Tuesday, June 30, 2015

Securing business critical infrastructure via trusted technology, procurement paradigms, and cyber insurance

Welcome to a special BriefingsDirect panel discussion in conjunction with The Open Group's upcoming conference on July 20, 2015 in Baltimore.

The panel of experts examines how The Open Group Trusted Technology Forum (OTTF) standards and accreditation activities are enhancing the security of global supply chains and improving the integrity of openly available IT products and components.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Read a full transcript or download a copy.

We'll also learn how the age-old practice of insurance is coming to bear on the problem of IT supply-chain risk. Supply chain disruption and security ills may be significantly reduced by leveraging business insurance models.
Attend The Open Group Baltimore 2015
July 20-23, 2015
Register Here
To update us on the work of the OTTF, and explain the workings and benefits of supply-chain insurance, we're joined by our panel of experts:
  • Sally Long, Director of The Open Group Trusted Technology Forum.
  • Andras Szakal, Vice President and Chief Technology Officer for IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum.
  • Bob Dix, Vice President of Global Government Affairs and Public Policy for Juniper Networks and member of The Open Group Trusted Technology Forum.
  • Dan Reddy, Supply Chain Assurance Specialist, college instructor and Lead of The Open Group Trusted Technology Forum Global Outreach and Standards Harmonization Work Group.
The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Sally, please give us an update on The Open Group Trusted Technology Forum (OTTF) and the supply-chain accreditation process generally. What has been going on?

Long: For some of you who might not have heard of the O-TTPS, which is the standard, it’s called The Open Trusted Technology Provider™ Standard. The effort started with an initiative in 2009, a roundtable discussion with U.S. government and several ICT vendors, on how to identify trustworthy commercial off-the-shelf (COTS) information and communication technology (ICT), basically driven by the fact that governments were moving away from high-assurance customized solutions and more and more using COTS ICT.

That ad-hoc group formed under the OTTF and proceeded to deliver a standard and an accreditation program.

The standard really provides a set of best practices to be used throughout the COTS ICT product life cycle. That’s both during in-house development, as well as with outsourced development and manufacturing, including the best practices to use for security in the supply chain, encompassing all phases from design to disposal.

Just to bring you up to speed on just some of the milestones that we've had, we released our 1.0 version of the standard in 2013, launched our accreditation program to help assure conformance to the standard in February 2014, and then in July, we released our 1.1 version of the standard. We have now submitted that version to ISO for approval as a publicly available specification (PAS) and it’s a fast track for ISO.

The PAS is a process for adopting standards developed in other standards development organizations (SDOs), and the O-TTPS has passed the draft ISO ballot. Now, it’s coming up for final ballot.

That should bring folks up to speed, Dana, and let them know where we are today.

Gardner: Is there anything in particular at The Open Group Conference in Baltimore, coming up in July, that pertains to these activities? Is this something that’s going to be more than just discussed? Is there something of a milestone nature here, too?

Long: Monday, July 20, is the Cyber Security Day of the Baltimore Conference. We're going to be meeting in the plenary with many of the U.S. government officials from NIST, GSA, and the Department of Homeland Security. So there is going to be a big plenary discussion on cyber security and supply chain.

We'll also be meeting separately as a member forum, but the whole open track on Monday will be devoted to cyber security and supply chain security.

The one milestone that might coincide is that we're publishing our Chinese translation version of the standard 1.1 and we might be announcing that then. I think that’s about it, Dana.

OTTF background

Gardner: Andras, for the benefit of our listeners and readers who might be new to this concept, perhaps you could fill us in on the background on the types of problems that OTTF initiatives and standards are designed to solve. What’s the problem that we need to address here?

Szakal: That’s a great question. We realized, over the last 5 to 10 years, that the traditional supply-chain management practices -- supply-chain integrity practices, where we were ensuring the integrity of the delivery of a product to the end customer, ensuring that it wasn't tampered with, effectively managing our suppliers to ensure they provided us with quality components -- really had expanded as a result of the adoption of technology. There has been pervasive growth of technology in all aspects of manufacturing, but especially as IT has expanded into the Internet of Things, critical infrastructure and mobile technologies, and now obviously cloud and big data.

