In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies represnting 15 various industry sectors–significant contributors were financial, retail, services and healthcare companies.

Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.

What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?

Some factors they considered in computing the cost of the breach included:

• Direct costs - communications costs, investigations and forensics costs and legal costs
• Indirect costs - lost business, public relations, and new customer acquisition costs

The report also lists a number of causes for the data breaches, such as:

• 82% of all breaches involved organizations that had experienced more than one data breach
• 42% of all breaches studied involved errors made by a third party
• 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
• 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).

You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

Thoughts and comments welcomed…r/Chuck

I’m paraphrasing a bit, but he basically indicated that the state, local, and private sector organizations in his state told him that they “DO NOT want to have to log into multiple portals” to stay informed about criminal and terrorism threats to their state’s  infrastructure.” 

When you take a closer look at the “Portal-mania” that exists, it seems that every agency and multiple programs within a single agency has to have their own portal for accessing the information and analytic tools that agency or program provides; here’s a quick list of ones I am familar with, (feel free to email me the names of others you know about):

1. DHS HSIN State and Local Community of Interest (SLIC)
2. DHS Lessons Learned Information Sharing (LLIS)
3. DHS Automated Critical Asset Management System (ACAMS)
4. DOJ Regional Data Exchange (R-DEx)
5. DOJ National Data Exchange (N-DEx)
6. DOJ eGuardian
7. DOJ Law Enforcement Online (LEO)
8. DOJ InfraGard
9. DOJ National Sex Offender Public Website (NSOPW)
10. DOJ National Criminal Intelligence Resource Center (NCIRC)
11. DOJ Regional information Sharing System (RISS)
12. Private Sector CyberCop
13. [State] Criminal Justice Information System (CJIS)
14. …add to this Department of the Treasury, Department of Transportation, and other federal agency portals
15. …and about three-dozen other databases and private sector websites

This is nutz! Dedicated portals are so 1990′s…we should be able to use the same technology I used to create this website and blog (WordPress and four different plug-in widgets) to make information and advanced analytic capabilities available to Fusion Centers and other public safety users.  I would like to challenge the agencies and programs listed above to make the information and capabilities they offer available  through widgets, web-parts, and gadgets that Fusion Centers and other intelligence/information sharing users can integrate into THEIR portal of choice. 

Whether it’s SharePoint, Oracle, or IBM Websphere, state, local, or private sector organizations should be able to pick and integrate into THEIR selected portal environment from the portal list above the information and capabilities that they need to do their job–they should not have to access the multiple, stovepiped portals as they do today.

I’d like to know what you think about this…Thanks..r/Chuck Georgo

Whether you like the idea of a fusion center or not, they are here to stay. At last count, there were about 70 of them, and DHS recently spoke of helping to get even more going.  At their core, I believe a fusion center is responsible for doing three basic things: 

1. Accepting and vetting reports of unusual behavior (criminal or terrorism related);
2. Providing intelligence support to major case and tactical law enforcement operations; and
3. Proactively supporting federal, state, and local homeland security and community safety objectives. 

To do this well, the majority of fusion centers in operation today are required to rely on an assortment of manual processes, a patchwork of incompatible software applications, and dozens of disparate information sources. Walk into the typical fusion center today and you’ll probably find that an analyst answering the phone has to enter the request for their services into one application for management purposes, enter the same information into a second application for sharing purposes, then has to manually bring up and login to anywhere from 5-15 different data sources to search for information related to the service request, then has to open up at least one or more applications to write up  and package up the requested response, and then, more than likely, has to either manually fax it to whomever asked for the information or call them back on the telephone to give them the answer–a pretty painful and tedious way to work.

Today though, Microsoft announced release of a project that I have been helping them to develop for quite some time–the Fusion Core Solution.  Microsoft hopes, through use of Office, SharePoint and ESRI’s ArcGIS to help ease the pain described above.  The FCS uses SharePoint as a horizontal integration and workflow management platform to help an analyst go from taking in a fusion center service request, to searching for information, to analyzing that information, to producing the intelligence product without having to leave the SharePoint environment at all.

