatically, to scale out quickly, and rapidly released to scale in quickly. To the customer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability (e.g., storage, processing, bandwidth and active user accounts).

Sunday, September 18, 2011

Have been coding .NET for 2 years but never knew its exact definition

What is .NET?

.NET is an integral part of many applications running on Windows and provides common functionality for those applications to run. This download is for people who need .NET to run an application on their computer. For developers, the .NET Framework provides a comprehensive and consistent programming model for building applications that have visually stunning user experiences and seamless and secure communication.



The .NET Framework is an integral Windows component that supports building and running the next generation of applications and XML Web services. The .NET Framework is designed to fulfill the following objectives:
  • To provide a consistent object-oriented programming environment whether object code is stored and executed locally, executed locally but Internet-distributed, or executed remotely.
  • To provide a code-execution environment that minimizes software deployment and versioning conflicts.
  • To provide a code-execution environment that promotes safe execution of code, including code created by an unknown or semi-trusted third party.
  • To provide a code-execution environment that eliminates the performance problems of scripted or interpreted environments.
  • To make the developer experience consistent across widely varying types of applications, such as Windows-based applications and Web-based applications.
  • To build all communication on industry standards to ensure that code based on the .NET Framework can integrate with any other code.

The .NET Framework has two main components: the common language runtime and the .NET Framework class library. The common language runtime is the foundation of the .NET Framework. You can think of the runtime as an agent that manages code at execution time, providing core services such as memory management, thread management, and remoting, while also enforcing strict type safety and other forms of code accuracy that promote security and robustness. In fact, the concept of code management is a fundamental principle of the runtime. Code that targets the runtime is known as managed code, while code that does not target the runtime is known as unmanaged code. The class library, the other main component of the .NET Framework, is a comprehensive, object-oriented collection of reusable types that you can use to develop applications ranging from traditional command-line or graphical user interface (GUI) applications to applications based on the latest innovations provided by ASP.NET, such as Web Forms and XML Web services.

The .NET Framework can be hosted by unmanaged components that load the common language runtime into their processes and initiate the execution of managed code, thereby creating a software environment that can exploit both managed and unmanaged features. The .NET Framework not only provides several runtime hosts, but also supports the development of third-party runtime hosts.
For example, ASP.NET hosts the runtime to provide a scalable, server-side environment for managed code. ASP.NET works directly with the runtime to enable ASP.NET applications and XML Web services, both of which are discussed later in this topic.

Internet Explorer is an example of an unmanaged application that hosts the runtime (in the form of a MIME type extension). Using Internet Explorer to host the runtime enables you to embed managed components or Windows Forms controls in HTML documents. Hosting the runtime in this way makes managed mobile code (similar to Microsoft® ActiveX® controls) possible, but with significant improvements that only managed code can offer, such as semi-trusted execution and isolated file storage.

The following illustration shows the relationship of the common language runtime and the class library to your applications and to the overall system. The illustration also shows how managed code operates within a larger architecture.

Friday, September 16, 2011

Google email for enterprise

Another example of the cloud trend: enterprise systems are moving to the cloud.