And as we manufacture those IT products we have to recognize that now we're in a global environment, and manufacturing and sourcing of components occurs worldwide. In some cases, some of these components are even open source or freely available. We're concerned, obviously, about the lineage, but also the practices of how these products are manufactured from a secure engineering perspective, as well as the supply-chain integrity and supply-chain security practices.

What we've recognized here is that the traditional life cycle of supply-chain security and integrity has expanded to include all the way down to the design aspects of the product through sustainment and managing that product over a period of time, from cradle to grave, and disposal of the product to ensure that those components, if they were hardware-based, don't actually end up recycled in a way that they pose a threat to our customers.

Gardner: So it’s as much a lifecycle as it is a procurement issue.

Szakal: Absolutely. When you talk about procurement, you're talking about lifecycle and about mitigating risks to those two different aspects from sourcing and from manufacturing.

So from the customer's perspective, they need to be considering how they actually apply techniques to ensure that they are sourcing from authorized channels, that they are also applying the same techniques that we use for secure engineering when they are doing the integration of their IT infrastructure.

But from a development perspective, it’s ensuring that we're applying secure engineering techniques, that we have a well-defined baseline for our life cycle, and that we're controlling our assets effectively. We understand who our partners are and we're able to score them and ensure that we're tracking their integrity and that we're applying new techniques around secure engineering, like threat analysis and risk analysis to the supply chain.

We're understanding the current risk landscape and applying techniques like vulnerability analysis and runtime protection techniques that would allow us to mitigate many of these risks as we build out our products and manufacture them.

It goes all the way through sustainment. You probably recognize now, most people would, that your products are no longer a shrink-wrap product that you get, install, and it lives for a year or two before you update it. It’s constantly being updated. So to ensure that the integrity and delivery of that update is consistent with the principles that we are trying to espouse is also really important.

Collaborative effort

Gardner: And to that point, no product stands alone. It’s really a result of a collaborative effort, very complex number of systems coming together. Not only are standards necessary, but cooperation among all those players in that ecosystem becomes necessary.

Dan Reddy, how have we done in terms of getting mutual assurance across a supply chain, that all the participants are willing to take part? It seems to me that, if there is a weak link, everyone would benefit by shoring that up. So how do we go beyond the standards? How are we getting cooperation, get all the parties interested in contributing and being part of this?

Reddy: First of all, it’s an evolutionary process, and we're still in the early days of fully communicating what the best practices are, what the standards are, and getting people to understand how that relates to their place in the supply chain.

Certainly, the supplier community would benefit by following some common practices so they don’t wind up answering customized survey questions from all of their customers.

That's what's happening today. It's pretty much a one-off situation, where each customer says, "I need to protect my supply chain. Let me go find out what all of my suppliers are doing." The real benefit here is to have the common language of the requirements in our standard and a way to measure it.

So there should be an incentive for the suppliers to take a look at that and say, "I'm tired of answering these individual survey questions. Maybe if I just document my best practices, I can avoid some of the effort that goes along with that individual approach."

Everyone needs to understand that value proposition across the supply chain. Part of what we're trying to do with the Baltimore conference is to talk to some thought leaders and continue to get the word out about the value proposition here.

Gardner: Bob Dix, the government in the U.S., and, of course, across the globe, all the governments, are major purchasers of technology and also have a great stake in security and low risk. What’s been driving some of the government activities? They're also interested in using COTS technology and cutting costs. So what role can governments play in driving some of these activities around the OTTF?

Risk management

Dix: This issue of supply chain assurance and cyber security is all about risk management, and it's a shared responsibility. For too long I think that the government has had a tendency to want to point a finger at the private sector as not sufficiently attending to this matter.

The fact is, Dana, that many in the private sector make substantial investments in their product integrity program, as Andras was talking about, from product conception, to delivery, to disposal. What’s really important is that when that investment is made and when companies apply the standard the OTTF has put forward, it’s incumbent upon the government to do their part in purchasing from authorized and trusted sources.