At a non-technical level, the FCS will enable fusion centers to do a couple of pretty cool things:

1. Provides a common look and feel across multiple analytic tools and business processes.
2. Greatly reduces the number of user names and passwords analyst must remember.
3. Organizes requests for fusion center services, and tracks progress of fusion center work.
4. Helps to better document and comply with 28 CFR Part 23, CUI and PCII requirements.
5. Provides multiple analyst-to-analyst and fusion center-to-fusion center collaboration tools
6. Helps to keep track of fusion center and extended staff capabilities and availability.

From a technical perspective, FCS fully supports NIEM conformant information exchanges and establishes a framework for supporting the service-oriented principles of the Justice Reference Architecture (JRA) as it applies to information and data sharing.

In a nutshell, “Fusion Core Solution is for a Fusion Center what Microsoft Windows is to a personal computer“–you can think of FCS as the “operating system” for a Fusion Center.

For more info, check out the Fusion Core Solution website, or email me.

r/Chuck

Added 8/4/2009: Click HERE to see Joe Rozek, Microsoft’s Executive Director of Homeland Security, and Former Senior Director for Domestic Counterterrorism at The White House Office of Homeland Security talk about Fusion Core Solution

It’s no secret, the National Information Exchange Model (NIEM) is a huge success.  Not only has it been embraced horizontally and vertically for law enforcement information sharing at all levels of government, but it is now spreading internationally.  A check of the it.ojp.gov website lists more than 150 justice-related Information Exchange Package Documentation (IEPD) based on NIEM–it’s been adopted by N-DEX, ISE-SAR, NCIC, IJIS PMIX, NCSC, OLLEISN, and many other CAD and RMS projects. 

For at least the last four years, Search.org has been maintaining the Justice Information Exchange Model (JIEM) developed by Search.org.  JIEM documents more than 15,000 justice information exchanges across  9 justice processes, 75 justice events, that affect 27 different justice agencies. 

So if JIEM establishes the required information exchanges required in the conduct of justice system business activities, and NIEM defines the syntactic and semantic model for the data elements within those justice information exchanges…then…

Wouldn’t it make sense for JIEM exchanges to call-out specific NIEM IEPDs?

And vice-versa, wouldn’t it make sense for NIEM IEPDs to identify the specific JIEM exchanges they correspond to?

Here’s a diagram that illustrates this…

Let me know what you think..

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

If you haven’t heard about the Department of Health and Human Services Federal Health Architecure and CONNECT project, I suggest you pop over to this website where documentation for version 2.0 of the software resides:

http://www.connectopensource.org/display/NHINR2/Release+2.0+Home

CONNECT is an open source software gateway that connects public and private health orgaizations to the National Health Information Network.  Think of it like a giant peer-to-peer N-DEx, but with an open source “front-porch” that drops into each agency and extracts the data from back-end systems.

I’ll be doing more investigation into the CONNECT project to see if we can adapt it for law enforcement information sharing use–the closest thing to this on the LEIS side is the FINDER project in orlando, FL.

as always, comments and thoughts welcomed.

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

Let me first layout the agency landscape :

• There are about 14,000 state and local law enforcement agencies;
• In roughly 3,000 counties;
• That make up the 50 states of our great nation.

Now let’s layout the funding landscape:

• For 2008 the Department of Homeland Security (DHS) allocated $3,200,000,000 (billion) for state and local assistance grants;
• In that same year, the Department of Justice (DOJ) made another $2,000,000,000 available;
• For 2008 that’s a total of $4,200,000,000;
• For 2007 that number was $4,500,000,000;
• For 2009, we are hoping that number stays about the same or goes even higher.
• To all these numbers you must add funding from the Department of Defense, Department of Transportation, Department of Health and Human Services, or State funding sources for LEIS.

Finally, let me lay out the cost landscape for LEIS:

• In my eight or so years of experience of building and deploying LEIS, I’ve seen the costs associated with hooking up an agency to vary between $5,000 and $80,000 per record system connection;
• On average though, I feel the safer number is between about $20,000 and $40,000;
• For arguments sake, let’s use the high number of $40,000.