Google Gmail is now a viable alternative to Microsoft in the enterprise email market.
After being in the market for five years, Google's enterprise Gmail is building momentum with commercial organizations with more than 5,000 seats, and it now presents a viable alternative to Microsoft Exchange Online and other cloud email services, according to Gartner, Inc.
"The road to its enterprise enlightenment has been long and bumpy, but Gmail should now be considered a mainstream cloud email supplier," said Matthew Cain, research vice president at Gartner. "While Gmail's enterprise email market share currently hovers around 1 percent, it has close to half of the market for enterprise cloud email. While cloud email is still in its infancy, at 3 percent to 4 percent of the overall enterprise email market, we expect it to be a growth industry, reaching 20 percent of the market by year-end 2016, and 55 percent by year-end 2020."
Mr. Cain said that, other than Microsoft Exchange, Google Gmail is the only email system that has prospered in the enterprise space over the past several years. Other enterprise email providers - Novell GroupWise and IBM Lotus Notes/Domino - have lost market momentum, Cisco closed its cloud email effort and VMware's Zimbra is only now refocusing on the enterprise space.
Google's journey to enterprise enlightenment, however, is not complete. Google focuses on capabilities that will have the broadest market uptake. Large organizations with complex email requirements, such as financial institutions, report that Google is resistant to feature requests that would be applicable to only a small segment of its customers. Banks, for example, may require surveillance capabilities that Google is unlikely to build into Gmail given the limited appeal.
While Google is good at taking direction and input on front-end features, it is more resistant to back-end feature requests that are important to larger enterprises. Large system integrators and enterprises report that Google's lack of transparency in areas such as continuity, security and compliance can thwart deeper relationships.
A less risky approach to cloud email is via a hybrid deployment, where some mailboxes live in the cloud and some are located on premises. This hybrid model plays to Microsoft's strengths given its vast dominance of the on-premises email market.

Tuesday, August 23, 2011

How to audit insurance companies

There are three perspectives in insurance auditing: financial, operational and compliance.
First, from the financial perspective, you have to understand how the policies are sold, premiums collected, records kept, and money transferred to the company from the agency (cheque or sweep), how the commissions are returned to the agency (cheque or deposit), and how closely those premiums and commissions are tracked to each policy and transaction within the policy period (new business, endorsements and renewals) in the agency management system and the accounting system. Are producers paid by commission, salary or a mixture? How are these tracked? If a producer collects premium from a client off site, what time frame do they have to turn the money over to the agency, and how is that verified and tracked? This is just a small sample of what is necessary for an insurance agency financial review.
If you are doing an operational audit, you will need to determine how needs assessments are done for each client. Are personal P&C, Life, Annuity and Commercial Lines all handled by the same staff? Are those staff properly licensed for each line? Are they adequately trained to handle the nuances of each endorsement and the input of all information into the agency management system? Are their accounts audited by supervisors or others for accuracy and proper placement of business with the correct coverages and carrier to meet the consumer's needs?
Compliance reviews cover many of the same topics as financial and operational audits. Most states require agencies to maintain a trust account with absolute separation from operating funds, allowing only the ability to "seed" monies into the account that may be used for premium loans for commercial business; these must be closely tracked and properly accounted for on a client-by-client basis within the trust account. Additionally, as previously noted, all employees who discuss coverages with consumers typically MUST be licensed in each state in which they may discuss coverage with consumers. So if you have branches on a border and consumers who may live across state lines, your employees must be licensed in the other state to sell insurance for that state, even though the consumer is coming to the bank in the employee's primary state. Additionally, the agency likely has underwriting authority with each company, and to maintain that authority it has to maintain a proper balance of claims.

How can the IT department manage and secure employee mobile devices?

IT departments in consumerized environments are faced with a series of challenges, mainly around acquiring visibility and some level of control over the plethora of user-liable devices.
- Management of user-liable devices
Management in this case has a dual purpose. First, it is about making the experience for the user a smooth and easy one, in order to maximize his motivation and productivity. Second, it is about getting some level of control over user-liable devices to minimize the exposure to security risk. A well-managed device is, in most cases, a safer device.
- Exposure of sensitive corporate data stored on devices
There are several ways for sensitive corporate data to be exposed to unauthorized third parties. Millions of cell phones and laptops are lost or stolen every year. Sensitive data stored on a lost device must be considered compromised, and depending on the nature of that data, a data breach must be reported to the authorities, resulting in costs of up to $50,000 per exposed device and a loss of reputation.
- Leakage of sensitive corporate data through consumer applications
As employees use the same device for personal and work-related tasks, sensitive data can easily be transferred off the device, with or without malicious intent on the part of the user. It can be sent via webmail, instant messaging or other non-corporate communication channels.