In today's world, we still have a culture that's pervasive across the government acquisition community, where decision-making on procurements is often driven by cost and schedule, and product authenticity, assurance, and security are not necessarily a part of that equation. It’s driven in many cases by budgets and other considerations, but nonetheless, we must change that culture to focus to include authenticity and assurance as a part of the decision making process.

The result of focusing on cost and schedule is often those acquisitions are made from untrusted and unauthorized sources, which raises the risk of acquiring counterfeit, tainted, or even malicious equipment.

Part of the work of the OTTF is to present to all stakeholders, in industry and government alike, that there is a process that can be uniform, as has been stated by Sally and Dan, that can be applied in an environment to raise the bar of authenticity, security, and assurance to improve upon that risk management approach.

Gardner: Sally, we've talked about where you're standing in terms of some progress in your development around these standards and activities. We've heard about the challenges and the need for improvement.

Before we talk about this interesting concept of insurance that would come to bear on -- and perhaps encouraging standardization and giving people more ways to reduce their risk and adhere to best practices -- what do you expect to see in a few years? If things go well and if this is adopted widely and embraced in true good practices, what's the result? What do we expect to see as an insurance improvement?

Powerful impact

Long: The most important and significant aspect of the accreditation program is when you look at the holistic nature of the program and how it could have a very powerful impact if it's widely adopted.

The idea of an accreditation program is that a provider gets accredited for conforming to the best practices. A provider that can get accredited could be an integrator, an OEM, the component suppliers of hardware and software that provide the components to the OEM, and the value-add resellers and distributors.

Every important constituent in that supply chain could be accredited. So not only from a business perspective is it important for governments and commercial customers to look on the Accreditation Registry and see who has been accredited for the integrators they want to work with or for the OEMs they want to work with, but it’s also important and beneficial for OEMs to be able to look at that register and say, "These component suppliers are accredited. So I'll work with them as business partners." It's the same for value-add resellers and distributors.
It builds in these real business-market incentives to make the concept work, and in the end, of course, the ultimate goal of having a more secure supply chain and more products with integrity will be achieved.

To me, that is one of the most important aspects that we can reach for, especially if we reach out internationally. What we're starting to see internationally is that localized requirements are cropping up in different countries. What that’s going to mean is that vendors need to meet those different requirements, increasing their cost, and sometimes even there will end up being trade barriers.

Back to what Dan and Bob were saying, we need to look at this global standard and accreditation program that already exists. It's not in development; we've been working on it for five years with consensus from many, many of the major players in the industry and government. So urging global adoption of what already exists and what could work holistically is really an important objective for our next couple of years.

Gardner: It certainly sounds like a win-win-win if everyone can participate, have visibility, and get designated as having followed through on those principles. But as you know and as you mentioned, it’s the marketplace. Economics often drives business behavior. So in addition to a standards process and the definitions being available, what is it about this notion of insurance that might be a parallel market force that would help encourage better practices and ultimately move more companies in this direction?

Let’s start with Dan. Explain to me how cyber insurance, as it pertains to the supply chain, would work.

Early stages

Reddy: It’s an interesting question. The cyber insurance industry is still in the early stages, even though it goes back to the '70s, where crime insurance started applying to outsiders gaining physical access to computer systems. You didn't really see the advent of hacker insurance policies until the late '90s. Then, starting in 2000, some of the first forms of cyber insurance covering first and third party started to appear.

What we're seeing today is primarily related to the breaches that we hear about in the paper every day, where some organization has been compromised, and sensitive information, like credit card information, is exposed for thousands of customers. The remediation is geared toward the companies that have to pay the claim and sign people up for identity protection. It's pretty cut and dried. That's the wave that the insurance industry is riding right now.

What I see is that as attacks get to be more sophisticated and potentially include attacks on the supply chain, it’s going to represent a whole new area for cyber insurance. Having consistent ways to address supplier-related risk, as well as the other infrastructure related risks that go beyond simple data breach, is going to be where the marketplace has to make an adjustment. Standardization is critical there.

Gardner: Andras, how does this work in conjunction with OTTF? Would insurance companies begin their risk assessment by making sure that participants in the supply chain are already adhering to your standards and seeking accreditation? Then, maybe they would have premiums that would reflect the diligence that companies extend into their supply chains. Maybe you could just explain to me, not just the insurance, but how it would work in conjunction with OTTF, maybe to each’s mutual benefit.