Now comes the fun part…let’s do some math…

• To be realistic, let’s say that 25% of the 14,000 agencies are already sharing information;
• That leaves about 10,000 agencies left to connect;
• At $40,000 an agency, we would need a total of $560,000,000 (Million);
• Divide that by the 3,000 counties, and we will need about $190,000 per county;
• If we do this over three years, that’s only $63,000 per county, per year for three years!

With (on average) every county getting about $1,400,000 every year for law enforcement and public safety (out of the $4.2 Billion allocated annualy), I would like to think that we (collectively) can see the benefits of LEIS enough to spare $63,000  a year for three years to get it done.

Here’s where the issue of choices and priorities comes in.  If we can agree that the money IS there, what we really need to work on are ways to convince the policymakers and law enforcement exectutives in those counties that investing a little in LEIS is a better investment than whatever it is their currently spending their part of the $4,200,000,000 on.  Do you agree?

I’d also like to know what role youthink the IACP, MCC and NSA would play here?

Thoughts and comments invited…and yes, I used a calculator…;-)

r/Chuck Georgo

The IJIS Institute announces the appointment of Chuck Georgo, founder of NOWHERETOHIDE.ORG, as the Chairperson of the IJIS Institute’s Security and Privacy Advisory Committee. 

The purpose of the IJIS Institute’s Security and Privacy Advisory Committee is to provide advice and counsel to the Department of Justice’s Office of Justice Programs (OJP), as well as other national organizations, on issues of information system security and privacy as applied to integrated justice and public safety information systems, and to develop materials and seminars to educate industry and government staffs on security and privacy measures, designs, and related issues. 

The Security and Privacy Advisory Committee strives to be vendor agnostic in all activities and work products and to be the authoritative source for establishing effective privacy and security measures throughout the justice, public safety, and homeland security information sharing community. Additionally, the committee’s goals include increasing government and industry awareness and understanding of technical and non-technical privacy and security requirements and improving the privacy and security posture for federal, state, local, and tribal justice information sharing efforts. In order to achieve these goals, the committee performs research, issues white papers, develops and conducts training, participates in advisory working groups, and supports technical assistance projects.

Chuck Georgo, regarding his appointment, noted that, “Successful information sharing requires trust. I believe that to get trust you need two things—honorable motive and reliability. Organizations must know that your motives benefit the social good and that your means to protect shared information from compromise is achievable and durable. While honorable motive is in the hands of law enforcement and justice agency executives, I believe that the IJIS Institute, through the Security and Privacy Advisory Committee, can help government and industry to employ effective ways for achieving the reliable means to protect that information. I look forward to working with my fellow committee members to further advance the cause of information sharing through robust security and privacy principles and practices.” 

Chuck Georgo has nearly 28 years of experience in intelligence, national security, defense, and law enforcement arenas. He has served as a strategic planner, business analyst, and technologist supporting the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, and many other public and private sector organizations. 

# # #

About the IJIS Institute — The IJIS Institute serves as the voice of industry by uniting the private and public sectors to improve mission critical information sharing for those who protect and serve our communities. The IJIS Institute provides training, technical assistance, national scope issue management and program management services to help government fully realize the power of information sharing. Founded in 2001 as a 501(c)(3) non-profit corporation with national headquarters on the George Washington University Virginia Campus in Ashburn, Virginia, the IJIS Institute has grown to more than 240 member and affiliate companies across the United States. For more information visit www.IJIS.org.

About NOWHERETOHIDE.ORG – NOWHERETOHIDE.ORG, LLC, was established to help federal, state, and local law enforcement, justice, and homeland security agencies to better achieve their public safety and national security objectives. As our name implies, we want to help these agencies become so effective that criminal elements have nowhere-to-hide from justice. We offer planning, assessment, and technology consulting services to help law enforcement, justice, and national security agencies identify and resolve the issues that currently stand in the way of achieving high performance standards. For more information visit www.nowheretohide.org.

I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation.  Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned. 

I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:

1. Active Executive Engagement in LEIS Governance and Decision-Making;

2. Robust Privacy and Security Policy and Active Compliance Oversight;

3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;

4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);

5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and

6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.

My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”

I would like to what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck

Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org