Szakal: You made a really great point earlier about the economic element that would drive compliance. For us in IBM, the economic element is the ability to prove that we're providing the right assurance that is being specified in the requests for proposals (RFPs), not only in the federal sector, but outside the federal sector in critical infrastructure and finance. We continue to win those opportunities, and that’s driven our compliance, as well as the government policy aspect worldwide.

But from an insurance point of view, insurance comes in two forms. I buy policy insurance in a case where there are risks that are out of my control, and I apply protective measures that are under my control. So in the case of the supply chain, the OTTF is a set of practices that help you gain control and lower the risk of threat in the manufacturing process.

The question is, do you buy a policy, and what’s the balance here between a cyber threat that is in your control, and those aspects of supply chain security which are out of your control? This is with the understanding that there is an infinite number of resources or revenue that you can allocate to both of these aspects.

There's going to have to be a balance, and it really is going to be case by case, with respect to customers and manufacturers, as to where the loss of potential intellectual property (IP) with insurance, versus applying controls. Those resources are better applied where they actually have control, versus that of policies that are protecting you against things that are out of your control.

For example, you might buy a policy for providing code to a third party, which has high value IP to manufacture a component. You have to share that information with that third-party supplier to actually manufacture that component as part of the overarching product, but with the realization that if that third party is somehow hacked or intruded on and that IP is stolen, you have lost some significant amount of value. That will be an area where insurance would be applicable.

What's working

Gardner: Bob Dix, if insurance comes to bear in conjunction with standards like what the OTTF is developing in supply chain assurance, it seems to me that the insurance providers themselves would be in a position of gathering information for their actuarial decisions and could be a clearing house for what's working and what isn't working.

It would be in their best interest to then share that back into the marketplace in order to reduce the risk. That’s a market-driven, data-driven approach that could benefit everyone. Do you see the advent of insurance as a benefit or accelerant to improvement here?

Dix: It's a tool. This is a conversation that’s been going on in the community for quite some time, the lack of actuarial data for catastrophic losses produced by cyber events, that is impacting some of the rate setting and premium setting by insurance companies, and that has continued to be a challenge.

But from an incentive standpoint, it’s just like in your home. If you have an alarm system, if you have a fence, if you do other kinds of protective measures, your insurance on your homeowners or liability insurance may get a reduction in premium for those actions that you have taken.

As an incentive, the opportunity to have an insurance policy to either transfer or buy down risk can be driven by the type of controls that you have in your environment. The standard that the OTTF has put forward provides guidance about how best to accomplish that. So, there is an opportunity to leverage, as an incentive, the reduction in premiums for insurance to transfer or buy down risk.

Gardner: It’s interesting, Sally, that the insurance industry could benefit from OTTF, and by having more insurance available in the marketplace, it could encourage more participation and make the standard even more applicable and valuable. So it's interesting to see over time how that plays out.

Any thoughts or comments on the relationship between what you are doing at OTTF and The Open Group and what the private insurance industry is moving toward?

Long: I agree with what everyone has said. It's an up-and-coming field, and there is a lot more focus on it. I hear at every conference I go to, there is a lot more research on cyber security insurance. There is a place for the O-TTPS in terms of buying down risk, as Bob was mentioning.

The other thing that's interesting is the NIST Cybersecurity Framework. That whole paradigm started out with the fact that there would be incentives for those that followed the NIST Cybersecurity Framework - that incentive piece became very hard to pull together, and still is. To my knowledge, there are no incentives yet associated with it. But insurance was one of the ideas they talked about for incentivizing adopters of the CSF.

The other thing that I think came out of one of the presentations that Dan and Larry Clinton will be giving at our Baltimore Conference, is that insurers are looking for simplicity. They don’t want to go into a client’s environment and have them prove that they are doing all of these things required of them or filling out a long checklist.

That’s why, in terms of simplicity, asking for O-TTPS-accredited providers or lowering their rates based on that - would be a very simplistic approach, but again not here yet. As Bob said, it's been talked about a lot for a long time, but I think it is coming to the fore.

Market of interest

Gardner: Dan Reddy, back to you. When there is generally a large addressable market of interest in a product or service, there often rises a commercial means to satisfy that. How can enterprises, the people who are consuming these products, encourage acceptance of these standards, perhaps push for a stronger insurance capability in the marketplace, or also get involved with some of these standards and practices that we have been talking about?

If you're a publicly traded company, you would want to reduce your exposure and be able to claim accreditation and insurance as well. Let’s look at this from the perspective of the enterprise. What should and could they be doing to improve on this?

Reddy: I want to link back to what Sally said about the NIST Cyber Security Framework. What’s been very useful in publishing the Framework is that it gives enterprises a way to talk about their overall operational risk in a consistent fashion.

I was at one of the workshops sponsored by NIST where enterprises that had adopted it talked about what they were doing internally in their own enterprises in changing their practices, improving their security, and using the language of the framework to address that.

Yet, when they talked about one aspect of their risk, their supplier risk, they were trying to send the NIST Cybersecurity Framework risk questions to their suppliers, and those questions aren’t really sufficient. They're interesting. You care about the enterprise of your supplier, but you really care about the products of your supplier.

So one of the things that the OTTF did is look at the requirements in our standard related to suppliers and link them specifically to the same operational areas that were included in the NIST Cybersecurity Framework.

This gives the standard enterprise looking at risk, trying to do standard things, a way to use the language of our requirements in the standard and the accreditation program as a form of measurement to see how that aspect of supplier risk would be addressed.

But remember, cyber insurance is more than just the risk of suppliers. It’s the risk at the enterprise level. But the attacks are going to change over time, and we'll go beyond the simple breaches. That’s where the added complexity will be needed.

Gardner: Andras, any suggestions for how enterprises, suppliers, vendors, systems integrators, and now, of course, the cloud services providers, should get involved? Where can they go for more information? What can they do to become part of the solution on this?

International forum

Szakal: Well, they can always become a member of the Trusted Technology Forum, where we have an international forum.

Gardner: I thought you might say that.

Szakal: That’s an obvious one, right? But there are a couple of places where you can go to learn more about this challenge.

One is certainly our website. Download the framework, which was a compendium of best practices, which we gathered as a result of a lot of hard work of sharing in an open, penalty-free environment all of the best practices that the major vendors are employing to mitigate risks to counterfeit and maliciously tainted products, as well as other supply chain risks. I think that’s a good start, understanding the standard.

Then, it's looking at how you might measure the standard against what your practices currently are, using the accreditation criteria that we have established.

Other places would be NIST. I believe that it’s 161 that is the current pending standard for protecting supply chain security. There are several really good reports that the Defense Science Board and other organizations have conducted in the past within the federal government space. There are plenty of materials out there, a lot of discussion about challenges.

But I think the only place where you really find solutions, or at least one of the only places that I have seen is in the TTF, embedded in the standard as a set of practices that are very practical to implement.

Gardner: Sally, the same question to you. Where can people go to get involved? What should they perhaps do to get started?

Long: I'd reiterate what Andras said. I'd also point them toward the accreditation website, which is www.opengroup.org/accreditation/o-ttps. And on that accreditation site you can see the policy, standard and supporting docs. We publicize our assessment procedures so you have a good idea of what the assessment process will entail.

The program is based on evidence of conformance as well as a warranty from the applicant. So the assessment procedures being public will allow any organizations thinking about getting accredited to know exactly what they need to do.

As always, we would appreciate any new members, because we'll be evolving the standard and the accreditation program, and it is done by consensus. So if you want a say in that, whether our standard needs to be stronger, weaker, broader, etc., join the forum and help us evolve it.

Impact on business

Gardner: Dan Reddy, when we think about managing these issues, often it falls on the shoulders of IT and their security apparatus, the Chief Information Security Officer perhaps. But it seems that the impact on business is growing. So should other people in the enterprise be thinking about this? I am thinking about procurement or the governance risk and compliance folks. Who else should be involved other than IT in their security apparatus in mitigating the risks as far as IT supply chain activity?

Reddy: You're right that the old model of everything falls on IT is expanding, and now you see issues of enterprise risk and supply chain risk making it up to the boards of directors, who are asking tough questions. That's one reason why boards look at cyber insurance as a way to mitigate some of the risk that they can't control.

They're asking tough questions all the way around, and I think acquisition people do need to understand what are the right questions to ask of technology providers.

To me, this comes back to scalability. This one-off approach of everyone asking questions of each of their vendors just isn't going to make it. The advantage that we have here is that we have a consistent standard, built by consensus, freely available, and it's measurable.

There are a lot of other good documents that talk about supply chain risk and secure engineering, but you can't get a third-party assessment in a straightforward method, and I think that's going to be appealing over time.

Gardner: Bob Dix, last word to you. What do you see happening in the area of government affairs and public policy around these issues? What should we hope for or expect from different governments in creating an atmosphere that improves risk across supply chain?

Dix: A couple things have to happen, Dana. First, we have got to quit blaming victims when we have breaches and compromises and start looking at solutions. The government has a tendency in the United States and in other countries around the world, to look at legislating and trying to pass regulatory measures that impose requirements on industry without a full understanding of what industry is already doing.

In this particular example, the government has had a tendency to take an approach that excludes vendors from being able to participate in federal procurement activities based on a risk level that they determine.

The really great thing about the work of the OTTF and the standard that's being produced is it allows a different way to look at it and instead look at those that are accredited as having met the standard and being able to provide a higher assurance level of authenticity and security around the products and services that they deliver. I think that's a much more productive approach.

Working together

And from a standpoint of public policy, this example on the great work that's being done by industry and government working together globally to be able to deliver the standard provides the government a basis by which they can think about it a little differently.

Instead of just focusing on who they want to exclude, let's look at who actually is delivering the value and meeting the requirements to be a trusted provider. That's a different approach and it's one that we are very proud of in terms of the work of The Open Group and we will continue to work that going forward.
Gardner: This special BriefingsDirect thought leadership panel discussion has been brought to you in conjunction with The Open Group's upcoming conference on July 20, 2015 in Baltimore. It's not too late to register on The Open Group's website or to follow the proceedings online and via Twitter and other social media during the week of the presentation.

Sponsor: The Open Group.

How Malaysia’s Bank Simpanan Nasional implemented a sweeping enterprise content management system

The next BriefingsDirect big data and information governance innovation case study highlights how the National Savings Bank in Malaysia has implemented a sweeping enterprise content management system (ECMS) project.

Learn how this large community bank has slashed paper use, increased productivity, rationalized storage and documents, and cut security risks, while adhering to compliance requirements.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Read a full transcript or download a copy.

To walk us through the bank’s journey to better information management is Alain Boey, Senior Vice President in the Transformation Management Department at the National Savings Bank in Malaysia. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: What were the major drivers that led you to seek a comprehensive approach to enterprise content management?
Boey: We were trying to standardize a lot of our processes in the bank and, as you know, in the bank itself we used a lot of paper. There are a lot of documents flying around and documents have to be couriered from one place over to our headquarters (HQ) for processing. We have 14 states all across Malaysia, and all these documents have to be couriered on a daily basis over to our HQ in Kuala Lumpur.

We were trying to see how we can shorten that process itself, so that we can at least be able to give an answer to our customers in the shortest time possible. By putting in an ECMS, we were able to standardize a lot of the processes that involved paper. Then, documents were able to be retrieved easily regardless of where the person is. In terms of processing times, we were able to shorten the processing time from four days to less than a day.

The documents are now scanned and then uploaded to the server, which is easily accessed by anybody around Malaysia. The whole objective of going in to the ECMS was to improve the entire customer experience, and also to put in best practices involving processes as well as systems. Ultimately, what we want to achieve is to see how we can serve our customer better.

Gardner: Tell us a little bit about your bank. It's quite a distributed organization and there are a lot of moving parts to it. I can understand why it would be a challenge to centralize all of your information.

Promote and mobilize savings

Boey: Bank Simpanan Nasional is owned by the Ministry of Finance. We were incorporated in 1974. So we're 40 years old as of December last year. Our objective is to promote and mobilize savings for the entire Malaysia.

We're specially set up by the Ministry of Finance to provide savings and banking opportunities to all Malaysians. Because we're a national bank, we have branches all across Malaysia. We have 402 branches, and these are serviced by our 6,800 employees.

We also have what we call agent banking. We have 5,200 agents who are able to operate on behalf of the bank. BSN, as we are normally known in Malaysia, has 982 automatic teller machines (ATMs) and 338 cash deposit machines (CDMs), and this is to serve more than 9.5 million customers. In short, we're a diverse bank. We're the only bank that you can find in the remotest parts of Malaysia.

That's why, before ECMS came in, it was very challenging. Documents had to be couriered or had to be carried from one place to our central office. Because of that, a simple loan application, for instance, could take up to four to five days before it could reach the central office. That created a lot of challenges in trying to satisfy our customers, especially those applying for loans. They want to know the status of their loan application as soon as possible.

Number two, we also had issues in regard to the management of the documents. Documents had to be stored, and there were issues in relation to the access of physical documents themselves. As we all know, real estate prices have gone up, so storing all these physical documents doesn’t make sense for the bank.

We wanted to see how we could also find a way to remove as many of these physical documents as possible, and also to make the retrieval of the documents easy. We're also trying to put in controls over access of the documents. Physical paper files can be lost while in transit, or can even be lost because they get misplaced, or a file is missing.

We wanted to put in place a system whereby we're able to track the entire lifecycle of the document. The moment the document is scanned, we're able to see the status of the document itself, as well the status of the application and then the entire lifecycle management of the document. That’s pretty much what we wanted to achieve from this whole exercise.

Gardner: Not only do you get a centralized view and more information about each document much quicker, but you also create a much better security and audit trail, and therefore compliance benefits?

Boey: Definitely. Now, we have a better audit trail of document movement. We have better control in terms of the versioning, like who puts in what. We're also able to roll out a consistent taxonomy for all documents. Whatever documents go into ECMS have to follow a certain methodology in taxonomy inference of the naming. So anybody in Malaysia, when they want to access a file, is able to identify the file by just looking at the name of the file.

Of course, because everything is in soft copy, we have a back-up in terms of the disaster recovery (DR) as well. So, there's no issue, if a document goes missing, in how we access it and how we look for important documents. So, now that we have a proper DR, we're able to retrieve the documents, even if the physical copy is missing.

Primary technologies

Gardner: Alain, tell us how you went about this. What were the primary technologies, processes, and skills that were required to make this happen?

Boey: The journey itself took us about two years. We explored many vendors in the market to look at which available technologies were able to satisfy our requirements. There were a lot of vendors providing document management systems, but we wanted an enterprise-level system so that we're able to use the same system across the entire organization.

We went through a series of vendors and then eventually we decided to go with HP’s Autonomy and also the HP TRIM Records Management System. Of course, there were many solutions that we looked at. It was an open tender, and the evaluation team comprised a combination of business users as well as technical users. Based on the result of this, the evaluators were comfortable with this solution and the technology that was being provided by HP.

Then, during implementation itself, we were able to have better hands-on experience on the HP TRIM software as well as on Autonomy. We found that the software was very flexible. We were able to build workflows together, and they were also able to put in a lot of controls and a lot of parameterized input. That makes usage, as well as maintenance, easy.

Gardner: When you go to a digital and managed system like this, you also get benefits for archive and back-up and perhaps even reduction in overall storage infrastructure costs. Is there anything about the storage and back-up and archive benefits that also came to play?

Boey: Definitely. Because we're a bank, all the documents that we have have to be backed up. Previously, every document had to be duplicated, so we had two files of it. That made retrieval and storage challenging as well.

Once a soft copy is in, you're able to make multiple copies if you want to, but because we have a DR in place, we're able to replicate the files to our DR. In terms of archival, it's easier because we can follow our standard archiving policy. When it comes to the end of the lifecycle of the document itself, there are proper procedures to manage the expiry of the documents as well as the disposal of the hard copy.

Now that they have the managed soft copy, we're able to track the entire movement, and when it comes to the expiry itself, notifications will remind the users that this document is due for disposal at whatever period of time. The users can then prepare the necessary procedures in regard to disposal of the documents.
Maintenance becomes easier because we don't need to have someone physically managing the entire lifecycle of the document. We're leaving it to the system to tell us when what action should be taken for a typical document.

Gardner: Let’s look at some of the results, some of the paybacks that you've achieved as a result of your project. First, I suppose, customer satisfaction is always important. What have you heard from the users, the customers, in terms of how they view this as an improvement? And are there other metrics of success?

User surveys

Boey: We have conducted some surveys with the users in regard to the experience of using the system. Initially, when the system was first rolled out, there were some challenges in the users' options because those were basically changing the way they were used to doing things. Because documents now are all committed electronically, that means physical processes had to be eliminated.

There were some challenges from the users in regard to so-called job security, because things were now being replaced by the system itself. We were able to retrain some of these users to other functions. For example, when a document comes in, once the document is scanned it goes into the system, and we need someone to physically eyeball the information.

Previously, someone was preparing the documents for couriering. Now, their new role is basically to eyeball some of this information, to check the consistency, as well as the completeness and the accuracy of the information.

Because of this, we're able to see happier customers and users because they are able to see the benefits from using the system.

Sales agents are basically paid by commission. So the faster the loan is approved, for example, the faster they will get the commission. Now, with the system in place, we're able to see shorter turnaround time in terms of the processing. Because of this, the customers are able to get an answer from the bank in the shortest time possible. The customer will then be able to decide if they want to take out the loan with the bank.

With all of this, we're able to shorten the turnaround time for the loan application and the turnaround time for the commission payment, as well as the turnaround time for the feedback to the customers.

Overall, in the three surveys that have been conducted by the bank, the results have been positive. We've seen a higher usage of the system since it has been implemented.

On the customer side, based on the feedback that we have received as well as the surveys that have been done, the customers are happier because they're able to get the answers from the bank sooner.

Previously, we had a lot of drop in customers because the time it took to revert back to them was longer. Now, if an application comes in, it’s submitted on one day, and the customer is able to get a reply in less than 24 hours. So this has increased customers' satisfaction.

Gardner: What about the future? What comes next? Does this capability that you've put in place open up the possibility for other improvements in your infrastructure and documented information management, perhaps some sort of analysis capability or search in other higher order functions around business intelligence?

Robust system

Boey: In doing the implementation, the HP team helped us build some of these applications and helped us put in the applications for some of the departments. Moving forward, we're rolling out to all the other departments in the bank, all of the back offices, and these are going to be done by our own team. So it shows the robustness of the system that the team is able to pick up the knowledge of the system and then to roll it out.

Now, with all of this information that we have, we're also looking at the analytics surrounding the data, the data that we have received. We're looking to see how we can further improve the customers' experience based on the information that we have in the system.

We're trying to shorten the entire processing time as much as possible, now that we have better management and information on the processing time.

We're also trying to see, based on the information that we have, whether we're able to better understand our users' behavior. Sometimes, our sales agents are quite smart in playing along with their sales target, like what it’s going to be for this month or is this going to be for next month. So we are trying to get a better understanding of our user’s behavior through the information in BSN itself.

And also similarly for the customers, based on the analytics surrounding the customers and the information in the system, we are also exploring better products and services to best satisfy our customers’ expectations.

Gardner: If you have an opportunity to instruct someone who is starting out on a similar project, what lessons have you learned? What advice might you offer to those who are beginning a comprehensive ECMS project?

Boey: Look at the bigger picture. There are a lot of document management systems, but if you're looking for an ECMS, you need to identify your objectives. If your objective is just to scan a document, then probably an ECMS will not work.

But if your objective is to look at improving the return on investment (ROI), improving the entire customer experience, putting in better control on the document lifecycle -- then an ECMS would work for you.

Also, explore what's available in the market in terms of the solution and get to know the vendors, the solution providers, well, so that you have a better understanding of the technology, and you have a better knowledge of the roadmap of the technology. Then, you're able to plan your future, your three-year plans or your five-year business plans, based on the roadmap of the solution.

Sponsor: HP.